RFR Management GmbH Privacy Notice as of 26th February 2021
Thank you for visiting our website and for your interest in our company and our services. Data protection and privacy is very important to RFR Management GmbH. If we need to process Personal Data for reasons other than those provided by statute, we will always seek the consent of the Data Subject.
Personal Data will be processed only in conformity with the EU General Data Protection Regulation (GDPR) and with national data protection laws and regulations applicable to RFR Management GmbH. For the purposes of this Privacy Notice, “Personal Data” means all data relating to you personally, e.g. your name, address, email address, IP address or user behaviour.
By means of this Privacy Notice, we would like to inform the general public about why and how we collect, use and process what type and amount of Personal Data, and about Data Subjects’ rights relating to the collection and processing of Personal Data.
RFR Management GmbH, in its capacity as Controller, has implemented numerous technical and organisational measures to ensure the most complete protection of Personal Data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every Data Subject is free to transfer Personal Data to us via alternative means, e.g. by telephone.
1. Name and address of the Controller
The “Controller” for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
RFR Management GmbH
60325 Frankfurt am Main
Telephone: +49(0)69/71 71 299-0
2. Name and address of the Data Protection Officer
The Data Protection Officer of the Controller is:
Any Data Subject may contact our Data Protection Officer directly at any time with questions and suggestions related to privacy.
3. Collection of Personal Data and information
(1) The website of RFR Management GmbH collects a range of Personal Data and information every time the website is called up by a Data Subject or by an automated system, including if it is used purely for information. These data and information are sent from your browser to our server, where it will be saved in server log files. If you wish to view our website, we will collect the following data, which is a technical necessity for us to display the website and ensure its stability and safety, for example:
- your IP address,
- the date, time and duration of your visit,
- the subject of your request (the exact page you viewed)
- access status/http status code
- the referring website (i.e. the website you came from before visiting our website)
- the name and version of your browser,
- the name and version of your operating system.
(2) When we use these data and information, RFR Management GmbH does not draw any conclusions about the identity of the Data Subject. Rather, this information is needed to
- deliver the content of our website correctly,
- ensure the long-term viability of our information technology systems and website technology, and
- provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
(3) Therefore, RFR Management GmbH analyses collected data and information statistically and with the aim of increasing data protection and data security at our company to ensure an optimal level of protection for the Personal Data we process. The data from the server logfiles are stored separately from all Personal Data a Data Subject may have provided.
(4) If you contact us by email, we will store the information you provide (your email address and, if applicable, your first and last name) to process your enquiry. All data created in this context will be deleted when they are no longer needed, or if statutory retention requirements apply to them, we will restrict their processing.
(1) The website of RFR Management GmbH uses both transient and persistent cookies. Cookies are small text files that are placed in the web browser of a computer system, where they remain stored. Cookies cannot execute programs or transmit viruses to your computer. Their purpose is to make the general online experience more user-friendly and effective.
(2) Many cookies contain a “cookie ID”. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that can be used to assign web pages and servers to the specific web browser where the cookie was stored. This makes it possible for the web pages and servers visited to distinguish the specific browser of a Data Subject from other web browsers containing other cookies. A specific web browser can be recognised and identified based on the unique cookie ID.
(4) Most browsers are set to accept cookies by default. However, Data Subjects can change their browser settings to reject cookies from our website at any time and thus object to the placement of cookies permanently. Moreover, cookies already placed can be deleted by a user at any time through a web browser or other software programs. This is possible in all common web browsers. If a Data Subject disables cookies in his or her web browser, he or she may not be able to use all the features of our website.
(5) Such stored information will be retained separately from any other data provided to us. In particular, we will not combine data gathered from cookies with any other data we may have stored about you.
5. Categories of recipients to whom Personal Data may be disclosed
(1) We use service providers (e.g. IT service providers) to carry out some of the processes and provide some of the services described above. The service providers we work with are carefully selected and commissioned in accordance with applicable data protection laws and regulations. These third-party service providers are bound by our instructions and are subject to regular performance reviews. They will not disclose your data to third parties.
