Privacy Policy

Table of Contents

1. Name and address of the controller
2. General information on data processing
   1. Scope of processing of personal data
   2. Legal basis for the processing of personal data
   3. Data erasure and storage period
3. Provision of the website and creation of log files
   1. Description and scope of data processing
   2. Legal basis for data processing
   3. Purpose of data processing
   4. Duration of storag
   5. Right to object and remove
4. Use of cookies
5. E-mail contact
   1. Description and scope of data processing
   2. Legal basis for data processing
   3. Purpose of data processing
   4. Duration of storage
   5. Right to object and remove
6. Use of Google Maps
7. Rights of the data subject
   1. Right of access
   2. Right to rectification
   3. Right to erasure
   4. Right to notification
   5. Right to data portability
   6. Right to object
   7. Right to withdraw the declaration of consent under the Data Protection Act
   8. Automated individual decision-making, including profiling
   9. Right to lodge a complaint with a supervisory authority

I. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as data protection regulations is:

Kornmarkt Arkaden
Mainzer Landstraße 11-17
60329 Frankfurt am Main
Germany
Phone: +49 (0) 69 9101-6263
Email: info@kornmarkt-arkaden.com

II. General information on data processing

1. Scope of processing of personal data

We process personal data of our users in principle only where this is required to provide a functional website as well as the contents and services we offer. Our users’ personal data is usually only processed with the consent of the user. An exception applies to cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Where we obtain the consent of the data subject for the processing of personal data, Article 6 (1) (a) EU General Data Protection Regulation (GDPR) serves as legal basis.
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, Article 6 (1) (b) GDPR is the legal basis. This also applies to processing operations that are necessary for measures required prior to entering into a contract.
Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6 (1) (c) GDPR is the legal basis.
If the processing of personal data is required in order to protect the vital interests of the data subject or of another natural person, Article 6 (1) (d) GDPR is the legal basis.
If the processing is required to protect the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interests, Article 6 (1) (f) GDPR is the legal basis for the processing.

3. Data erasure and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. In addition, personal data may be stored if this is provided for by European or national legislators in EU regulations, laws, or other regulations to which the controller is subject. Data is also blocked or deleted when a storage period that has been prescribed by the standards mentioned expires, unless there is a requirement for the continued storage of the data for the conclusion or performance of a contract.

III. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected thereby:

1) Information about the browser type
2) The user’s operating system
3) The IP address of the user (the two last octets are anonymised, i.e. they always end with “.0.1”)
4) Date and time of the access as well as the time zone of the server
5) The request (http_request)
6) The http status code
7) The size of the response
8) The referer (http_referer)

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6 (1) (f) GDPR.

3. Purpose of data processing

Temporary storage of the IP address by the system is required to enable the delivery of the website to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session. Log files are used for the storage in order to ensure the functionality of the website. The data also helps us to optimise the website and to safeguard the security of our IT systems. In this context, the data is not evaluated for marketing purposes.

Our legitimate interest in data processing also lies in these purposes, in accordance with Article 6 (1) (f) GDPR.

4. Duration of storage

The data will be deleted as soon as it is no longer required for the purpose of its collection. The data is automatically erased after no later than two months.

5. Right to object and remove

The capture of data for the delivery of our website and the storage of the data in log files is imperative for the operation of our website. The user therefore does not have the option to object.

IV. Use of cookies

The front end functions ‘stand-alone’ and does not set any cookies.

V. E-mail contact

1. Description and scope of data processing

Contact can be established via the e-mail addresses provided. In this case, the user’s personal data which is transmitted with the e-mail will be stored.

Data will not be passed on to third parties in this context. This data will be used exclusively for processing the conversation.

2. Legal basis for data processing

The legal basis for the processing of data transmitted in the course of sending an e-mail is Article 6 (1) (f) GDPR. If the e-mail contact is aimed at forming a contract, an additional legal basis for the processing is Article 6 (1) (b) GDPR.

3. Purpose of data processing

If contact is made via email, this also provides the required legitimate interest in the processing of the data.

4. Duration of storage

The data will be deleted as soon as it is no longer required for the purpose of its collection. This applies to personal data which was sent via e-mail when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that the relevant facts have been conclusively clarified.

5. Right to object and remove

The user has the right to withdraw consent to the processing of their personal data at any time. A user contacting us by e-mail may object to the storage of their personal data at any time. In this case, the conversation cannot be continued.

VI. Use of Google Maps

This website uses the Google Maps API to visually present geographical information. During the use of Google Maps, data on the use of the Maps functions by the visitors of the websites is also collected, processed and used by Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, California, 94043).
Further information on data processing by Google can be found in Google’s Privacy Policy, which you can view at www.google.com/privacypolicy.html.

Note:
The controller of this website does not have any influence on the data transmission.

VII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of GDPR and you have the following rights against the controller:

1. Right of access

You have the right to obtain confirmation from the controller as to whether or not personal data relating to you is being processed by us.

