Data Protection Notice

Data Protection Notice

The following information is to inform you about data processing in connection with our website and especially about the processing of personal data, i.e. data relating to you as an identifiable natural person, in connection with this website and your rights relating thereto.

1. Controller within the meaning of data protection law and data protection officer

The controller responsible for the operation of the website at www.thor.de and the data processing involved pursuant to Art. 4 No. 7 of the General Data Protection Regulation (‘GDPR’) is

Erich Thor Wohnungsunternehmen GmbH

Amalie-Dietrich-Stieg 13
22305 Hamburg

Telephone: +49 40 - 69 70 69 - 7
Fax: +49 40 - 69 70 69 10
E-mail: info@thor.de

(see our Legal Notice).

Our data protection officer can be contacted at datenschutz@thor.de or at the above-mentioned postal address by adding ‘Attn: data protection officer’.

2. Data processing during a visit to our website for information purposes

If our website is accessed for information purposes, the following data, which your browser transmits to the server used for our website, are processed:

• IP address of the requesting terminal (e.g. PC, tablet, smartphone)
• Date and time of access
• Name and URL of the retrieved file
• Retrieved and transferred amount of data
• Notice of successful retrieval
• Identification data of the browser and operating system used
• Website from which access is gained

These data will not be evaluated in a manner relating to an individual. These data are only collected in anonymised form and stored exclusively for statistical purposes.

The purpose of this data processing is to enable visits to our website and to ensure system security, technical administration of the network infrastructure as well as to optimise the website and is therefore in our legitimate interest. In so far as personal data are affected by the data processing, the legal basis thereof is Art. 6(1)(f) of GDPR. The data will be deleted if and as soon as they are not required any more for the above-mentioned purposes and neither statutory obligations to store the data nor our legitimate interests prevent such a deletion. In the latter cases, the data will be deleted after expiry of the period of retention or after the legitimate interests have ceased to exist.

3. Data processing in connection with use of our contact form

You can contact us by using the contact form provided on our website or by e-mail. In order to deal with your request, we will need a valid e-mail address; further information is provided on a voluntary basis, but may facilitate dealing with your request. We will only process the personal data provided in order to be able to deal with your request. Without your express consent, there will be no further use, especially no transfer of personal data to third parties. The legal basis for processing for the aforementioned purpose is Art. 6(1)(a) and/or (b) of GDPR. The personal data collected in this connection will be deleted after your request has been finally dealt with or the processing of such data will be limited to the minimum required if there are statutory obligations to store the data or we have a legitimate interest. In the latter cases, the data will be deleted after expiry of the period of retention or after the legitimate interests have ceased to exist.

If the data required for dealing with your request are not provided to us, this will result in our not being able to deal with your request.

4. Data processing in connection with use of our mailing list

We also offer you to enter your name on our Mailing List in order to receive information about flats that become available. For this purpose, we will need a valid e-mail address; further information is provided on a voluntary basis. We will process the data you enter when registering for our mailing list to send you an automated message about flats that become available and meet the search criteria you specify. Without your express consent, there will be no further use, especially no transfer of personal data to third parties. The legal basis for processing for the above-mentioned purpose is the consent you have given in this regard and thus Art. 6(1)(a) of GDPR.

You may deregister from the mailing list at any time via our website – cancel mailing list – and thus revoke your consent to the processing of the data – also of the data you may have entered in the contact form – with effect for the future (see also No. 12 of this Data Protection Notice). Please re-enter your e-mail address to deregister from the mailing list.

5. Transfer of data

Your personal data will exclusively be transferred to third parties in the following cases for the following purposes:

• You have given your consent to a transfer (Art. 6(1)(a) of GDPR).
• The transfer is permitted by law and required for the preparation or performance of contractual relationships with you (Art. 6(1)(b) of GDPR).
• There is a statutory obligation to transfer the data (Art. 6(1)(c) of GDPR).
• The transfer is required to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest meriting protection in the non-transfer of your data (Art. 6(1)(f) of GDPR).

Because of the use of Google Analytics (see No. 7 of this Data Protection Notice), Google Maps (see No. 8 of this Data Protection Notice), Google Fonts (see No. 9 of this Data Protection Notice) and a content delivery network of the company StockPath LLC (see No. 10 of this Data Protection Notice), data are also transferred to the USA. As regards exceptional cases where personal data are transferred to the USA, both Google Inc. and StockPath LLC have submitted to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework). In the opinion of the European Court of Justice, your personal data are nevertheless not protected in a comparable way in the USA as within the EU. There is no adequacy decision by the European Commission or comparable guarantees. The rights of data subjects listed in No. 11 of this data protection declaration cannot therefore be enforced as they are within the EU.

