Data Protection Statement

Data Protection Statement

We, Erich Thor Wohnungsunternehmen GmbH (“we“, “us“ or “our“), take the protection of your personal data seriously. Whether you visit our website, use our services as a potential tenant or transmit your personal data to us in connection with a tenancy, we are aware of the responsibility associated therewith. Therefore, we collect, use and process personal data exclusively in accordance with applicable provisions under data protection law, especially the General Data Protection Regulation (GDPR).

In the following, we would like to inform you what kind of personal data we collect, how we process them, what claims and rights you have in this regard and how we protect your data.

1. Terms and definition

Following the example of Art. 4 of GDPR, the following definitions form the basis of this Data Protection Statement:

Terms Definition
Personal data Any information relating to an identified or identifiable natural person. A person is identifiable if he/she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information on his/her physical, physiological, genetic, mental, economic, cultural or social features of identity.
Processing Any operation which deals with personal data, whether or not by automated means (i.e. technology-based). This especially includes collection (i.e. acquisition), recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data as well as any change in a target or purpose on which data processing was originally based.
Data subject Any identified or identifiable natural person whose personal data are processed by the data controller.
Controller The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Third party Any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process the personal data; this also includes other legal persons that are group companies.
Consent Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Homepage, Website Our homepage at https://www.thor.de
Cookie A cookie is a text file consisting of letters and numbers that can be stored on the browser or the computer’s hard disk.
Third country Country which is not a member of the European Union or of the European Economic Area or which does not fall under the “adequacy decision” of the European Commission.
GDPR General Data Protection Regulation of the EU (Regulation (EU) 2016/679), including transposition acts
“we“, “us“ or “our“ Erich Thor Wohnungsunternehmen GmbH
2. Data controller and contact details
Controller as defined by data protection law

Erich Thor Wohnungsunternehmen GmbH

Amalie-Dietrich-Stieg 13
22305 Hamburg

Telephone : +49 40 - 69 70 69 - 7
Fax : +49 40 - 69 70 69 - 10
E-Mail: info@thor.de

(see our Legal Notice).
Contact details of our data protection officer

Erich Thor Wohnungsunternehmen GmbH

Amalie-Dietrich-Stieg 13
22305 Hamburg

Data protection officer: Mr Christoph Lüttjohann Jäger

E-Mail: datenschutz@thor.de
3. Data processing by e-mail traffic

Description and purpose of data processing

You can contact us by e-mail.

In order to deal with your inquiry, we will need a valid e-mail address; any further information is provided on a voluntary basis, but may facilitate dealing with your request. We will process the personal data provided in order to be able to deal with your inquiry.

If the data required for dealing with your inquiry are not provided to us, we will not be able to deal with your request.
Data security: Scanning of file attachments and firewall

a) Scanning of file attachments:

In this connection, please note that especially file attachments with potentially active content, such as Microsoft® Word or Excel, as well as compressed files such as ZIP files are scanned regularly by means of virus/malware scanners to ensure our data security.

To this end, we also use the services of external providers.

As a result, these providers obtain knowledge of the data content sent to us and any personal data contained therein.

We therefore ask you to send file attachments exclusively in the following formats if necessary:
• PDF (unencrypted, without links or active content)
• Picture files (JPG, JPEG, HEIC, TIFF, GIF)

b) Data processing e-mail firewall

To protect our IT infrastructure, we use an e-mail firewall. We especially do so to detect any attempted misuse at an early stage. To this end, we collect the following protocol data about access and store them in server log files:
• Date, time and duration of connection,
• e-mail addresses of sender and recipient(s),
• subject,
• message ID,
• name and IP address of the mail servers involved,
• detailed information on the encryption method,
• automated safety assessment (antivirus, SPAM Confidence Level – SCL),
• delivery status (delivered, rejected)

c) Secure data connection (server-based)

Please note that only encrypted e-mail communication with us is possible to protect the confidentiality and integrity of the data transmitted by e-mail (server-based e-mail encryption according to the latest standard). Unless your mail server meets this standard, it is not possible to communicate with us by e-mail.
Legal basis for and legitimate interest in data processing

We process your personal data on the basis of our legitimate interest in being able to communicate with you as part of our business activity. We use the firewall to protect our IT systems and data security. Insofar as you provide information on a voluntary basis beyond the e-mail address when you contact us by e-mail, you consent to its processing. You may withdraw this consent at any time (see 9. Your right of withdrawal).

