Data Protection Policy
Data protection information
This Data Protection Policy contains information on the extent to which we process your personal data (referred to below as “data”).
1. Data controller
The data controller in accordance with the General Data Protection Regulation (GDPR) is:
THE FLAG Holding GmbH
Listertalstrasse 73
57439 Attendorn
Germany
Web: www.the-flag.de
E-mail: datenschutz@the-flag.de
2. Data protection officer contact details
Matthias Rosa, RMPrivacy GmbH, Große Langgasse 1a, 55116 Mainz
E-mail: datenschutz@the-flag.de
3. Joint processing
We process personal data jointly in THE FLAG group of companies to ensure effective internal management of personal data and group systems. To this end, we transfer your data to companies affiliated with us in accordance with section 18 et seq. of the German Stock Corporation Act (AktG), or process the data in systems that are jointly operated together with the companies affiliated with us.
You can view the stakeholders in our group of companies here: https://the-flag.de/wp-content/uploads/2021/05/the-flag-gruppe.pdf
The legal basis for the joint processing of data is our overriding legitimate interest in an effective administration and IT infrastructure pursuant to Art. 6 (1) f) GDPR.
We are jointly responsible together with our affiliated companies for the processes that are subject to joint data processing in accordance with Art. 26 GDPR. Accordingly, we have set out the internal authorities and responsibilities in a binding contract.
The information requirements under the GDPR will be fulfilled by the company that you contact first.
We have assigned the fulfilment of data subject rights internally to RMBC GmbH, which you can contact at datenschutz@the-flag.de. You can also contact us at any time if you have any queries or would like to exercise your data protection rights using the contact details in section 1. We will then forward your query internally to the relevant department.
The specific processes that are covered by joint processing are indicated accordingly below.
4. General Information on data processing
We process data within the scope of our business and website operations.
This also includes disclosure in the form of transfer to third parties and, if necessary, to third countries outside the European Union (EU) and the European Economic Area (EEA). Insofar as we transfer data outside the EU or the EEA, we have indicated this accordingly below.
5. Data processing
The individual data affected, processing purposes, legal bases, recipients and where applicable, transfers to third countries are stated below:
a) Log files when visiting websites
We log your website visit. In this context, we process:
- the name(s) of the accessed web page(s),
- date and time of access,
- transferred data volume,
- browser type and version,
- your operating system,
- referrer URL (previously visited web page),
- your IP address,
- querying provider.
The legal basis for processing these data is our overriding legitimate interest in the continuous provision and security of our website in accordance with Art. 6 (1) f) GDPR.
Log files are deleted after seven days, unless they are required to clarify or substantiate specific breaches of the law that have emerged during the retention period.
b) Hosting
In order to operate our website, we employ the services of web-hosting providers which process the above-mentioned data and all data to be processed in connection with the operation of this website (website visit log file) on our behalf.
The legal basis for processing these data is our overriding legitimate interest in the provision of our website in accordance with Art. 6 (1) f) GDPR.
c) Contacting us
If you contact us, we process the following data about you for the purpose of processing and handling your enquiry: name, contact information – if you have provided it – and your message.
The legal basis for processing your data is our obligation to fulfil a contract and/or to fulfil our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your request pursuant to Art. 6 (1) f) GDPR.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
d) Contacting us for job applications
If you contact us to submit a job application, e.g. by e-mail or through a contact form, your data (e.g. name, e-mail address, requested place of work), your message and job application documents are processed for the sole purpose of processing and handling your job application.
The legal basis for these data processing activities is section 26 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which states that data may be processed which are required in connection with making a decision about concluding an employment contract with an applicant.
Should the data be required once the application process has been completed, i.e. for litigation purposes, the data may be processed to maintain our legitimate interests in accordance with Art. 6 (1) f) GDPR, namely for the assertion and/or defence of claims.
e) Inclusion in our applicant pool
If you wish, we can include your application profile in our pool of applicants so that we can consider and invite you to apply for suitable vacancies.
The legal basis for inclusion in our applicant pool is your consent pursuant to Art. 6 (1) a) GDPR.
f) Newsletter
You can subscribe to our e-mail newsletter to receive regular information on our company and products. When you subscribe to the newsletter, we process the data entered by you (e-mail address and other voluntary information). To prevent misuse, we will send you an e-mail requesting that you confirm your subscription once you have signed up for it (double-opt-in method). Your subscription is logged in order to substantiate that the subscription process meets legal requirements. This includes the subscription and confirmation date and time as well as your IP address.
