Aroundtown SA
37, Boulevard Joseph II, L-1840 Luxembourg
Mr. Frank Roseen, Ms. Jelena Afxentiou, Mr. Ran Laufer (Non-Executive Director),
Mr. Markus Leininger (Independent Director), Ms. Simone Runge-Brandner (Independent Director), Mr. Markus Kreuter (Independent Director),Mr. Daniel Malkin (Independent Director).
The company is duly incorporated in the Grand Duchy of Luxembourg under the commercial register number B217868.
Dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful.
We are the Aroundtown group of companies, a group of real estate companies for commercial and residential properties throughout Europe. In this Privacy Policy, we inform you about how the Aroundtown group entities handle your personal data as part of its business operations. Any reference to data processing by “us” or “we” throughout this policy is referencing the applicable, data controller for the respective data processing activity.
Data is considered personal if it relates to an identified or identifiable natural person. This includes, for example, your name, your address and your IP address. The provisions below serve to provide information as to the manner, extent and purpose in which we process your personal data.
If you visit one of our websites for informational purposes, we process your IP address, information on the device and browser you are using (operating system, browser type and version, host name of the device), the referrer URL and time and date of your request. We process this data to display to you our website correctly, enable its core functions, and to ensure the stability and security of our site.
To provide our website and its basic functions (e.g. language settings, cookie settings), we place cookies on your device. A cookie is a small piece of data placed on your computer’s hard drive that permits it to identify a specific device or browser. Most of these cookies are session cookies that expire at the end of your browsing session. The cookie we use to determine your preferred language which is based on your location as well as the cookie we use to store your cookie settings for our website will both expire within 12 months.
The legal basis for this data processing is Art. 6 (1) (1) (b) GDPR, insofar as it serves to provide our website to you, and Art. 6 (1) (1) (f) GDPR, as we have a legitimate interest to ensure the security of our website, a user-friendly, effective and secure experience and smooth access to its key functions.
We may communicate with each other via various communication channels. In these cases, we may, inter alia, process your personal data for the following purposes:
You may contact us via various channels, including by post, email, fax or telephone. If we communicate, we share personal data with each other. Therefore, we may process your contact data and communication data (e.g. messages, conversations, shared files). The purpose of this data processing is to enable ongoing communication between us and to take care of your request. Based on the communication channel used, additional data may be processed. For example, if we communicate via video conferencing tools, such tools may additionally process technical and service-related data to ensure an uninterrupted connection for our communication. We also sometimes conclude contracts electronically or sign related documents electronically using an electronic signature tool.
The legal basis for the processing relating to communication with you is Art. 6 (1) (1) (b) GDPR or, if the contact does not relate to the conclusion or performance of a contract, Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in having optimized and comprehensible communication and document approval processes with our customers, contract and business partners and respond to their requests.
To attract potential tenants, buyers and sellers, we list our real estate on different real estate platforms. If you make an inquiry to us via such a platform (either for yourself personally or on behalf of your employer), we will receive your name, your contact information and the content of your inquiry (including any personal data that you mention therein and in particular information on the real estate object you are interested in) from the platform operator.
The legal basis for listing our real estate with the help of third-party providers is Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in presenting our real estate in a professional, easily accessible and commercially attractive manner via third party platforms and in improving the quality of and consistency in our interaction with interested parties across real estate platforms.
On some of our websites, you can subscribe to newsletters and mailing lists (such as for investor relations). In the newsletters and mailing lists and depending on the specific newsletter or mailing list you subscribe to, we will periodically inform you about financial results and other investor-related topics or other information related to our company that may be of interest to you. If you subscribe to our newsletters or mailing lists, we process your email address to send relevant information related to the content for which you have registered.