6. Use of cookies

We use cookies on our website. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by means of a characteristic string of characters and through which certain information flows to the place that sets the cookie. Cookies cannot run programs or transfer viruses to your computer and therefore cannot cause any damage. They regularly serve to make the Internet offer more user-friendly and more effective. However, cookies can contain data that make it possible to recognize the device used. In some cases, on the other hand, cookies only contain information about certain settings that cannot be related to a person.

If you do not want cookies to be stored on your computer, you can do this in the system settings of your web browser (block cookies). Cookies that have already been saved can also be deleted using the system settings. Please note that blocking cookies can lead to a restriction in the use and functionality of our online offer.

In general, you have the option to object to using cookies for online marketing purposes via the deactivation pages of the network advertising initiative https://optout.networkadvertising.org/ and also via the European website https://www.youronlinechoices.com/uk/your-ad-choices.

In the following we explain for you which cookies are used on our websites so that you will, among other things, be able to make an informed decision as to whether you agree to the use of technically unnecessary cookies and accordingly consent to the associated data processing.

You can change your cookie settings at any time via the link “Privacy Settings“ in the footer.

We fundamentally differentiate between the following categories of cookies:

6.1 Necessary cookies

For functional purposes, we use temporarily necessary cookies on our websites, e.g. so-called „session cookies“. A randomly generated identification number is stored in a session cookie. In addition, the origin and storage period are stored. Session cookies do not save any further data and are deleted as soon as you close your browser or log out. We also use permanent necessary cookies. These are regularly required in order to move around the website, use basic functions, ensure the security of the website and e.g. to choose your previous cookie consent.

The legal basis for setting the necessary cookies and accessing them is Art. 6 Para. 1 lit. f GDPR.

The necessary cookies used on our website can be found here:

6.1.a Application control
• Designation:  PHPSESSID
• Provider:  www.thor.de
• Purpose:  Used to identify and control the user's PHP session
• Expiry:  1 year
• Type:  http Cookie

6.1.b Data protection notice
• Designation:  ds_accept
• Provider:  www.thor.de
• Purpose:  Used to save the consent / rejection of the privacy policy
• Expiry:  1 year
• Type:  http Cookie

6.1.c Data protection settings for google Maps
• Designation:  ds_maps
• Provider:  www.thor.de
• Purpose:  Used to save consent / rejection to google Maps
• Expiry:  1 year
• Type:  http Cookie

6.1.d Data protection settings for google Analytics
• Designation:  ds_analytics
• Provider:  www.thor.de
• Purpose:  Used to save the consent / rejection to google Analytics
• Expiry:  1 year
• Type:  http Cookie
6.2 Technically unnecessary cookies

Technically unnecessary cookies are also used on our website. They help us a) to offer better functionality when visiting our website and b) to better understand how visitors use our online offer (web analysis). Technically unnecessary cookies are only used on our website if you give your consent. This consent is therefore also the legal basis for data processing. You can revoke your consent at any time for the future (see No. 12 of this Data Protection Notice). You can change your cookie settings at any time via the link “Privacy Settings“ in the footer.

Cookies that are not required on our website can be found here:

6.2.1 Functionality

6.2.1.a Map display
• Designation:  NID
• Provider:  google Maps
• Purpose:  NID is used by Google to tailor advertisements to your Google searches. With the help of the cookie, Google „remembers“ the most frequently entered search queries or previous interactions with advertisements in order to control the selection of future advertisements. The cookie contains a unique ID that Google uses to collect personal settings for advertising purposes.
• Expiry:  6 months
• Type:  http Cookie

6.2.2 Web analysis

6.2.2.a Data protection settings for google Analytics
• Designation:  _utma
• Provider:  google Analytics
• Purpose:  Calculation of visitor statistics. Tracks when / how often visitors were on the website and when the last visit took place.
• Expiry:  2 years
• Type:  http Cookie

6.2.2.b Data protection settings for google Analytics
• Designation:  _utmb, _utmc
• Provider:  google Analytics
• Purpose:  Cookie is used to calculate the time spent on the website, sets a time stamp when visiting / leaving the website.
• Expiry:  30 minutes
• Type:  http Cookie
7. Use of Google Analytics

We use the web analysis service „Google Analytics“ for the purpose of tailoring our website to requirements and continuously optimizing it. The legal basis for this is your free and at any time revocable consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR (see also No. 12 of this Data Protection Notice).