Where this is the case, you can request the following information from the controller:

(1) the purposes for which the personal data is processed;
(2) the categories of personal data that is processed;
(3) the recipients or categories of recipients to whom the personal data relating to you has been disclosed or will be disclosed;
(4) the envisaged period for which the personal data relating to you will be stored, or, if it is not possible to provide specific details, the criteria used to determine the period of storage;
(5) the existence of a right to rectification or erasure of the personal data relating to you, a right to restriction of processing by the controller and a right to object to this processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) any available information on the origins of the data, if the personal data are is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic applied as well as the significance and the envisaged effects of such processing for the data subject.

You have the right to request information on whether the personal data relating to you is transmitted to a third country or to an international organisation. In this case, you may request information about the appropriate safeguards in place in accordance with Article 46 GDPR, with regard to the transmission.

2. Right to rectification

You have the right to request the rectification and/or completion of your personal data from the controller if the processed personal data relating to you is incorrect or incomplete. The controller shall process the rectification immediately.

Subject to the following conditions, you may request the restriction of the processing of personal data relating to you:

(1) if you dispute the accuracy of the personal data relating to your person for a duration which enables the responsible party to verify the accuracy of the personal data;
(2) the processing is unlawful, and you oppose the deletion of the personal data and instead request a restriction of its use;
(3) the controller no longer requires the personal data for the purposes of the processing, however, you require these for the establishment, exercise or defence of a legal claim, or
(4) if you have objected to the processing in accordance with Article 21 (1) GDPR and it has not yet been established whether the legitimate grounds of the controller outweigh your grounds.

If processing of the personal data relating to you has been restricted, then this data may only be processed, apart from its storage, with your permission or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of a significant public interest for the EU or a member state.

If the processing has been restricted in accordance with the above-mentioned conditions, you shall be notified by the controller before the restriction is lifted.

3. Right to erasure

a) Duty to delete

You can request the controller to immediately erase the personal data relating to you, and the controller has an obligation to erase such data immediately, if one of the following grounds applies:

(1) The personal data relating to your person are no longer required for the purposes for which they were collected or otherwise processed.
(2) You are withdrawing your consent, on which the processing in accordance with Article 6 (1) (a) or Article 9 (2) (a) GDPR was based, and there is no other legal basis for processing.
(3) You are objecting to the processing in accordance with Article 21 (1) GDPR, and there are no overriding legitimate grounds for the processing, or you are objecting to the processing in accordance with Article 21 (2) GDPR.
(4) The personal data relating to you was unlawfully processed.
(5) The personal data relating to you has to be erased for compliance with a legal obligation pursuant to EU law or the Member State’s law to which the controller is subject.
(6) The personal data relating to you was collected in relation to the offer of information society services in accordance with Article 8 (1) GDPR.

b) Information disclosed to third parties

If the controller has made the personal data relating to you public, and he has a duty to delete such data in accordance with Article 17 (1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you, as the data subject, have requested the deletion of all links to these personal data or of copies or replications of those personal data.

c) Exceptions

The right to erasure does not exist where the processing is required

(1) for the exercise of the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires the processing in accordance with EU law or Member State law which governs the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interests in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

4. Right to notification

If you have asserted your right to rectification, erasure, or restriction of processing toward the controller, the latter has a duty to communicate this rectification or erasure or restriction of processing to each recipient to whom the personal data relating to you has been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about those recipients by the controller.

5. Right to data portability

You have the right to receive the personal data relating to you which you have provided to the controller, in a structured, commonly used, and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller who has been provided with the personal data, if

(1) the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and
(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data relating to you transmitted directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be adversely affected by this.

The right to data portability does not apply to the processing of personal data which is required for the performance of a task, which is in the public interest or carried out in the exercise of public power, or which has been transferred to the controller.

6. Right to object

You have the right to object at any time to processing of personal data relating to you on grounds relating to your particular situation where the processing is based on Article 6 (1) (e) or (f) GDPR.

The controller will no longer process the personal data relating to you unless the controller can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims.

Where the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

Where you object to the processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.

7. Right to withdraw the declaration of consent under the Data Protection Act

You have the right to withdraw your declaration of consent under the Data Protection Act at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent until the withdrawal.

8. Automated individual decision-making, including profiling

You have the right not to be subjected to a decision that is exclusively based on automated processing, including profiling, where such decision has a legal effect or a similar significant adverse effect on you. This does not apply if the decision

(1) is required for the formation or the implementation of a contract between yourself and the controller,
(2) is admissible due to EU law or Member State law by which the controller is governed, and if these legal provisions contain reasonable measures to safeguard your rights and freedoms as well as your legitimate interests or
(3) is made with your express consent.

These decisions may not, however, be based on special categories of personal data in accordance with Article 9 (1) GDPR, provided that Article 9 (2) (a) or (g) GDPR does not apply and reasonable steps have been taken to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases named in (1) and (3), the controller shall take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, whereby this includes at least the right to seek intervention of a person on the part of the controller, the right to present one’s own view and the right to contest the decision.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Article 78 GDPR.