Privacy Policy

Contents

1 General information
1.1 Objectives and responsibilities
1.2 Legal bases
1.3 Rights of data subjects
1.4 Data deletion and storage duration
1.5 Security of processing
1.6 Transmission of data to third parties, subcontractors and third-party providers

2 Processing in the context of our Online Services
2.1 Collection of information on the use of the Online Services
2.2 Contact form and contact via email
2.3 Links to other websites
2.4 Google Analytics
2.5 Cloudflare
2.6 Consent management
2.7 Google Tag Manager
2.8 Google Web Fonts
2.9 Google reCAPTCHA
2.10 Vimeo

3 Processing for the purpose of executing our business processes
3.1 Direct marketing
3.2 Advertising to existing customers
3.3 Responding to enquiries about projects

4 Cookie policy
4.1 General information
4.2 Overview of cookies
4.3 Options to object

5 Amendments to the Privacy Policy


1 General information

1.1 Objectives and responsibilities

  1. This Privacy Policy notifies you about the type, extent and purpose of processing activities concerning personal data related to our online services and the associated web pages, functions and content (hereinafter referred to collectively as “Online Services” or “Website”). Details about these processing activities can be found in section 2.
  2. Details about data processing activities undertaken for the purpose of carrying out our business processes are described in section 3.
  3. The provider of the Online Services and the controller under data protection law is UBM Development Deutschland GmbH (Bachforellenweg 4, 60327 Frankfurt am Main, Germany), hereinafter referred to as “Provider”, “we” or “us”.
  4. Our Online Services are made available by PORR AG (Absberggasse 47, 1100 Vienna, Austria).
  5. Our data protection officer is: Sven Meyzis – IT.DS Beratung (Phone: 0049 40-21091514 / email: s.meyzis@itdsb.de).
  6. The term “User” covers all users of and visitors to the Online Services.

1.2 Legal bases

We collect and process personal data in accordance with the following legal bases:
a. Consent pursuant to Article 6 (1) (a) General Data Protection Regulation (GDPR). “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by other clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
b. Necessity for the performance of a contract or in order to take preparatory steps pursuant to Article 6 (1) (b) GDPR, i.e. the data is necessary in order for us to be able to fulfil the contractual obligations towards you or we require the data in order to prepare to enter into a contract with you.
c. Processing in order to comply with a legal obligation pursuant to Article 6 (1) (c) GDPR, i.e. processing of the data is prescribed e.g. by law or other stipulations.
d. Processing in order to preserve legitimate interests pursuant to Article 6 (1) (f) GDPR, i.e. the processing is necessary to preserve our legitimate interests or those of third parties, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

1.3 Rights of data subjects

Your rights in respect of data processing by us are as follows:
a. The right to lodge a complaint with a supervisory authority pursuant to Article 13 (2) (d) GDPR and Article 14 (2) (e) GDPR
b. Right of access pursuant to Article 15 GDPR
c. Right to rectification pursuant to Article 16 GDPR
d. Right to erasure (“right to be forgotten”) pursuant to Article 17 GDPR
e. Right to restriction of processing pursuant to Article 18 GDPR
f. Right to data portability pursuant to Article 20 GDPR
g. Right to object pursuant to Article 21 GDPR
Note: Users may object to the processing of their personal data at any time with future effect in accordance with the statutory provisions. They may object in particular to processing for purposes of direct advertising.

Without prejudice to any other administrative or judicial remedy, you have a right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or of the alleged infringement, if you are of the opinion that the processing of the data concerning you is in breach of the GDPR.

1.4 Data deletion and storage duration

  1. The data subjects’ personal data will be erased or made unavailable as soon as the purpose of storage ceases to apply. Data may additionally be stored if this is provided for by European or national legislators under EU regulations, legal acts or other stipulations to which the controller is subject. The data will also be made unavailable or erased if a storage period prescribed by the specified regulations expires, unless continued storage of the data is required in order to enter into or carry out a contract.
  2. To the necessary extent, we will process your personal data for the duration of our business relationship, which for instance also extends to the initiation and execution of a contract. Additionally, we are subject to various retention and documentation obligations arising under the German Commercial Code (Handelsgesetzbuch, HGB) and the German Fiscal Code (Abgabenordnung, AO). The retention and/or documentation periods stipulated therein are six years for correspondence related to the conclusion of a contract and ten years for accounting records (sections 238, 257 (1) and (4) HGB, section 147 (1) and (3) AO). Such retention and documentation obligations apply in particular in cases where you enter into a contract with us. Ultimately, the storage duration is also determined by the statutory limitation periods, which are generally three years for instance under sections 195 et seq. German Civil Code (Bürgerliches Gesetzbuch, BGB), but in certain cases may also be up to thirty years. We will delete the data on expiry of the retention and documentation obligations as well as the applicable limitation periods. Log files and cookies will be deleted within the periods specified below.