Google Analytics is a web analysis service provided by Google Ireland Limited, Gordon House 4, Barrow Street, Dublin, Ireland. In exceptional cases, personal data will also be transferred to the parent company Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. For cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework). In the opinion of the European Court of Justice, your personal data are nevertheless not protected in a comparable way in the USA as within the EU. There is no adequacy decision by the European Commission or comparable guarantees. The rights of data subjects listed in No. 11 of this data protection declaration cannot therefore be enforced as they are within the EU. With your consent, you therefore also consent to data transfer within the meaning of Art. 49 Para. 1 lit a GDPR. There is a data protection agreement between Google Ireland Limited and Google LLC in the USA, including the EU standard contractual clauses (https://privacy.google.com/businesses/compliance/#!#gdpr).

In connection with our use of Google Analytics, pseudonymised usage profiles are created and cookies are used. The information generated by the cookie about your use of this website such as

• type of browser/browser version
• operating system used
• referrer URL (the site visited previously)
• host name of the accessing computer (IP address)
• time of the server request

are transmitted to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of us. The IP addresses are anonymized so that an assignment is generally not possible (IP masking). The full IP address is only transmitted to a Google server in the USA and shortened there in exceptional cases. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data unless you have allowed this in your Google account.

Further information on data protection in connection with Google Analytics can be found e.g. in the Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=de).

You can revoke your consent at any time for the future (see No. 12 of this Data Protection Notice). You can change your cookie settings at any time via the link “Privacy Settings“ in the footer. You can also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout).

8. Use of Google Maps

In order to be able to show visitors to our website interactive maps directly on the website and to enable them to conveniently use the map function, we use Google Maps on this website, a map service provided by the third-party provider Google Ireland Limited, Gordon House, 4 Barrow St, Dublin , Ireland. The legal basis for this is your voluntary consent, which can be revoked at any time, in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR (consent – see also No. 12 of this Data Protection Notice).

Personal data may also be transferred to the parent company Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. For cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. In the opinion of the European Court of Justice, your personal data are nevertheless not protected in a comparable way in the USA as within the EU. There is no adequacy decision by the European Commission or comparable guarantees. The rights of data subjects listed in No. 11 of this data protection declaration cannot therefore be enforced as they are within the EU. With your consent, you therefore also consent to data transfer within the meaning of Art. 49 Para. 1 lit a GDPR. There is a data protection contract between Google Ireland Limited and Google LLC in the USA, including the EU standard contractual clauses (see https://privacy.google.com/businesses/compliance/#!#gdpr).

When you visit the website, Google receives the information that you have accessed the corresponding subpage of our website. In addition, the under No. 2 of this data protection declaration. This happens regardless of whether Google provides a user account that you are logged in to or whether there is no user account. If you are logged into Google, your data will be assigned directly to your account. If you do not want the assignment to your profile on Google, you must log out before activating the button. Google stores your data as a user profile and uses it for advertising, market research and / or needs-based design of its website. Such an evaluation takes place in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, although you must contact Google to exercise this right.

You can revoke your consent at any time for the future (see No. 12 of this Data Protection Notice). You can change your cookie settings at any time via the link “Privacy Settings“ in the footer. Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in Google's privacy policy: https://policies.google.com/privacy. There you will also find further information on your rights in this regard and setting options to protect your privacy, such as Opt-Out (see https://www.google.com/settings/ads/).

9. Use of Google Fonts

We use so-called web fonts from Google Ireland Limited, Barrow Street, 4 Dublin, Ireland (hereinafter: Google Fonts) for a uniform and functional display of fonts on our website. When you call up a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to the Google servers. This provides Google with the information that our website has been accessed via your IP address. The use of Google Web Fonts takes place in the interest of a uniform and appealing presentation of our offer and therefore represents a legitimate interest within the meaning of Art. 6(1)(f) of GDPR.

If your browser does not support web fonts, your computer will use a standard font.

You can find more information about Google Web Fonts at https://developers.google.com/fonts/faq and in Google's data protection declaration: https://policies.google.com/privacy.

10. Use of so-called Content Delivery Networks

We use so-called Content Delivery Networks (CDN) to integrate scripts and libraries on our website. These have the effect that the loading time of common JavaScript libraries and fonts is shortened because the files are transferred from fast, local or underutilized servers. For this purpose, the browser you are using must connect to the CDN servers. During the connection to the content delivery networks, your IP address is sent to the CDN server. For our website we use the Bootstrap CDN web service from StackPath, LLC, 2021 McKinney Avenue, Suite 1100, 75201 Texas, United States of America, as well as the open source service jsDelivr from the software company ProspectOne, Królewska 65A / 1, 30- 081, Kraków, Poland.

The legal basis for this data processing is our legitimate interest in a secure and efficient provision of our internet offer in accordance with Art. 6(1)(f) of GDPR.

