CONSENS GmbH takes the protection of your personal data seriously. We treat your personal data confidentially and in accordance with the applicable legal data protection regulations. We herewith inform you on the processing of your personal data by CONSENS GmbH, if
- you visit our website (see paragraph 1 below)
- we process your data in connection with our activity as an intermediary of real estate loans, real estate, and insurances (see paragraph 2 below)
Furthermore, you will receive general information on your rights in relation to the processing of your data (see paragraph 2.10 below). CONSENS GmbH processes your data in accordance with the data protection regulations of the Bundesdatenschutzgesetz (BDSG) [German Federal Data Protection Act] in the version valid as of May 25, 2018 and Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”). Which of your personal data we process and use depends largely on the services provided in each case. The responsible party for processing in the sense of data protection is
Phone: 0 89 / 12 00 50 – 0
Managing Director: Torsten Flohr
Amtsgericht München HRB 79834
In the following, we, as the responsible party, fulfil our duty to provide information and disclosure regarding the processing of personal data and inform you about the type, scope and purpose of the processing of personal data. In addition, we will inform you about our criteria for the storage period, possible categories of recipients and planned transfers to third countries or to an international organisation. With regard to the terms "personal data", "processing", "controller", "data subject", "third party" used, we refer to the definitions of Art. 4 Regulation (EU) 2016/679 (GDPR). We would like to point out that this data protection notice may be adapted on an ad hoc basis or on the basis of regular reviews.
Unless a more specific storage period has been specified within this data protection declaration, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion, or revoke your consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (for example retention periods under tax law or commercial law); in the latter case, the deletion will take place after these reasons cease to apply.
We would like to point out that data transmission on the Internet (e.g. communication by e-mail, access to websites) can have security gaps. Complete protection of data against access by third parties is not possible.
1. Data protection information for visitors to our website
On our website we would like to give you an overview of our company and our services. In doing so, we collect personal data (pursuant to Art. 6 para. 1 sentence 1 lit. f DSGVO). Data subjects are the respective users of this website.
1.1. Hosting of the website
We host the content of our website with the following provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (hereinafter referred to as IONOS).
When you visit our website, IONOS collects various log files, including your IP addresses (see 1.2 below). The use by IONOS is based on Article 6 subsection (1) lit. f GDPR. We have a legitimate interest in ensuring that our website is as reliable as possible. If a corresponding consent has been requested, the processing will exclusively be carried out on the basis of Art. 6 subsection (1) lit. a GDPR and Section 25 subsection (1) TTDSG [German Telecommunications and Telemedia Data Protection Act], insofar as the consent includes the storage of cookies or access to information in the terminal device of the user (for example device fingerprinting) within the meaning of TTDSG. The consent may be revoked at any time.
Order processing: We have concluded a contract for order processing for the use of the above-mentioned service. This is a contract which is required by data protection law, with which it is warranted that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR.
1.2. Processing of the website calls and server log files
When the CONSENS GmbH website is accessed, the web servers (product IONOS Webhosting Plus) automatically store various data about the accessing system. The following data is collected from website visitors, which is anonymized directly during collection:
- Referrer (previously visited website)
- Requested website or file
- Type and version of the browser
- Operating system used
- Type of device used
- Time of access
- IP address in anonymized form (will only be used to determine the location of access)
This data will be stored for 8 weeks. No data will be forwarded to third parties. In addition, processing will take place by IONOS WebAnalytics (see 1.3 below). The purposes of the processing are:
- Provision of the website and its contents, services and functions
- Ensuring a smooth and comfortable use of the website
- Ensuring system security and stability by evaluating errors and incidents
- Carrying out administrative tasks
1.3. Analysis tool IONOS WebAnalytics
This website uses the analysis services of IONOS WebAnalytics (hereinafter referred to as WebAnalytics). The provider is IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, [Germany]. As part of the analyses with WebAnalytics, visitor numbers and behaviour (for example number of page views, duration of a website visit, bounce rates), visitor sources (for example from which page the visitor comes), visitor locations, and technical data (browser and operating system versions) can be analysed.
What technologies are used to determine the data?