1.5 Security of processing

  1. We have implemented technical and organisational security measures (TOMs) that are adequate and comply with the state of the art. As a result, the data processed by us is protected from accidental or intentional manipulation, loss, destruction and unauthorised access.
  2. The security measures include in particular the encrypted transfer of data between your browser and our server.

1.6 Transmission of data to third parties, subcontractors and third-party providers

  1. Personal data will only be transmitted to third parties within the framework of the statutory provisions. We will only pass Users’ data to third parties if this is necessary for e.g. invoicing purposes or for other purposes if the transmission is necessary to satisfy contractual obligations vis-à-vis the Users.
  2. Where we deploy subcontractors for our Online Services, we have put in place suitable contractual precautions as well as corresponding technical and organisational measures vis-à-vis these companies.
  3. Where we use content, tools or sundry resources of other companies (hereinafter referred to collectively as “Third-Party Providers”) and their specified headquarters are located in a third country, it can be assumed that data will be transferred to the countries of the Third-Party Providers’ headquarters. We will only transmit personal data to third countries if an appropriate level of data protection is in place, the Users have consented or another form of statutory authorisation applies.

2 Processing in the context of our Online Services

2.1 Collection of information on the use of the Online Services

  1. When using the Online Services, information is automatically transmitted from the User’s browser to us; this includes name of the webpage accessed, file, date and time of the access, data volume transferred, report of successful access, browser type including version, User’s operating system, referrer URL (the previous page visited), IP address and the requesting provider.
  2. This information is processed on the basis of legitimate interests pursuant to Article 6 (1) (f) GDPR (e.g. optimisation of the Online Services) as well as to guarantee the security of the processing pursuant to Article 5 (1) (f) GDPR (e.g. to avert and investigate cyber-attacks).
  3. The information will be deleted automatically 30 days after the connection – i.e. use of the Online Services – is ended, unless this is precluded by other retention periods.
  4. The collection of the data and storage thereof in log files is essential for the provision of the Online Services. For that reason, the User has no option of deletion, objection or rectification.

2.2 Contact form and contact via email

  1. If you contact us, your data (name and contact details, if provided by you) and your message will be used exclusively for the purpose of processing and handling your enquiry. We will process this data on the basis of Art. 6 (1) (a) GDPR (consent) in order to deal with your enquiry.
  2. The data will only be used for other purposes subject to the User’s consent.

2.3 Links to other websites

  1. When using some of our services, you may be automatically forwarded to other websites; this occurs for example via references in blog articles.
  2. Please note that this Privacy Policy does not apply there. The privacy policy of the website to which the link refers may vary significantly from this one.

2.4 Google Analytics

  1. We deploy Google Analytics, a web analytics service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) – hereinafter referred to as “Google”, on the basis of your consent for the purpose of analysing, optimising and economically operating our Online Services pursuant to Art. 6 (1) (a) GDPR. Google uses cookies and other technologies. Information about the Users’ usage of the Online Services generated by the service will be transferred to a server of Google in the USA and processed there.
  2. Google acts for us as a processor pursuant to Article 28 GDPR. We have entered into a data protection agreement with Google that contains the EU standard data protection clauses.
  3. Additionally, we have entered into a joint controller agreement pursuant to Article 26 GDPR with Google for the use of Google’s measurement services (cf. https://support.google.com/analytics/answer/9012600?hl=en). In this context, we have agreed with Google to bear responsibility for complying with the information obligations and for guaranteeing the rights of data subjects pursuant to chapter 3 GDPR as well as for the security of the processing and the reporting/notification obligations (Articles 32 to 34 GDPR). Google uses this information to analyse Users’ usage of our Online Services, to compile reports on activity within these Online Services, and to provide further services connected to the use of these Online Services and the Internet for our benefit. In the course of this, pseudonymised user profiles of the Users may be created using the processed data.
  4. We use Google Analytics to ensure that the advertisements placed within the advertising services of Google and its partners are only shown to those Users who have also demonstrated an interest in our Online Services or who demonstrate certain characteristics (e.g. interest in certain topics or products that can be determined via the websites visited), which we transmit to Google (known as “Remarketing Audiences”, or “Google Analytics Audiences”). We also seek to use the Remarketing Audiences to ensure that our advertisements are in line with the Users’ potential interests and do not appear bothersome.
  5. We deploy Google Analytics with activated IP anonymisation.
  6. Google Analytics stores cookies in your web browser for a period of two years from your last visit. These cookies contain a randomly generated user ID that enables you to be identified again on future visits to the Website. Users can prevent cookies from being stored by making a corresponding setting in their browser software. Users can further prevent the information generated by the cookie about their use of the Online Services from being transmitted to and processed by Google by downloading and installing the browser plug-in available from the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
  7. The recorded data is stored along with the randomly generated user ID, enabling the analysis of pseudonymised user profiles. This user-related data is automatically deleted after 26 months. Other data is stored for an indefinite period in an aggregated form.
  8. For further information on the use of data by Google as well as options concerning settings and revocation, refer to Google’s websites:

2.5 Cloudflare

  1. Our Website deploys services by “Cloudflare” (provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Cloudflare operates a content delivery network (CDN) and provides protective functions for the Website (web application firewall).
  2. Data transfer between your browser and our servers flows through the Cloudflare infrastructure and is analysed there in order to avert attacks. Cloudflare uses cookies to enable you to access our Website.
  3. Cloudflare is used in the interest of ensuring safe usage of our Website and to avert harmful external attacks. This constitutes a legitimate interest as defined under Art. 6 (1) (f) GDPR.
  4. For further information, refer to the Cloudflare privacy policy: https://www.cloudflare.com/en-gb/privacypolicy/

2.6 Consent management

  1. Our Website uses the cookie consent technology provided by “Osano” to obtain your consent to certain cookies being saved in your browser and to document this in a manner compliant with data protection legislation. The provider of this technology is Osano, Inc. (3800 North Lamar Blvd, Suite 200, Austin, TX 78756, USA – hereinafter referred to as Osano).
  2. When you access our Website, a cookie (cookieconsent_status) required for technical purposes is stored in your browser. This cookie stores the consents you have issued or your revocation of these consents. This data is not passed to the provider of the Osano cookie. The Osano cookie does not process any personal data whatsoever.
  3. The captured data is stored until you ask us to delete it, you delete the Osano cookie yourself or the purpose of the data storage lapses. This is without prejudice to binding statutory retention periods.
  4. Details on the data processed by Osano can be found at
    https://www.osano.com/legal/privacy
    https://www.osano.com/articles/cookie-laws
  5. Osano’s cookie consent technology is used to obtain the prescribed statutory consent for the use of cookies. The legal foundation for this is Art. 6 (1) (1) (c) GDPR.

2.7 Google Tag Manager

  1. This Website uses Google Tag Manager, a service that enables website tags to be managed via an interface. Google Tag Manager merely implements tags, meaning that no cookies are deployed and no personal data is collected. Although Google Tag Manager initiates other tags that in turn may collect data, Google Tag Manager does not access this data.
  2. Any deactivation performed at domain or cookie level will remain in force for all tracking tags, provided that these are implemented with Google Tag Manager.

2.8 Google Web Fonts

  1. We use “Google Web Fonts” by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as “Google”) on this Website for the display of fonts in order to present our content correctly and in a visually appealing way on a range of browsers.
  2. The privacy policy of Google as library operator can be found here: https://policies.google.com/privacy?hl=en-GB
  3. Google Fonts are installed locally on our server. No connection to Google servers is made.

2.9 Google reCAPTCHA

  1. We use Google’s reCAPTCHA service to protect our Website from spam and abuse. The service prevents automated software (known as bots) from carrying out abusive activities on our websites. In other words, it checks to make sure that any input made actually emanates from a person. Google collects the following data:
    • Referrer (address of the page on which the CAPTCHA is used)
    • User’s IP address
    • Google account (recognised and assigned if the user is logged on to Google)
    • The user’s input behaviour (e.g. speed of input into the form fields, sequence of selection of the input fields by the user) is used to improve pattern recognition at Google.
    • Browser, browser size and resolution, browser plugins, date, language setting
    • Website’s display instructions (CSS) and scripts (JavaScript)
    • Mouse or touch events within the page
  2. Google also reads cookies from other Google services such as Gmail, Search and Analytics. All specified data is sent to Google in an encrypted form. No personal data is read or stored from the input fields of the respective form.

2.10 Vimeo

  1. We use the provider Vimeo for the integration of videos. Vimeo is operated by Vimeo, LLC (headquarters: 555 West 18th Street, New York, New York 10011; USA).
  2. We use plugins by the provider Vimeo on some of our websites. When you access the web pages on our Website that feature such a plugin, a connection is made to the Vimeo servers and the plugin is displayed. During this process, the Vimeo server is notified about which of our web pages you have visited. If you are logged on as a member of Vimeo, Vimeo will allocate this information to your personal user account. When using this plugin, such as by clicking the start button on a video, this information will similarly be allocated to your user account. You can prevent this allocation from being made by logging out of your Vimeo user account before using our Website and deleting the corresponding Vimeo cookies.
  3. For further information about data processing and tips on data protection, refer to https://vimeo.com/privacy.