StackPath, LLC is certified under the EU-US Privacy Shield Agreement (see https://www.privacyshield.gov/list). In the opinion of the European Court of Justice, your personal data are nevertheless not protected in a comparable way in the USA as within the EU. There is no adequacy decision by the European Commission or comparable guarantees. The rights of data subjects listed in No. 11 of this data protection declaration cannot therefore be enforced as they are within the EU.

Further information on the data protection of the providers can be found at https://www.bootstrapcdn.com/privacy-policy/ and https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

11. General rights of the data subject

You have the following general rights of the data subject with regard to the processing of your personal data by us:

• Right of access pursuant to Art. 15 of GDPR: You may request information about the purposes of processing, the category of the personal data that are processed, the recipients or categories of recipients to whom your personal data have been or will be disclosed, the envisaged storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the source of your data where they were not collected by us as well as the existence of automated decision-making, including profiling, and meaningful information about details thereof, if any.
• Right to rectification pursuant to Art. 16 of GDPR: You may demand the rectification of inaccurate personal data without undue delay or the completion of your personal data stored by us.
• Right to erasure (‘right to be forgotten’) pursuant to Art. 17 of GDPR: You have the right to demand that we delete your personal data stored by us unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
• Right to restriction of processing pursuant to Art. 18 of GDPR: You may demand restriction of the processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful but you oppose the erasure of the data and we no longer need the data, but you require them for the establishment, exercise or defence of legal claims or you have objected to processing pursuant to Art. 21 of GDPR.
• Right to data portability pursuant to Art. 21 of GDPR: You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to demand transmission to another controller.
• Right to lodge a complaint with a supervisory authority (Art. 77 of GDPR): You have the right to lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of your habitual residence or place of work or of the registered office of our company (Hamburg) for this purpose.

12. Right of withdrawal

If you have given your consent to the processing of your personal data, you have the right to withdraw this consent at any time with regard to us with effect for the future pursuant to Art. 7(3) of GDPR. An e-mail sent to datenschutz@thor.de will suffice for this purpose.

13. Right to object

In addition, we would like to point out to you that, pursuant to Art. 21 of GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data if your personal data are processed on the basis of legitimate interests pursuant to Art. 6(1)(f) of GDPR; this also applies to profiling based on these provisions. If you wish to avail yourself of your right to object, an e-mail sent to datenschutz@thor.de will suffice.

The further course of action is laid down in Art. 21 of GDPR. In the case of direct marketing, the personal data are not used any more for this purpose if an objection is lodged. In other cases where an objection is lodged, further data processing will only take place if we demonstrate compelling grounds for processing that merit protection and override your interests, rights and freedoms or the processing is useful for the establishment, exercise or defence of legal claims.

14. Links to other websites

The offer on our website contains links to third-party websites. We do not transfer any data to third-party operators. Generally, we do not have any influence on their content and the collection, use and processing of data by them. We kindly ask you to obtain information about data protection on external websites separately. As soon as we should learn about illegal contents on a linked website, the link will be deleted immediately.

15. Data security and sending of file attachments

We maintain current technical measures to ensure data security, in particular to protect your personal data from the dangers of data transmission and from third parties gaining knowledge. These measures are adapted to the current state of the art. Please note that the transmission of data via our website is not encrypted and therefore you should not send any confidential information via our website.

Please take note that the transfer of data through our website is not made in encrypted form and that you should therefore not send any confidential information via our website.

To ensure our data security, file attachments with possibly active content, such as Microsoft® Word or Excel, as well as compressed files such as ZIP files, are regularly checked by using viruses / malware scanners. For this purpose, we also use the services of external providers [in particular VirusTotal, an offer from Chronicle Security Ireland Limited, 3rd Floor Gordon House, Barrow Street, Dublin 4, Ireland. Chronicle Security Ireland Limited is owned by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, and has adopted their data protection regulations, see https://chronicle.security/privacy/ and https://support.virustotal.com/hc/en-us/articles/115002168385-Privacy-Policy].

This gives these providers knowledge of the file content sent to us and any personal data contained therein. In the opinion of the European Court of Justice, your personal data are nevertheless not protected in a comparable way in the USA as within the EU. There is no adequacy decision by the European Commission or comparable guarantees. The rights of data subjects listed in No. 11 of this data protection declaration cannot therefore be enforced as they are within the EU.

We therefore ask you - if necessary - to send file attachments only in the following formats:

• PDF (Portable Document Format)
• Image files (JPG, JPEG, HEIC, TIFF, GIF)

16. Up-to-dateness of and changes to this data protection statement

This data protection statement is currently valid and is dated December 2020.

It may become necessary to change this data protection statement due to the further development of our website and offers relating thereto or due to altered legal and/or regulatory requirements. You may retrieve the current data protection statement from the website at Data Protection Notice and print it at any time.