Order processing: We have concluded a contract for order processing for the use of the above-mentioned service. This is a contract required by data protection law, which warrants that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR.
1.4. Legal notice for the website
We are responsible for our own content on these pages in accordance with general laws. The free and freely accessible contents of this website have been created with the greatest possible care and serve only to provide general information and not advice in specific cases. The provider of this website excludes liability for the content of the retrievable information, unless it is a case of intentional or grossly negligent misinformation. As soon as we become aware of a concrete violation of the law, we will remove this content immediately.
The content provided on the website (e.g. texts, graphics, photos, etc.) may be protected by copyright or other industrial property rights. The exploitation of this content is not permitted without the consent of the rights holder.
2. Data processing in the framework of our business activity
2.1. Contact and pre-contractual measures
2.1.1. If you contact us (for example by email or telephone), we store and process your contact information (name, email address, telephone number) and the information and content transmitted in connection with the contact in order to be able to answer the request. (Legal basis: Art. 6 subsection (1) sentence 1 lit. b or lit. f GDPR)
2.1.2. We will carry out the processing within the framework of pre-contractual measures if it is a corresponding request by you. Besides that, we have a legitimate interest in answering inquiries to or about us and our services and processing data accordingly for this purpose. (Legal basis: Art. 6 subsection (1) sentence 1 lit. b or lit. f GDPR)
2.2. Type of data used
In the course of our activities as intermediaries for real estate loans, real estate and insurance, we come into contact with personal data. The respective companies or entrepreneurs usually have a contractual or pre-contractual relationship with us. If it is necessary for the provision of our services, we also process personal data which we obtain from publicly accessible sources (e.g. land registers, commercial registers, press, Internet) or which are transmitted to us by other third parties (e.g. partner companies of our clients). The data we process includes personal data (e.g. name, address, other contact data) and identification data (e.g. ID card data). Furthermore, we also process order data (e.g. payment orders), data from the fulfilment of our contractual obligations (e.g. tax data, beneficial owner), financial data (e.g. creditworthiness data, origin of assets, proof of income, wage documents, applications for employee savings allowances, capital-forming benefits, pension insurance documents), contribution statements for social insurance, pension insurance and insurance policies, documentation data (e.g. logs, e-mails, confirmations) and health data.
2.3. Purpose of the processing
We process personal data within the framework of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
2.4. Data processing for the purpose of contract initiation/contract management
We process personal data for the purpose of contract administration, i.e. so that we can provide our business partners or customers with the contractual services and for the purpose of corresponding contract preparations. If the business partner or customer is a natural person, the legal basis is that the processing is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures in accordance with Art. 6 Para. 1 b GDPR.
2.5. Data processing within the framework of balancing interests
If necessary, we process personal data of employees of the business partner or customer. The legal basis for this is a legitimate interest according to Art. 6 para. 1 f GDPR - both ours or that of third parties (assertion of legal claims and defence in the event of disputes, risk management, prevention and investigation of criminal offences, etc.). The legitimate interest lies in the performance of our business activities and those of the business partner or customer. A conflicting interest of the respective data subject does not exist in this respect, because from the point of view of our business partner or customer, the processing by us is already necessary within the framework of the existing employment relationship with the data subject (Section 26 BDSG-neu). For this purpose, we store personal data for the duration of the contract.
2.6. Data processing on the basis of consent
Insofar as we have consent to process personal data for certain purposes (e.g. to pass it on to banks, real estate sellers), the lawfulness of this processing is given in accordance with Art. 6 (1) a GDPR. This consent can be revoked at any time. However, the revocation only applies to the future and does not affect the lawfulness of the data processed until the revocation.
2.7. Data processing due to legal requirements or in the public interest
CONSENS GmbH is subject to a wide range of legal obligations (e.g. Money Laundering Act). The processing and disclosure of personal data is necessary for the fulfilment of these obligations and is permitted in accordance with Art. 6 Para. 1 c GDPR.