The legal basis for processing is point (a) and (b) of Art. 6(1) of GDPR.
Erasure of data The data will be deleted if and when they are not required any more for the above-mentioned purposes and neither statutory obligations to retain nor our legitimate interests (especially to protect our statutory rights) prevent such a deletion.
Recipient(s)

Employees of our company; in the event of attacks on our IT security, we will also transfer the data to (prosecuting) authorities.

Manufacturers of our virus scanners.
4. Our website

Description and purpose of data processing

Each time our website is visited, the following data, which your browser transmits to the server used for our website, are processed:
• IP address of the requesting terminal (e.g. PC, tablet, smartphone),
• date and time of access,
• name and URL of the retrieved file or webpage,
• retrieved and transferred amount of data,
• notice of successful retrieval,
• identification data of the browser and operating system used,
• website from which access is gained

We process these data to enable access to our website, to ensure system security and technical administration of the network infrastructure as well as to optimise our website.

It is not possible to visit and use our website without these data being processed.
Legal basis for and legitimate interest in data processing The data are processed on the basis of our legitimate interest in a trouble-free, secure operation of our website for information and communication purposes. The legal basis is point (f) of Article 6(1) of GDPR.
Erasure of data The data will be deleted if and when they are not required any more for the above-mentioned purposes and neither statutory obligations to retain nor our legitimate interests (especially to protect our statutory rights) prevent such a deletion.
Recipient(s) Employees of our IT Department; in the event of attacks on our IT security, we will also transfer the data to (prosecuting) authorities.
4.1 Cookies

Use of Cookies

We use cookies on our website. Cookies are small text files that are stored on your hard disk and assigned to the browser used by you by means of a characteristic string and that deliver certain information to the entity placing the cookie. Cookies cannot execute programs or transfer viruses to your computer and can therefore not cause any damage.

Cookies generally serve to make the website more user-friendly and effective for you. However, cookies may contain data that enable recognition of the device used.
Technically necessary cookies we use

For functional purposes, we use cookies on our website that are temporarily necessary, e.g. so-called session cookies. A randomly generated identification number is stored in a session cookie. In addition, the source and storage period are recorded. Session cookies do not store any other data and are deleted as soon as you close your browser or log out. We also use persistent cookies that are necessary. These are generally required in order to move around the website, to use essential features, to ensure security of the website and, if necessary, to record your choice regarding prior consent to the use of cookies.

Application control
• Designation:  PHPSESSID
• Provider:  www.thor.de
• Purpose:  Used to identify and control the user’s PHP session
• Expiry:  1 year
• Type:  http cookie

Data Protection Statement
• Designation:  ds_accept
• Provider:  www.thor.de
• Purpose:  Used to store consent to/rejection of the data protection statement
• Expiry:  1 year
• Type:  http cookie

Data protection settings regarding Google Maps
• Designation:  ds_maps
• Provider:  www.thor.de
• Purpose:  Used to store consent to/rejection of Google Maps
• Expiry:  1 year
• Type:  http cookie

Data protection settings regarding Google Analytics
• Designation:  ds_analytics
• Provider:  www.thor.de
• Purpose:  Used to store consent to/rejection of Google Analytics
• Expiry:  1 year
• Type:  http cookie
Cookies we use that are not technically necessary

We only use cookies on our website that are not technically necessary if you give your consent to their use. These cookies help us provide better functionality during visits to our website and understand better how visitors use our website.