3 Processing for the purpose of executing our business processes

3.1 Direct marketing

  1. If you have provided your consent to us, we will regularly notify you by email about new products and services as well as construction projects. We use your name and your email address for this purpose. The legal basis for data processing is Art. 6 (1) (1) (a) GDPR. You can revoke your consent at any time with future effect, e.g. via the link at the end of each email.
  2. Our newsletter will only be sent via email with your prior, express consent in accordance with the double opt-in principle: on registering for the newsletter on our Website, you will receive an email in which you are asked to confirm your newsletter registration. This ensures that no third party has been fraudulently using your data.
  3. During the registration for the newsletter, we further obtain your consent for newsletter tracking for the purpose of personalised advertising and market research performed by us. Using what are known as tracking pixels or web beacons and links, each of which is linked to an individual ID, we collect the following personal tracking information in conjunction with the use of our newsletters:
    • Opening the newsletter, clicking the links contained therein, sending a form on our Website after clicking a link contained in the newsletter (as well as the time when these actions were performed)
    • Type of end device used if you click on images or links in the newsletter
    • Behaviour on our Website if you access this via a link in our newsletter (as well as the time when these actions were performed)
    • The place where access was made if you click on images or links in the newsletter (by matching your IP address, although we do not store this)
    We save this data in your user profile, which is matched to the data entered when you register for the newsletter. We use this data to analyse and optimise our email marketing as well as for purposes of personalised advertising and market research. This enables us to provide you with personal information on products, services and offers that are of particular interest to you via our newsletter. You can revoke your consent to this data processing at any time with future effect by unsubscribing from the newsletter. It is not (currently) technically possible to deactivate newsletter tracking in isolation. We delete the tracking data when you unsubscribe from our newsletter. This has no bearing on data stored by us for the other purposes.
  4. We use MailChimp, a service of the provider Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (“MailChimp”) to send and analyse the emails. When sending and analysing the emails, data is processed on MailChimp’s servers in the USA. MailChimp acts as a processor for us within the meaning of Art. 4 (8) GDPR.
    If you unsubscribe from our newsletter, your data (including the tracking data) is also deleted on MailChimp’s servers.
    For further information, refer to MailChimp’s Privacy Policy (https://mailchimp.com/legal/privacy/).

3.2 Advertising to existing customers

  1. If you have bought services from us in the past, we may notify you about similar services (especially new construction projects) by email or letter, provided you have not objected to this.
  2. The legal basis for data processing is Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in direct advertising (recital 47 GDPR). You may object to your email address and postal address being used for advertising purposes at any time at no extra cost with future effect.

3.3 Responding to enquiries about projects

In the event of enquiries about developers’ projects, we shall pass the data communicated in your enquiry to the developer or broker of the project in question, provided this is necessary or expedient in order for your enquiry to be answered and/or contractual or precontractual measures to be performed.

4 Cookie policy

4.1 General information

  1. Cookies comprise information that is transferred from our web server or third-party web servers to the Users’ web browser and stored there to be retrieved subsequently. Cookies may constitute small files or other types of information storage.
  2. If Users do not wish cookies to be saved on their computer, they are requested to deactivate the corresponding option in their browser’s system settings. Stored cookies may be deleted in the browser’s system settings. The exclusion of cookies may result in the functionality of this online service being limited.

4.2 Overview of cookies

Name | Provider | Purpose | Duration
_ga | Google | Registers a unique ID used to generate statistical data on how the visitor uses the website. | 2 years
_gat | Google | Used by Google Analytics to throttle the request rate. | Browser session
_gid | Google | Registers a unique ID used to generate statistical data on how the visitor uses the website. | 1 day
cookieconsent_status | Cookie Consent by osano | Consent management | 1 year

4.3 Options to object

You can object to the use of cookies that are used to measure reach and for advertising purposes via:
a. the deactivation page of the Network Advertising Initiative: http://optout.networkadvertising.org/
b. the US website http://www.aboutads.info/choices
c. the European website http://www.youronlinechoices.com/uk/your-ad-choices/

5 Amendments to the Privacy Policy

  1. We reserve the right to modify this Privacy Policy in respect of data processing in order to adapt it to changes in legal circumstances, changes to the Online Services or to the data processing.
  2. If the Users’ consent is required or components of the Privacy Policy contain provisions of the contractual relationship with the Users, the amendments shall only be made with the Users’ consent.
  3. The Users are requested to regularly update themselves regarding the content of this Privacy Policy.

Last revised: May 2021