2.8. Data sharing
Within CONSENS GmbH, only the employees entrusted with the fulfilment of the respective contractual and legal obligations have access to the personal data. In addition, we transmit your data to our business partners (banks, insurance companies, real estate buyers and sellers) for the purpose of initiating a contract. Personal data is only transferred or passed on to third parties if this is done on a legal basis and we state this in the individual processing operations or if one of the following reasons applies:
- It is necessary for the performance of a contract with you or the implementation of pre-contractual measures at your request (Art. 6 para. 1 sentence 1 b GDPR).
- The disclosure is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data (Art. 6 para. 1 sentence 1 f GDPR).
- There is a legal obligation to disclose the data (Art. 6 para. 1 sentence 1 c GDPR).
- We have a valid consent from you (Art. 6 para. 1 sentence 1 a GDPR).
In this context, data is only transferred to third countries (outside the EU and the EEA) or processed there if the special requirements of Art. 44 et seq. GDPR are fulfilled.
2.9. Duration of data retention
As a matter of principle, we store personal data for the period of time that is necessary for corresponding processing, legal or regulatory retention periods exist or we have a legitimate interest in storing the data or you have given your consent. We store certain data in accordance with the following rules for the duration specified in each case and delete it after the specified storage period has expired:
- 3 years: data and contents on legal acts (including their preparation), insofar as necessary for the ability to provide information and defence as well as for the assertion or defence of claims.
- 6 years: Commercial letters (section 257 (1) nos. 2 and 3, (4) HGB), hand files (section 50 (1) BRAO), wage documents, applications for employee savings allowances, capital-forming benefits, pension insurance documents, social insurance contribution statements, insurance policies.
- 10 years: documents relevant to taxation, accounting vouchers, commercial books (§§ 147 para. 1 AO) 257 para. 1 nos. 1 and 4, para. 4 HGB), health data.
- 30 years: Data stored on the basis of special circumstances in one's own interest or in the interest of third parties due to corresponding limitation periods or special retention periods (e.g. enforcement orders, special limitation periods).
If circumstances arise during storage (e.g. conclusion of a contract, negotiations about claims, legal disputes, etc.) that make longer storage necessary, these periods are extended accordingly. The beginning of a period for the storage period is regularly the end of the calendar year in which the last event for the respective processing took place (e.g. order, delivery, end of a contract, invoicing).
2.10. Your rights as a data subject and rights of appeal
As a data subject of a processing (hereinafter also "user") of personal data by us, you can assert the following rights against us:
- You can request information in accordance with Article 15 of the GDPR, in particular about whether we process your personal data. If this is the case, you can request information about, among other things, the categories of personal data and the processing purposes as well as, if applicable, the origin (if this was not collected by us) and categories of recipients of this data.
- You may request the correction of inaccurate or the completion of your personal data stored by us in accordance with Art. 16 GDPR.
- You can request the deletion of your personal data stored by us within the scope of Art. 17 GDPR. If there are legitimate reasons for deletion, the processing of the data will be restricted (blocking). In order to effectively block data and implement the associated restriction of processing, the data concerned may need to be held in a blocking file.
- You can request the restriction of processing from us within the framework of Art. 18 GDPR.
- You may request information about recipients of any notification obligation under Art. 19 GDPR in the event of rectification, erasure or restriction of processing of personal data.
- You may, in accordance with Art. 20 GDPR, receive your personal data that you have provided to us in a structured, common and machine-readable format or request that it be transferred to another controller.
- You may exercise your right to object within the framework of Art. 21 GDPR, in particular if your personal data is used for direct marketing purposes or if there are grounds arising from your particular situation where the processing is based on Art. 6 (1) sentence 1 e or f GDPR. You can revoke consent to the processing of personal data at any time with effect for the future. Processing prior to revocation is not affected by this. You may also exercise your right to lodge a complaint with a competent supervisory authority under data protection law in accordance with Article 77 of the GDPR. In the case of CONSENS GmbH, this is the Bavarian State Commissioner for Data Protection:
Postfach 22 12 19, 80502 München
Wagmüllerstraße 18, 80538 München
Phone: 0 89 / 21 26 72 – 0
Fax: 0 89 / 21 26 72 – 50
E-Mail: poststelle [at] datenschutz-bayern.de