Map display
• Designation:  NID
• Provider:  Google Maps
• Purpose:  Google uses NID to tailor advertisements to your Google search. The cookie helps Google “remember” the search queries entered most frequently or earlier interactions with advertisements in order to control the selection of future advertisements. The cookie contains a unique ID which Google uses to collect personal settings for advertising purposes.
• Expiry:  6 months
• Type:  http cookie

Data protection settings regarding Google Analytics
• Designation:  _utma
• Provider:  Google Analytics
• Purpose:  Calculation of visitor statistics. Tracks when/how often visitors were on the website and when the last visit took place.
• Expiry:  2 years
• Type:  http cookie

Data protection settings regarding Google Analytics
• Designation:  _utmb, _utmc
• Provider:  Google Analytics
• Purpose:  This cookie serves to calculate the dwell time on the website; it sets a time stamp when visiting/leaving the website.
• Ablauf:  30 minutes
• Type:  http cookie
Legal basis for and legitimate interest in data processing

We use technically necessary cookies on the basis of our legitimate interest in making our website available to promote our business activity. The legal basis for the above is point (f) of Article 6(1) of GDPR.

Cookies that are not technically necessary are only used if you give your prior consent to their use. Your consent is the legal basis for processing. You may withdraw this consent at any time with effect for the future (see 9. Your right of withdrawal).
Erasure of data

You can change your cookie settings for our website at any time via the link “data protection settings” in the footer of our website.

If you do not want any cookies to be stored on your computer, you may also make appropriate adjustments in the system settings of your web browser (block cookies). You can also use the system settings of your browser to delete any cookies that have already been stored. Please note that the usability and functionality of our website may be restricted if you block cookies.
Recipient(s)

Technically necessary cookies are processed by our servers and StackPath, 2021 McKinney Avenue, Suite 1100, 75201 Texas, USA, as well as by the open-source service jsDelivr of the software company ProspectOne, Królewska 65A/1, 30-081, Krakow, Poland, on the basis of processing on behalf of the controller.

Cookies that are not technically necessary are processed by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with the involvement of the US parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
4.2 Google Analytics

Description and purpose of data processing

For the purposes of needs-based design and continuous optimisation of our website, we use the web analysis service „Google Analytics“.

Google Analytics is a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with the involvement of the US parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

In connection with our use of Google Analytics, pseudonymised user profiles are created and cookies are used. The cookie stores information generated about your use of websites such as:
• Type of browser/browser version,
• operating system used,
• referrer URL (the site visited previously),
• host name of the accessing computer (IP address),
• time of the server request

It is possible that these personal data are transferred to the USA, linked with other data and stored there. In the opinion of the European Court of Justice, the data protection level in the USA is not comparable to that in the EU. Rights of data subjects (see 8. Your rights as a data subject) cannot be enforced in the USA in the same manner as in the EU. It cannot be ruled out that US authorities may access these stored data.

We have concluded a contract with Google Ireland Limited, including the EU Standard Contractual Clauses.

Please find out about data protection at Google by using the following link: https://privacy.google.com/businesses/compliance/#!#gdpr
Legitimate interest in and legal basis for data processing

We process your data on the basis of our legitimate interest in analysing and optimising our website. The legal basis for the above is your free consent, which may be withdrawn at any time for the future, according to point (a) of Article 6(1) of GDPR (see 9. Your right of withdrawal).

You can change your cookie settings for our website at any time via the link “data protection settings” in the footer of our website.

If you do not want any cookies to be stored on your computer, you may also make appropriate adjustments in the system settings of your web browser (block cookies). You can also use the system settings of your browser to delete any cookies that have already been stored. Please note that the usability and functionality of our website may be restricted if you block cookies.

In addition, you can prevent the collection of data by using the browser plugin that may be downloaded at the following link: http://tools.google.com/dlpage/gaoptout?hl=de
Erasure We delete personal or pseudonymised data after 14 months at the latest.
Recipient(s) Employees of our IT Department; Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with the involvement of the US parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
4.3 Content Delivery Networks

Description and purpose of data processing

We use so-called content delivery networks (CDN) to integrate scripts and libraries on our website. These cause the loading time of common JavaScript libraries and fonts to be shortened because the files are transferred from fast, local or underutilised servers. For this purpose, the browser you use must connect to the CDN servers. During the connection to the content delivery networks, your IP address is transmitted to the CDN server.

For our website we use the Bootstrap CDN web service of StackPath, LLC, 2021 McKinney Avenue, Suite 1100, 75201 Texas, USA, as well as the open-source service jsDelivr of the software company ProspectOne, Królewska 65A / 1, 30- 081, Krakow, Poland.