The legal basis for receipt of the newsletter is your consent pursuant to Art. 6 (1) a) GDPR. The processing of data in connection with the sending of the confirmation e-mail for your registration and the associated logging of data is carried out in accordance with Art. 6 (1) f) GDPR on the basis of our legitimate interest in providing proof of your proper registration.
When you provide your consent, we also analyse if you have opened the newsletter as well as how you scroll through and click on sections of the newsletter. This is carried out in order to tailor the newsletter to suit your interests as well as to improve newsletter content. The legal basis for this analysis of the newsletter is your consent pursuant to Art. 6 (1) a) GDPR.
For the dispatch of the newsletter, we use a service provider who processes the aforementioned data on our behalf.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
g) Buyer profile
If you wish to offer us a property for sale, we process your contact details within the scope of pre-contractual correspondence and/or to conclude an agreement.
The legal basis for processing data is our obligation to fulfil the agreement and/or to fulfil our pre-contractual obligations in accordance with Art. 6 (1) b) GDPR.
h) Video surveillance in our buildings
We occasionally employ video surveillance systems in our properties. The monitored areas are marked with the following pictogram and information:
We use video surveillance to protect against burglaries and vandalism. The legal basis in this context is our legitimate interest in accordance with Art. 6 (1) f) GDPR regarding the protection of property against vandalism. All persons present in the marked area are recorded. The recordings are deleted automatically after 72 hours.
i) Cookies
Information on the specific cookies we use, their providers and purposes can be found in our Consent banner, where you can provide or revoke your consent to the respective services or subsequently adjust your settings.
j) Member programme
If you participate in our Member Programme and thus become a member of our bonus programme, you will benefit from many advantages. For this purpose, we process your name, e-mail address, date of birth, address and password.
The legal basis for participation in the Member Programme is your consent pursuant to Art. 6 (1) a) GDPR. This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
k) Analysis/Marketing
aa) Google services
We use a range of services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on our website. This may result in data transfers to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA.
There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. A copy of the relevant EU standard contractual clause will be provided upon request. Please contact datenschutz@the-flag.de for this.
Google Analytics
On our website, we use the Google Analytics tracking tool by Google. We use Google Analytics to evaluate your use of the website, compile reports on activities performed on our website, and provide other services related to the use of the website in order to improve user-friendliness.
When using Google Analytics, the interactions of visitors to the website are recorded primarily via cookies, and systematically evaluated.
We use Google Analytics with the “anonymizeIp()” extension. This shortens IP addresses from member states within the EU or EEA. Where data are forwarded to Google servers in the USA, the full IP address is only transferred and abbreviated there in exceptional cases. This generally rules out a direct reference to individuals. In particular, it is no longer possible to associate the data with the website visitor’s computer or end-device.
The use of Google Analytics means that the following data are processed:
- 3 bytes of the IP address of the website visitor’s system (anonymised IP address),
- the website that was accessed,
- the website that redirected the user to the requested page of our website (referrer),
- the subpages accessed from our website,
- the time spent on our website,
- how often our website was accessed.
According to its own policy, Google never associates your IP address with other Google data.
Legal basis and revocation of consent
The legal basis for processing data within the scope of the above-mentioned Google services is your consent provided in advance in accordance with Art. 6 (1) a) GDPR.
You can revoke your consent at any time with future effect by adjusting your preferences in our Consent banner.
bb) Facebook custom audiences
On our website, we use what is known as a tracking pixel by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. We use Facebook Pixel to track the success of our own Facebook advertising campaigns and to optimise the distribution of Facebook advertising campaigns among interested target groups.
After clicking on a Facebook ad or when visiting our website, a cookie is stored on your end device using the pixel on our website. The cookie processes data as to whether you have reached our website via a Facebook ad and enables us to analyse users’ behaviour up to the point of purchase. This enables us to track the success rate of our advertising campaigns on Facebook. In addition, the pixel processes data on the fact that you have visited our website and makes it possible to adapt the advertising posted on Facebook to your interests.
The Facebook pixel integrated on our website establishes a direct connection to the Facebook servers when you visit our website. The information generated by the cookie on your use of this website (including your IP address) is transmitted to Facebook in the USA.