The legal basis for the aforementioned data processing activities is your consent, Art. 6 (1) (1) (a) GDPR. You have the right to withdraw your consent for the newsletter at any given time by clicking on the “unsubscribe” link included in each newsletter or by sending us an email to the email address indicated in Section 17 below. In some cases, even without a subscription, we may send you relevant updates and newsletters if you have entered into a contract with us before, if the mailing contains advertising for similar goods or services such as the ones that were part of our contract, if you have not objected to this use of your email address, and if we have informed you about your right to object upon collection of your email address and in any mailing we may sent to you. The legal basis for such processing is our legitimate interest (Art. 6 (1) (1) (f) GDPR) for marketing our products and services to our customer base. To exercise your right to object, you may use the aforementioned “unsubscribe” mechanism or contact us via email.
For the subscription process, we use a so-called "double opt-in" procedure. You will receive an email with a link confirming that you are the owner of the email address that has been used for the subscription and that you want to receive our newsletters. If your subscription is not confirmed within 30 days of requesting such confirmation from you, your personal data will be automatically deleted.
You may be our contract partner, or you may be about to conclude a contract with us, or you may be employed by one of our (potential) contract partners. If you provide us with personal data of other individuals (e.g. your employees, your managing directors or others), please make sure that they are aware of this Privacy Policy and that you only provide us with their data if you are allowed to do so and such personal data is correct.
As part of our business, we may, inter alia, conclude contracts with each other for the following purposes:
If there is a contract or contract negotiations between you and us or between your employer or company and us, we may process your personal data in connection with the contract conclusion and execution. This may include your name and your contact details as well as other data that is relevant for the contract (e.g. financial information) as far as this information relates to you personally. We may also process contact information of your employees who are in charge of handling the contractual relationship for you.
The purpose of this data processing is to prepare, conclude or execute the contract between you or your employer or company. The legal basis for the processing relating to contract conclusion or execution is Art. 6 (1) (1) (b) GDPR, or, if the contract is concluded with your employer or company, our legitimate interest in conducting and managing this contractual relationship with your employer or company, Art 6 (1) (1) (f) GDPR. Please note that if the services you provide to us include your appearance as a speaker in one of our events or calls and we have agreed on a recording of it, the data processed for contract execution (Art. 6 (1) 81) (b) GDPR) includes video, voice and/or image recordings and their subsequent use / distribution, as the case may be.
In the context of contracts for the purchase and sale of real estate, we may additionally process data on the identity of individuals that are directly or indirectly involved in such sale or purchase to check that the information provided to us in this regard is correct. We do so for compliance with anti-money laundering legislation based on Art. 6 (1) (1) (c) GDPR in connection with the respective legal obligations.
For the conclusion of agreements, such as rental agreements, and as far as this information relates to you as an identifiable individual, we may additionally process information about you that we collected to prepare a contract to check your creditworthiness. The legal basis for this data processing is Art 6 (1) (1) (b) GDPR or Art. 6 (1) (1) (f) GDPR as we have a legitimate interest in ensuring the solvency of our tenants. Please note that such creditworthiness checks may lead to use of your data for credit scoring in order to gather information on your creditworthiness for your future contract partners that may carry out such checks as well.
You may apply for a job with us, including via careers websites operated by us. In order to enable us to make you the best possible job offer and to fill open positions within the Aroundtown group of companies and within Aroundtown-affiliated companies in the best possible way, your application data will be shared with the relevant group or affiliated company with a suitable job opening, which is responsible for data processing in this case (Art. 6 (1) (1) (f) GDPR). This is in our interest as well as in the interest of the entities involved to be able to fill vacancies with the best possible candidates. We also do so with your best interest in mind to make you the best possible job offer.
In the case of your application, we process your name, contact details, information on your qualifications and previous work experience and other information to select a suitable candidate for the respective positions for the application process. This data processing is necessary to process job applications and, ultimately, to prepare an employment contract (Section 26 (1) (1) Federal Data Protection Act (BDSG)). We cannot consider you for a position without processing the aforementioned data. You may also provide us with information that has been marked as voluntary on our career website (e.g. on how you were attracted to the position you apply for). If you do so, we process this as part of your job application based on your consent (Section 26 (2) BDSG in conjunction with Art. 6 (1) (1) (a) GDPR). If your application is unsuccessful, your data will be deleted after the hiring process has been concluded, at the latest within 6 months.