Further information on the data protection of the providers can be found at https://www.stackpath.com/legal/gdpr and https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

It is possible that personal data are transferred to the USA and stored there. In the opinion of the European Court of Justice, the data protection level in the USA is not comparable to that in the EU. Rights of data subjects (see 8. Your rights as a data subject) cannot be enforced in the USA in the same manner as in the EU. It cannot be ruled out that US authorities may access these stored data.

We have concluded a contract with StackPath LLC, including the EU Standard Contractual Clauses.
Legitimate interest in and legal basis for data processing The legal basis for data processing is our legitimate interest in the secure and efficient provision of our website pursuant to point (f) of Art. 6(1) of GDPR.
Erasure The data will be deleted after the purpose has been achieved.
Recipient(s) StackPath, LLC, 2021 McKinney Avenue, Suite 1100, 75201 Texas, USA, as well as the open-source service jsDelivr of the software company ProspectOne, Królewska 65A / 1, 30- 081, Krakow, Poland.
4.4 Integration of third-party services / content and transfer of data to third parties

Description and purpose of data processing

To optimise our website or online presence, we sometimes use third-party providers with regard to various contents and services. This is done, for example, in order to be able to make interactive maps available. The third-party providers of such contents are informed about your IP address. Moreover, third-party providers use so-called pixel tags. By means of these tags, third-party providers may obtain information on, among other things, the browser and operating system, duration of the visit to the website, visitor traffic on the website, etc. Third-party providers may also link these data with other data. For example, Google assigns them to user profiles – irrespective of whether there is a user account – and stores these data for advertising purposes/for market research, among other things.

You can change your cookie settings on our website at any time via the link “data protection settings” in the footer.

Insofar as we include links to third-party websites on our website, we generally do not have any influence on the content displayed on such websites and on the use or processing of your data there. Therefore, we ask you to visit the relevant external websites for separate information about data protection.

You will find an overview of the content of third-party providers included on our website and links to their respective data protection statements under “recipient(s)”.
Legitimate interest in and legal basis for data processing The legal basis for data processing is our legitimate interest in the uniform, efficient and optimised provision of our website as well as the protection of our IT security pursuant to point (f) of Art. 6(1) of GDPR.
Erasure The data will be deleted after the purpose has been achieved.
Recipient(s)

Below you will find an overview of the content of third-party providers included on our website and links to their respective data protection statements. There you will especially get information about possible settings to protect your privacy.

Regarding use of interactive maps: Google Maps, map service offered by the third-party provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with the involvement of the parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (see https://privacy.google.com/businesses/compliance/#!#gdpr).

Regarding the use of content delivery networks: StackPath, LLC, 2021 McKinney Avenue, Suite 1100, 75201 Texas, USA, as well as the open-source service jsDelivr of the software company ProspectOne, Królewska 65A / 1, 30- 081, Krakow, Poland (see https://www.stackpath.com/legal/gdpr and https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

To ensure our data security: Virus/malware scanners.
4.5 Data processing in connection with subscription to our mailing list

Description and purpose of data processing

On our homepage, we offer you the option of subscribing to our mailing list , so that we can inform you about flats that become available. For this purpose, we will process your e-mail address and the information you provide about the rented property; all other information is provided on a voluntary basis.

We will process the data you enter when subscribing to our mailing list to send you an automated message about flats that become available and meet the search criteria you specify (business development, marketing).

Your personal data will not be transferred. If you do not transmit the required personal data, we will not be able to make this service available to you.
Legitimate interest in and legal basis for data processing The legal basis for processing is your consent according to point (a) of Article 6(1) of GDPR.
Cancellation of mailing list / withdrawal of consent You may unsubscribe from the mailing list on our homepage at any time and thus withdraw your consent to the processing of the data – also of the data you may have entered voluntarily in the contact form – with effect for the future (see 9. Your right of withdrawal). Your data will then be deleted immediately.
Erasure We will process your data as long as you consent. If you withdraw your consent / unsubscribe from the mailing list, the data will be deleted immediately.
Recipient(s) Exclusively employees of our company.
4.6 Data processing in connection with use of our contact form

Description and purpose of data processing

On our website, you have the option of sending your inquiries and applications to us via our contact form.