There is no EU Commission adequacy decision for data transfers to the USA. Facebook ensures an adequate level of data protection via the EU standard contractual clauses. We will provide a copy of the contractual clauses upon request. Please contact datenschutz@the-flag.de for this.
The data collected are anonymous and do not enable us to identify the user. If you are registered with Facebook, Facebook can associate the information collected with your account. Even if you do not have a Facebook account or are not logged in when you visit our website, your IP address and other identification data may be processed and stored by Facebook.
You can revoke your consent for data processing by Facebook Pixel for our web domain at any time with future effect by adjusting your preferences in our Consent banner.
The legal basis for data processing is your consent pursuant to Art. 6 (1) a) GDPR.
l) External content
We use dynamic content from third parties to optimise the presentation of and offers on our website. When visiting the website, a request is made automatically to the server of the relevant content provider using an application programming interface (“API”) that transfers certain log data (such as the user’s IP address). The dynamic content is then transferred to our website, where it is displayed.
We use external content in connection with the following functionalities:
aa) Integration of YouTube videos
Our website features videos integrated from the YouTube portal operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”). The data controller for data processing at YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). However, when the videos are played, log data are transmitted to YouTube servers in the USA.
The legal basis for processing data is our overriding legitimate interest in the optimal marketing of our online services in accordance with Art. 6 (1) f) GDPR.
There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. A copy of the relevant EU standard contractual clause will be provided upon request. Please contact datenschutz@the-flag.de for this.
bb) Google Fonts
We use external fonts from Google Fonts to enhance the attractiveness of our website. These fonts are loaded from the servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) when our website is visited. This does not lead Google to save cookies in your browser. However, according to our information, the IP address of the user’s end-device is transmitted to Google, where it is stored. This processing is carried out on the basis of our overriding legitimate interest in the optimal marketing of our services in accordance with Art. 6 (1) f) GDPR.
It cannot be ruled out that data may be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. A copy of the relevant EU standard contractual clause will be provided upon request. Please contact datenschutz@the-flag.de for this.
cc) Google Maps
We use the “Google Maps” mapping service on our website to provide you with an interactive map. When displaying the map, data, including your IP address and location, are transferred to Google servers in the USA, where they are stored. This processing is carried out on the basis of our overriding legitimate interest in the optimal marketing of our services in accordance with Art. 6 (1) f) GDPR.
The data controller for data processing at Maps is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). It cannot be ruled out that data may be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. A copy of the relevant EU standard contractual clause will be provided upon request. Please contact datenschutz@the-flag.de for this.
6. Data retention periods
We store your personal data only as long as it is required for the purposes for which it is processed or until you withdraw your previous consent for us to do so. The retention period for certain data may be up to 10 years in the event of us having to comply with statutory retention periods, irrespective of the processing purposes.
7. Your rights as a data subject
a) Information
You can request information on all of your personal data that we have stored free of charge and at any time.
b) Correction, deletion, restriction of processing (blocking), objection
If you no longer agree to your personal data being stored or if they are no longer correct, upon your instructions, we will delete or block your data or correct them as necessary (insofar as this is permitted under the applicable law). The same applies if we are to process data only to a limited extent in the future. You have the right to object to the processing of your data especially in cases where they are required in order to perform a task which is in the public interest or in our legitimate interest, as well as where profiling is performed on the basis of your data. You also have the right to object to the processing of your data for direct marketing purposes.
c) Right of revocation of consent with future effect
You may revoke any consent you have already given with future effect at any time. Revoking your consent will not affect the legitimacy of the processing up to the point when you revoke your consent.
d) Data transferability
You may exercise your right to transfer your data in cases where they are processed on the basis of a contract, pre-contractual negotiations, consent or by automated means. Upon request, we will provide you with your data in a standard, structured and machine-readable format to enable you to transfer them to another data controller if you so wish.
e) Restriction of processing
Data that do not enable us to identify the data subject, for example where the data have been anonymised for analysis purposes, are not covered by the rights set out above. Information, deletion, blocking, correction and transfer to another company may be feasible in respect of these data if you provide us with additional information enabling us to identify the data subject.
f) Exercising your rights as a data subject and right of complaint
Should you have questions regarding the processing of your personal data, or regarding information on, correction, blocking or deletion of, or objection to the processing of your data, or wish to transfer the data to another company, please contact: datenschutz@the-flag.de.
You may also submit a complaint to a supervisory authority with regard to your rights as a data subject.