If you are interested in receiving information about other positions in the future, we will retain and process your data for this purpose based on your consent (Art. 6 (1) (1) (a) GDPR). In this case, the data will be retained for 12 months, unless you revoke your consent at an earlier point.
If you visit our business premises, we process your name and the reason for your visit in order to enforce our access control measures to safeguard the security of our business operations. We cannot grant you access to our premises without processing this information. We process this data based on our legitimate interests to enforce suitable security measures (Art. 6 (1) (1) (f) GDPR). In limited specific cases, we may also be required by law to collect certain personal data for security, public health or other important reasons (such as information about the time and date of your visit for compliance with mandatory measures for protection against the Covid-19 pandemic). We process respective data based on Art. 6 (1) (1) (c) GDPR in connection with our relevant legal obligations.
To further ensure the safety and security of our buildings, assets, staff and visitors, we may operate a video surveillance system in certain areas of our business premises. If you visit our premises, these cameras might capture your image. We process data using video surveillance based on our legitimate interest to protect our business premises, property and information, as well as staff and visitors against threats (Art. 6 (1) (1) (f) GDPR). Video surveillance recordings are not evaluated in the regular course but only in exceptional cases, e.g. suspected criminal offences. The images are retained for a maximum of 72 hours. Thereafter, all images are deleted unless images need to be stored for further investigations or as evidence of a security incident.
We may invite you to our events. For this purpose, we may process your name, contact details as well as relevant information on your relationship with us (e.g. business partner, press contact, etc.). The legal basis for this processing is either your consent to receive respective invitations (Art. 6 (1) (1) (a) GDPR) or our legitimate interests to maintain and further our relationship with you (Art. 6 (1) (1) (f) GDPR).
At our events, we may take photographs and, as part of this, potentially capture your image. The legal basis for this data processing is Art. 6 (1) (1) (f) GDPR as we have a legitimate interest in internally documenting our events. In case we intend to use images where you are clearly recognizable for marketing and press-related purposes, we will only do so with your consent (Art. 6 (1) (1) (a) GDPR).
Some of our events may be held digitally, e.g. as webcasts, video meetings, etc. In this case, we may process additional personal data, such as your IP address and technical information (e.g. browser version) to be able to provide you a secure and user-friendly access to the digital event. The legal basis for this data processing is Art. 6 (1) (1) (b) GDPR as well as Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in enabling digital events to run smoothly. If you participate in a digital event and we wish to record it (e.g. video, audio), we will only do so with your consent (Art. 6 (1) (1) (a) GDPR).
If you appear as a speaker or take an active role in one of our (digital) events, please take note of additional information on data processing as part of your contractual engagement in Section 3 above.
We send out press releases and updates with information about development projects, business updates and other initiatives to journalists and press representatives we have met (e.g. you may have given us your business card at an event). If you are such a press representative, we process your contact data to provide you with such updates based on our legitimate interest to manage our public image (Art. 6 (1) (1) (f) GDPR).
You may also contact us to receive these updates by sending us your contact details (name, e-mail address, the name of your company/institution/employer) by e-mail to [email protected]. We will then add you to the respective mailing list for relevant topics or locations. The legal basis for this processing activity is Art. 6 (1) (1) (b) GDPR (provision of updates based on your request).
You can unsubscribe from receiving press releases at any time by sending us an email to the contact address provided above.
If you are a shareholder or proxy of a shareholder of Aroundtown SA, we may process your personal data in connection with the convening and holding of shareholder meetings by Aroundtown SA. This personal data may be received directly from you or provided to us by third parties (such as depository banks).