In order to deal with your inquiry, we will need a valid e-mail address; any further information is provided on a voluntary basis, but may facilitate dealing with your request. Information provided on a voluntary basis is marked in the contact form. We will process the personal data provided in order to be able to deal with your inquiry.

If the data required for dealing with your inquiry are not provided to us, we will not be able to deal with your request.
Legitimate interest in and legal basis for data processing We process your personal data on the basis of our legitimate interest in being able to communicate with you as part of our business activity. Insofar as you provide information on a voluntary basis beyond the e-mail address, you consent to its processing. You may withdraw this consent at any time (see 9. Your right of withdrawal). The legal basis for processing is point (a) and (b) of Art. 6(1) of GDPR.
Erasure The personal data collected in this connection will be deleted after your request has been finally dealt with or the processing of such data will be limited to the minimum required if there are statutory obligations to retain or we have a legitimate interest in retention. In the latter cases, the data will be deleted after expiry of the period of retention or after the legitimate interests have ceased to exist.
Recipient(s)

Employees of our company; in the event of attacks on our IT security, we will also transfer the data to (prosecuting) authorities.

The contact form is also managed by Aareon Deutschland GmbH, Isaac-Fulda-Allee 6, 55124 Mainz, on the basis of processing on behalf of the controller pursuant to Art. 28 of GDPR. Aareon Deutschland GmbH has been certified by TÜV Rheinland as regards its data protection management (technical and organisational measures).
5. Data processing regarding potential tenants / pre-contractual phase

Description and purpose of data processing

In order to be able to deal with your inquiry as a potential tenant and to communicate with you, we initially collect and process the following required personal data:
• First name/surname,
• contact details,
• search criteria for housing

Should you have a definite interest in renting one of our flats after viewing and should you be eligible as a tenant for us, we will additionally collect and process the following personal data:
• Date of birth,
• address,
• information whether a rented flat is currently used,
• information about employment (incl. income/creditworthiness),
• information about persons moving in (adults/children)

Any further information provided by you (e.g. in free-text fields) is voluntary. By transmitting such information voluntarily, you consent to the processing of these data. If you do not provide any information on a voluntary basis, this will not have negative effects on the rental process for you.

If we have selected you as a concrete, potential tenant, we will carry out a credit check for you or any guarantors with regard to future rent payments. We do so to protect ourselves against payment defaults. To this end, we will engage a service provider, i.e. a credit agency such as SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. Scoring is used to assess your creditworthiness. Scoring means that forecasts for the future are made on the basis of past experiences using mathematical/statistical procedures. During the scoring procedure, a person’s credit behaviour is compared to that of other consumers with similar characteristics. The score thus calculated is guided by the default rate of payments in that comparison group.

It is important to provide the required data for the signing of any lease because only these data enable us to take a balanced decision (e.g. whether the requirements for appropriate use in terms of space are met). Consequently, if the required data are not provided, you will be eliminated from the application procedure for rental of the flat in question. No further consequences are involved; in particular, you can provide the relevant details later in connection with a subsequent application for a flat.

The decision is not made in an automated process.
Legitimate interest in and legal basis for data processing The legal basis for pre-contractual data processing is point (b) of Art. 6(1) of GDPR or point (f) of Art. 6(1) of GDPR for credit checks.
Erasure Should we not sign a lease with you, your data will be deleted unless you have given your express consent to further data processing.
Recipient(s)

Employees of our company who are in charge of the matter. Authorities and service providers if this is in our legitimate interest for actual, legal or economic reasons and there is no legitimate interest on your part that conflicts with such transfer.