(2) We may disclose data about you to other recipients only as required by applicable law, or with your consent, or where such disclosure is authorised. If these conditions are met, recipients of Personal Data may include:
- government agencies or institutions (e.g. fiscal and law enforcement authorities) if we are required to do so by law or regulation, or
- other companies or similar organisations to whom we may transfer Personal Data for the administration of our business relationship with you.
(3) The Recipients may, on their own responsibility, transfer Personal Data to their agents and/or delegates (the "Subrecipients") who will process the Personal Data for the sole purpose of assisting the Recipients in providing their services to the Controller and/or assisting the Recipients in fulfilling their own legal obligations.
Recipients and sub-recipients may be located either inside or outside the European Economic Area (the "EEA"). If recipients outside the EEA are located in a country that does not offer an adequate level of protection for personal data, controllers will conclude a legally binding transfer agreement with the recipients concerned in the form of model clauses approved by the EU Commission. In this context, the data subjects have the right to request copies of the relevant document to enable the transfer of personal data to these countries. The Recipients and Subrecipients can process data as a data processor or as a controller to discharge their own legal liabilities.
6. Legal basis and purpose of processing
We process your Personal Data in compliance with applicable data protection laws and regulations (as amended from time to time). Such processing is lawful if any one of the following conditions applies:
- Consent, Article 6(1)(a) GDPR
The processing of Personal Data is lawful if the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes (e.g. to process his or her enquiry, use of data for marketing purposes).The Data Subject has the right to withdraw consent at any time with effect for any further processing.This also applies to consent Data Subjects may have given to us before the GDPR came into force, i.e. before 25 May 2018.
- Performance of a contract, Article 6(1)(b) GDPR
We process Personal Data in order to perform our obligations under a contract with you or in order to take steps at your request prior to entering into a contract. The purpose of such processing depends mainly on the nature of your request.
- Compliance with a legal obligation, Article 6(1)(c) GDPR
RFR Management GmbH is subject to a range of legal obligations, including, but not limited to
- retention requirements under commercial and tax law, specifically under the German Commercial Code [Handelsgesetzbuch– HGB] and the German Tax Code [Abgabenordnung – AO],
- monitoring and reporting obligations under tax law.
- Legitimate interests, Article 6(1)(f) GDPR
Where necessary, we process your Personal Data not only in order to perform a contract but also for the purposes of legitimate interests pursued by RFR Management GmbH or third parties, for example
- in order to establish and exercise legal claims or defend litigation,
- to ensure IT security and IT operations,
- to analyse and enhance your use of our website.
7. Criteria used to determine the period of storage of Personal Data
(1) Personal Data are retained in compliance with applicable data processing legislation and statutory record retention requirements. We process and use your data only for purposes for which we have been authorised and only as long as they are needed for those purposes.
(2) If the data we hold about you are no longer needed for the purpose for which they were collected or for compliance with a legal obligation, they are usually deleted, unless further processing is necessary – for a limited time and, if applicable, subject to certain restrictions – for the following purposes:
- To comply with record retention requirements under commercial and tax law:Such requirements are stipulated, for example, in the German Commercial Code (HGB) and the German Tax Code (AO).These laws provide for documentation and record retention periods of up to 10 years.
- To preserve evidence within the statutes of limitation:Pursuant to Secs. 195 et seq. of the German Civil Code [Bürgerliches Gesetzbuch – BGB], the general limitation period is three years, however, in certain circumstances, limitation periods of up to 30 years may apply.
8. Data protection in relation to job applications and during the application process
The Controller collects and processes Personal Data of job applicants for the purpose of processing a job application. Such data may be processed electronically, in particular if an applicant submitted an application to the Controller by electronic means, e.g. by email. If the Controller enters into an employment contract with an applicant, the data provided by the applicant will be stored in compliance with applicable laws and regulations for the purpose of the employment relationship. If the Controller does not enter into an employment contract with an applicant, all documents submitted by the applicant in support of his or her application will be automatically deleted six months after the decision to refuse the application.
9. Data Subject Rights
(1) Every Data Subject has the right of access according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure (“right to be forgotten”) according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to object according to Article 21 GDPR and the right to data portability according to Article 20 GDPR. The right of access and the right to erasure are subject to the restrictions of Secs. 34 and 35 of the German Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG]. In addition, Data Subjects have the right to lodge a complaint with a data protection supervisory authority of competent jurisdiction (Article 77 GDPR in conjunction with Sec. 19 BDSG).