We may process your personal data for the purpose of holding the Annual General Meeting and /or an Extraordinary General Meeting and/or an Ordinary General Meeting (“General Meeting(s)”). In order to enable you to participate in and vote at the General Meetings, we may process the number of shares that you hold on the relevant record date according to the record date confirmation issued by your depository bank that is holding your shares. Additionally, we may process personal data concerning your attendance at the General Meeting(s). This includes, for example, your name, address, email address and phone number, if you will attend the General Meeting(s) in person or if you will be represented by a proxyholder, and, if applicable, the voting instructions you provided to your proxyholder. Your personal data may be processed even if you do not attend the General Meeting(s). e.g. in case you request to add items to the agenda of the General Meeting(s) and/or to table draft resolutions for items included or to be included on the agenda of the General Meeting(s) and/or you send questions to the Company about items on the agenda of the General Meeting(s) before such meeting(s). The legal basis for this processing is Art. 6 (1) (1) (c) GDPR in connection with Art. 4, Art. 5 (3), Art. 7 and Art. 9 of the Luxembourg law of 24 May 2011 on the exercise of certain rights of shareholders in general meetings of listed companies, as amended, (“Shareholders’ Rights Law”) and Art. 450-1 (2) of the Luxembourg law of 10 August 1915 on commercial companies, as amended from time to time. If we decide to or are required to hold a virtual General Meeting, we may additionally process your name, e-mail address and IP address via web conferencing tools based on our legitimate interest in enabling such virtual meetings to run smoothly and in compliance with applicable laws and regulations (Art. 6 (1) (1) (f) GDPR).
Additionally, the aforementioned personal data as well as your voting decisions will be processed in order to publish the attendance percentage and the voting results of our General Meeting(s). The legal basis for this processing is Art. 6 (1) (1) (c) GDPR in connection with Art. 11 of the Shareholders’ Rights Law.
The Aroundtown group of companies has implemented a whistleblowing system that enables employees, business partners and service providers to submit reports on relevant compliance violations via different reporting channels, including the possibility to submit these reports anonymously, if you wish to do so. You may find information about the different reporting channels on our website. We offer reporting via post, email, telephone, personal meetings as well as a digital reporting system. You may access the aforementioned digital reporting system here: https://www.bkms-system.com/bkwebanon/report/clientInfo?cin=6UhYaE&c=-1&language=eng. Under this hyperlink, you will also find more detailed information on the functioning of this system, security measures and data protection in connection with the digital reporting system.
We may process personal data contained in reports from the whistleblowing system as well as any follow-up communication relating to the reported incident, including on potential witnesses and any accused persons, as part of our investigations and potential subsequent measures (e.g. disciplinary measures). If a potential whistleblower reaches out via post, telephone, email or personal meeting, they may voluntarily provide information on their contact details (such as address, telephone, email) for follow-up communication which could reveal their identity. The selected individuals handling the communication and investigations receive regular training on confidentiality and data protection and are bound to confidentiality. As part of the investigation and, depending on which Aroundtown group entity is affected by the incident, some data may be processed by said relevantly affected Aroundtown group entity.
We process this personal data based on our legitimate interests (Art. 6 (1) (1) f GDPR) to have reporting channels that enable us to receive and investigate reports on potential criminal offenses, serious compliance violations and other cases of abuse throughout the Aroundtown group of companies. Additionally, some of the Aroundtown group entities may be, or may in the future be, subject to legal obligations to introduce a respective whistleblowing system. If this is or will be the case, the legal basis for data processing is Art. 6 (1) (1) c GDPR in connection with the relevant legal obligations under the applicable national law.
We maintain and use IT systems for processing personal data (such as email systems). Furthermore, we are obliged to protect the personal data we hold for you, our business and contract partners and our employees. We may process your personal data to facilitate the use and management of our IT systems that are accessible to you (such as email systems or websites). For these IT systems, we have implemented and constantly update our IT security measures in order to comply with our duties imposed by the GDPR and other IT and data security laws. For the aforementioned purposes, we may process information generated by such access, such as names, email addresses and passwords, user names, nature and content of emails (including date and time), IP addresses, device information, network location. The scope of data processing depends on the respective IT system and its IT security protection measures.