This includes external service providers such as credit agencies, IT service providers and other service providers such as, in particular,
• Aareon Deutschland GmbH, Isaac-Fulda-Allee 6, 55124 Mainz
• SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden
6. Data processing in connection with tenancies

Description and purpose of data processing

If you sign a lease with us, we will collect and process the following data for the proper performance of the lease:
• Dates and places of birth,
• previous address of the tenant,
• address of rented flat,
• telephone number [landline and/or mobile number] / e-mail address of the tenant,
• bank/account details of the tenant,
• information about existing certificate of priority, if any,
• information about occupants, legal representatives,
• information about guarantors [name, bank and payment details, contact details, communication] if applicable,
• consumption data [operating costs],
• communication data if applicable, e.g. in order to deal with cases of damage, notices of defects, modernisation measures,
• if applicable, data according to item 5 above (insofar as the number of tenants changes in the course of the tenancy,
• correspondence arising from the tenancy, including but not limited to, tenancy agreements, change agreements, declarations, statements, minutes, other letters and email correspondence,
• if applicable, other data insofar as these are required for the proper performance of the lease

The personal data that you communicate are stored in an electronic tenant file.

It is necessary to provide the data for the conclusion of the contract and performance of the lease. Consequently, if the data are not provided, the tenancy will not be entered into or (depending on the situation) the lease cannot be performed as provided for in the contract or by law.
Legitimate interest in and legal basis for data processing The legal basis for data processing is point (b) of Art. 6(1) of GDPR. Processing is carried out on the basis of our legitimate interest in the proper performance of the lease in order to be able to fulfil our legal obligations vis-à-vis you or authorities, for example, to settle liability claims, if any, and to assert any other claims. The legal basis for this is point (c) of Art. 6(1) of GDPR and/or point (f) of Art. 6(1) of GDPR.
Erasure The personal data will be deleted after the purpose has been achieved unless there are obligations to retain under the German Commercial Code, Criminal Code or Tax Code or you have given your consent to storage pursuant to point (a) of Art. 6(1) of GDPR.
Recipient(s) Employees of our company who are in charge of the matter.
Transfer of data to third parties in connection with the tenancy

If and insofar as this is required for the processing of your tenancy or is in our legitimate interest for actual, legal or economic reasons, your personal data will be transferred to third parties in compliance with data protection regulations. Categories of recipients:

a) to companies associated with us for the purpose of performing the lease and providing support to you as a tenant,

b) to tradesmen engaged by us for the purpose of simplified direct communication, e.g. in order to carry out repairs and/or renovations. You may object to such transfer in exceptional cases (see 9. Your right to object)

c) to authorities and service providers, if this is required in order to perform the lease and servicing you as a tenant.

This particularly includes law firms, credit institutions, energy providers, measurement services provider and other service providers such as, inter alia:
• Aareon Deutschland GmbH, Isaac-Fulda-Allee 6, 55124 Mainz
• KALORIMETA GmbH, Heidenkampsweg 40, 20097 Hamburg,

Your personal data will not be transferred to third parties for other purposes than those above without your express consent. The relevant third party may use the transferred data exclusively for the aforementioned purposes. Insofar as required under data protection law, we have concluded a contract for data processing on behalf of the controller with our service providers.
7. meinTHOR tenant portal and tenant app

Description and purpose of data processing

You as the tenant have the option of registering for our online tenant portal meinTHOR through our homepage or downloading our meinTHOR tenant app through common app-stores. We offer you various services through the online tenant portal and the tenant app, such as web-based communication and the possibility of easy retrieval of important documents or application forms.

In order to be able to provide this service, we will process your personal data. These include the data provided by you upon login/registration (name, e-mail address, unique registration code and time of login) as well as information on the rented property/tenancy such as data regarding repairs that were carried out or are still to be done as well as correspondence. Use of the services offered by us via the online tenant portal or the tenant app is voluntary.

Registration with the online tenant portal is done through a secure double opt-in process. This means that registration is only completed successfully when you confirm this by clicking on a link sent to your e-mail address.

When downloading the tenant app, certain personal data required in this connection will be transmitted to the relevant App Store (e.g. Apple App Store). In particular, the e-mail address, user name, customer ID of the downloading account, the individual code number of the device used as well as the time of download will be transmitted to the App Store. We have no influence on the collection and processing of these data; rather, this is done exclusively by the App Store you choose.

If you do not wish to provide us with the personal data required for registration, you will not be able to use this service.
Legitimate interest in and legal basis for data processing The personal data are processed in order to provide the services described above on the basis of our legitimate interest in offering such services to our tenants. The legal basis for processing for the above-mentioned purpose is point (b) of Art. 6(1) of GDPR, point (f) of Art. 6(1) of GDPR. Information provided on a voluntary basis will be processed on the basis of your consent pursuant to point (a) of Art. 6(1) of GDPR.
Erasure If registration is not completed in the double opt-in process, your personal data will be deleted after [x] days. If you register, the personal data required in this connection will be stored until such time as access is cancelled with final effect. Furthermore, we store the data provided by you on a voluntary basis for the time of your use of the online tenant portal/tenant app, unless you delete them beforehand. Should there be any statutory obligations to retain or should we have a legitimate interest in storing the data, the data will be deleted after expiry of the period of retention or after the legitimate interests have ceased to exist.
Recipient(s) The online tenant portal and the tenant app are operated by Aareon Deutschland GmbH, Isaac-Fulda-Allee 6, 55124 Mainz on the basis of processing on behalf of the controller pursuant to Art. 28 of GDPR. Aareon Deutschland GmbH has been certified by TÜV Rheinland as regards its data protection management (technical and organisational measures).
8. Your rights as a data subject

Right of access pursuant to Art. 15 of GDPR You may request information about the purposes of processing, the category of the personal data that are processed, the recipients or categories of recipients to whom your personal data have been or will be disclosed, the envisaged storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the source of your data where they are not collected by us as well as the existence of automated decision-making, including profiling, and meaningful information about details thereof, if any.
Right to rectification pursuant to Art. 16 of GDPR You may demand the rectification of inaccurate personal data without undue delay or the completion of your personal data stored by us.
Right to erasure pursuant to Art. 17 of GDPR You have the right to demand that we erase your personal data stored by us unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
Right to restriction pursuant to Art. 18 of GDPR You may demand restriction of the processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful but you oppose the erasure of the data and we no longer need the data, but you require them for the establishment, exercise or defence of legal claims or you have objected to processing pursuant to Art. 21 of GDPR.
Right to data portability pursuant to Art. 20 of GDPR You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to demand transmission to another controller.
Right to lodge a complaint pursuant to Art. 77 of GDPR You have the right to lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of your habitual residence or place of work or of the registered office of our company (Hamburg) for this purpose.
9. Your right of withdrawal

Right of withdrawal pursuant to Art. 7(3) of GDPR

If you have given your consent to the processing of your personal data, you have the right to withdraw this consent at any time with regard to us with effect for the future pursuant to Art. 7(3) of GDPR.

To do so, you may, for example, send an e-mail to datenschutz@thor.de or contact the entity named in the Legal Notice.

You can change your cookie settings for our website at any time via the link “data protection settings” in the footer of our website.

If you do not want any cookies to be stored on your computer, you may also make appropriate adjustments in the system settings of your web browser (block cookies). You can also use the system settings of your browser to delete any cookies that have already been stored. Please note that the usability and functionality of our website may be restricted if you block cookies.

You may unsubscribe from the mailing list on our website at any time and thus withdraw your consent to the processing of the data – also of the data you may have entered voluntarily in the contact form – with effect for the future. Your data will then be deleted immediately.
10. Your right to object

Right to object pursuant to Art. 21 of GDPR

You have the right to object at any time to the processing of your data which is based on point (f) of Art. 6(1) of GDPR (data processing on the basis of a weighing of interests) or point (e) of Art. 6(1) of GDPR (data processing in the public interest) if there are grounds relating to your particular situation.

If you object, we will stop processing your personal data, unless we have compelling grounds for processing that merit protection and override your interests, rights and freedoms or the processing is useful for the establishment, exercise or defence of legal claims. If you would like to avail yourself of your right to object, you may, for example, send an e-mail to datenschutz@thor.de or contact the entity named in the Legal Notice.
Our Data Protection Statement is valid from: October 2022.

We reserve the right to make changes to our Data Protection Statement. We will publish all future changes on our website at www.thor.de.

PDF of the current version that is optimised for printing can be downloaded at https://www.thor.de/pdf/Thor_Datenschutzerklaerung_EN.pdf.