(2) Data Subjects may withdraw consent to the processing of their Personal Data at any time by notice to us with effect for any further processing. This also applies to consent Data Subjects may have given to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018.
(3) You have the right to object, on grounds relating to your particular situation, at any time to processing of Personal Data concerning you which is based on Article 6(1e) GDPR (processing for the performance of a task carried out in the public interest) or Article 6(1f) GDPR (processing for the purposes of the legitimate interests pursued by the Controller or by a third party); this also applies to profiling based on those provisions within the meaning of Article 4(4) GDPR.
In some cases, we process Personal Data about you for direct marketing purposes. You have the right to object at any time to the processing of Personal Data about you for such marketing; this also applies to profiling related to direct marketing purposes.
If you object to processing for direct marketing purposes, we will stop processing your Personal Data for this purpose.
If you object, we will no longer process your Personal Data, unless we can demonstrate a compelling legitimate interest in such processing which overrides your interests or fundamental rights and freedoms, or if the processing is necessary for the establishment, exercise or defence of legal claims.
Your objection may be made informally and should be directed, if possible, to the following address:
RFR Management GmbH
60325 Frankfurt am Main
10. Obligation to provide Personal Data and possible consequences of non-provision
To be able to use our offerings, you have to provide the Personal Data required for the purpose concerned or which we are legally obliged to collect. Without these data, we will generally not be able to provide the service you have asked for.
11. Existence of automated decision-making
Being a responsible company, we refrain from using automatic decision-making or profiling within the meaning of Article 22 GDPR.
12. Social Media
To advertise our products and services as well as to communicate with interested parties or customers, we have a presence on the Instagram platform.
On this social media platform, we are jointly responsible with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
The data protection officer of Instagram can be reached via this contact form:
We have defined the joint responsibility in an agreement regarding the respective obligations within the meaning of the GDPR. This agreement, which sets out the reciprocal obligations, is available via following link:
The legal basis for the processing of the resulting and subsequently disclosed personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the analysis, communication, sales, and promotion of our products and services.
The legal basis may also be your consent per Art. 6 para. 1 lit. a GDPR granted to the platform operator. Per Art. 7 para. 3 GDPR, you may revoke this consent with the platform operator at any time with future effect.
According the agreement on joint controllership with Facebook, Facebook ensures the rights of the data subjects according Art. 15-20 GDPR, can be exercised with regard to the personal data stored by Facebook in accordance with the joint processing.
When accessing our online presence on the Instagram platform, Facebook Ireland Ltd. as the operator of the platform in the EU will process your data (e.g. personal information, IP address, etc.).
The user data serves statistical information about the usage of our company presence on Instagram. Facebook Ireland Ltd. uses this data for market research and advertising purposes as well as for the creation of user profiles. Based on these profiles, Facebook Ireland Ltd. can provide advertising both within and outside of Instagram based on your interests. If you are logged into Instagram at the time you access our site, Facebook Ireland Ltd. will also link this data to your user account.
If you contact us via Instagram, the personal data you provide at that time will be used to process the request. We will delete this data once we have completely responded to your query, unless there are legal obligations to retain the data, such as for subsequent fulfillment of contracts.
Facebook Ireland Ltd. might also set cookies when processing your data.
If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Cookies that have already been saved can be deleted at any time. The instructions to do this depend on the browser and system being used. For Flash cookies, the processing cannot be prevented by the settings in your browser, but instead by making the appropriate settings in your Flash player. If you prevent or restrict the installation of cookies, not all of the functions of Instagram may be fully available.
It cannot be excluded that the processing by Facebook Ireland Ltd. will also take place in the United States by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025.
Facebook Inc. uses the EU standard contractual clauses approved by the European Commission and relies on the adequacy decisions issued by the European Commission with regard to certain countries for data transfers from the EEA to the USA and other countries.
13. Updates or amendments to this Privacy Notice
We continuously develop and improve our services. Therefore, we may add new features to this website from time to time. If this has consequences for how your Personal Data are processed, we will inform you in this Privacy Notice in due time.