This data is exclusively used to maintain and grant access to our IT systems and to ensure a proper IT security standard in this process. The legal basis for data processing is Art. 6 (1) (1) (f) GDPR, as well as Art. 6 (1) (1) (c) GDPR in conjunction with Art. 32 (1) GDPR. We have a legitimate interest in using, maintaining and protecting our IT systems from cyber-threats and other security incidents that could harm our business or your data.
We may engage service providers to provide respective IT security measures. The data transfer to those service providers is justified under Art. 28 GDPR in connection with the data processing agreement.
In specific cases, we may process your personal data for the following purposes:
For some of the aforementioned purposes, we may disclose your personal data to other parties. In addition to any recipients already mentioned in this privacy policy, these categories of recipients include data processors acting on our behalf and bound by our instructions, such as:
The legal basis for respective data transfers is Art. 28 GDPR in connection with the respective data processing agreement concluded with the recipient. Through these agreements, we have contractually bound these recipients to process your personal data only on our behalf and in accordance with our instructions.
We will also transfer your personal data to other third parties for some of the purposes and according to the legal bases mentioned above in this Privacy Policy, in particular:
As far as this is necessary for internal administrative and operational purposes, we may also transfer your personal data to other entities in the Aroundtown group of companies based on our legitimate interest in this regard (Art. 6 (1) (1) (f) GDPR).
When sharing your personal data with external recipients (see Section 12 above), some of your personal data may be transferred to other countries, including third countries outside the EU / EEA where such laws may not provide the same level of protection for your personal data as the GDPR does. Please note that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we will endeavor to take the required measures to maintain an adequate level of data protection when sharing your personal data with recipients established in such countries.
In the case of a transfer to a country outside of the EEA, this transfer is either safeguarded by a so-called adequacy decision from the European Commission declaring that such country provides for an adequate level of data protection, or, if such adequacy decision does not exist, the conclusion of EU Standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) and additional measures, if necessary.
We have reasonable state of the art security measures in place to protect against loss, misuse and alteration of personal data under our control. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we will use all reasonable efforts to prevent it.
We retain your personal data only for as long as is necessary for the purpose for which it is processed and delete it afterwards, unless we are required by law to retain it for a longer period (e.g. to comply with statutory retention obligations under tax law).
You have the following data protection rights, depending on the circumstances of the specific case, which you may exercise by contacting us as set out in Section 17 below:
You have the right to require information as to whether your personal data is retained and request access to your personal data and/or copies of such data, including purposes of processing, the processed data categories, its recipients as well as potential data retention periods.
You have a right to request the rectification, deletion or restriction of processing of your personal data, for example if (i) it is incomplete or inaccurate, (ii) it is no longer necessary for the purposes for which it was collected, or, (iii) the consent on which the processing was based has been withdrawn.
You have the right to refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time.
You have the right not to be subjected to any automated decision making, including profiling, which produces legal effects on you or affects you with similar significance.
You have the right to receive the data, which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from use. You also have the right to transmit this data directly to another controller, where technically feasible.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, where we process your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 (1) (1) (e) GDPR) or where we process your personal data based on our legitimate interests (Art. 6 (1) (1) (f) GDPR). In case we process your personal data for direct marketing purposes, you also have the right to object at any time.
You have a right to take legal action against any potential breach of your rights regarding the processing of your personal data, as well as to lodge a complaint with the competent supervisory authority.
For questions, suggestions and comments on the topic of data protection, please feel free to contact our group Data Protection Officer under [email protected] concerning the processing of your personal data.
If you are an investor, please reach out to [email protected] for investor-related questions, including on data processing. Please contact this email address to be removed from investor mailing lists or newsletters to which you may be subscribed.
We reserve the right to change this Privacy Policy from time to time in accordance with applicable data protection regulations. Please check this website regularly for updates.
For our website to function properly we use cookies. To obtain your valid consent for the use and storage of cookies in the browser you use to access our website and to properly document this we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands. Website: https://cookiefirst.com referred to as CookieFirst.
When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned.
CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is article 6(1)(c) of the General Data Protection Regulation (GDPR).
We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.
Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected: