Disclaimer:
For clarification and better understanding, an English translation of this privacy policy has been provided below. However, it is important to note that this translation is for informational purposes only and is not legally binding. In case of discrepancies or conflicts between the English and German versions of this privacy policy, the German version shall prevail and is considered the legally binding and final version.
Data protection declaration under the GDPR
The protection of your personal data is very important to us. This Privacy Policy describes how McMakler GmbH and the McMakler Group companies (hereafter McMakler) process your personal information on this website and through our online services. In addition, you will receive data protection information (Articles 13 and 14 GDPR) in advance of processing operations and contractual relationships in a simple, precise, transparent, understandable and easily accessible form (Art. 12 (1) GDPR). In order to protect your personal data, McMakler has concluded appropriate agreements with the contracted service providers and cooperation partners (especially Art. 26 and 28 GDPR) and has taken technical and organizational measures to ensure the protection of your personal data. This site uses state-of-the-art SSL or TLS encryption for security purposes and to protect the transmission of confidential content that you send to us as the operator of the website via online forms. Our employees are regularly trained in the handling of personal data and are obliged to maintain the confidentiality of personal data (Article 5 (1) (f), Art. 32 (4) GDPR). You can also set privacy-related preferences using your web browser settings, for example through the Do-Not-Track feature, security updates, or blocking cookies/third-party cookies. Additional settings can be made through browser extensions and/or are described separately in this privacy policy. We point out that complete protection of data transfers on the Internet is not possible and that the protection of your data can depend strongly on individual surfing behavior. Never share your information with third parties who may misuse it.
In the event of changes to this privacy policy, we will post the amended policy and the effective date of the amended policy on this website. We therefore recommend that you check our website regularly. Changes that affect your consent will only be made with your renewed consent.
1. Scope and Definitions
The protection of your personal data is of particular concern to us. This privacy policy describes how the McMakler Group processes your personal data on this website and with the help of our online services, as part of the provision of our services and in the case of applications. In addition, you will receive data protection information in accordance with Art. 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") in advance of the processing operations and contractual relationships in a simple, precise, transparent, comprehensible and easily accessible form (Art. 12 para. 1 GDPR). In order to protect your personal data, McMakler has concluded appropriate agreements with the commissioned service providers and cooperation partners (in particular in accordance with Art. 28 GDPR) and has taken technical and organizational measures to ensure the protection of your personal data.
In this privacy policy, we refer to the respective responsible company or the responsible companies from the McMakler Group as "McMakler", "we" or "us". We will explain who this is in each individual case below under the name and address of the controller.
For your better understanding, you will find here a brief explanation of the terms used within the meaning of Art. 4 para. 1 GDPR.
1.1. Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. Processing
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3. Restriction of processing
"Restriction of processing" means the marking of stored personal data with the aim of restricting its future processing.
1.4. Profiling
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
1.5. Pseudonymization
"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
1.6. Controller
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
1.7. Processor
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.8. Recipient
"Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
1.9. Third party
"Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
1.10. Consent
"Consent" of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
2. Controller’s name and address
2.1 Responsible for data processing in connection with
• the use of the www.mcmakler.de website, including its subpages (the "Website"), and
• the sale of real estate, including the preparation of offers and marketing and other classic brokerage services
is the
McMakler GmbH
Am Postbahnhof 17
10243 Berlin - Germany
Tel.: 0800 500 80 02
E-mail: [email protected]
The respective McMakler company to which you apply is responsible for data processing in connection with your application for employment. If the application is made via the website and no specific McMakler company is specified therein, McMakler GmbH is also responsible.
2.2 Responsible for data processing in connection with the provision of financing services, including financing brokerage, credit assessment and valuation of the properties concerned, is
McMakler Finanz GmbH
Am Postbahnhof 17
10243 Berlin - Germany
Tel.: 0800 500 80 02
E-mail: [email protected]
2.3 Responsible for data processing in connection with the production and sale of energy performance certificates, energy consulting and the creation of an individual refurbishment roadmap is
McMakler Energie GmbH
Am Postbahnhof 17
10243 Berlin - Germany
Tel.: 0800 500 80 02
E-mail: [email protected]
3. Data protection officer’s name and address
You can contact McMakler's data protection officer as follows:
DS Compliance GmbH
Carlsplatz 24
40213 Düsseldorf
E-mail: [email protected]
4. Data collection when you visit our website
If you only use our website for informational purposes, i.e. if you do not register or otherwise actively transmit information to us, we only collect the data that your browser transmits to our server (so-called "server log files"). When you visit our website, we collect the following data:
a. IP address of the requesting computer,
b. Date and time of access,
c. Name and URL of the retrieved file,
d. Website from which access is made (referrer URL),
e. the browser used and, if applicable, the operating system of your computer and the name of your access provider
This processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in being able to display and provide you with the website, as well as to ensure and improve the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to use the server log files retrospectively if there are concrete indications of unlawful use.
Supplementary note: For security reasons and to protect the transmission of confidential content that you send to us as the website operator via online forms, the website uses state-of-the-art SSL or TLS encryption. Our employees are regularly trained in the handling of personal data and are obliged to maintain the confidentiality of personal data (Art. 5 para. 1 lit. f, Art. 32 para. 4 GDPR). However, we would like to point out that complete protection of transmissions on the Internet is not possible and the protection of your data can depend heavily on individual surfing behavior. Therefore, never pass on your data to third parties who may misuse it. In the event of changes to this data protection declaration, we will publish the amended declaration and the effective date of the amended declaration on this website. We therefore recommend that you check our website regularly. We will only make changes that affect consent you have given by obtaining your consent again.
4.2 Cookies and tracking
4.2.1 Basics and cookie types
In order to make visiting our website attractive and to enable the use of certain functions, we use various tracking tools on different pages, in particular so-called cookies. These are small text files that are stored on your end device. Some of the cookies we use are deleted after the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and enable us or our partner companies to recognize your browser on your next visit (persistent cookies). Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. If cookies are set, they collect and process certain user information such as browser and location data and IP address values to an individual extent.
With regard to their function, a distinction is made between "technically necessary cookies", "functional cookies" and "marketing cookies" for tracking measures and in particular cookies (hereinafter collectively referred to as "cookies"). You can find more information on this distinction in our cookie consent manager, which is displayed when you first visit our website and can be accessed at any time via the link "Cookie settings" in the footer of the website. When you visit our website, data may be collected and processed either by our own cookies or by cookies from third-party providers. This processing is carried out for the purpose of operating and optimizing our website, for marketing purposes and for the purposes of providing and performing our brokerage services. Our online forms and marketing tools are also integrated into partner websites via which you can access our website and/or make use of our services.
4.2.2 Legal basis for the use of tracking measures
The respective legal basis for the use of tracking measures and in particular cookies is displayed in our cookie consent manager. In principle and subject to deviations in individual cases, the legal basis for all technically necessary cookies is our legitimate interest in operating a functional website and making it available to you as requested by your visit, in accordance with Art. 6 para. 1 lit. f GDPR (as well as § 25 para. 2 no. 2 TDDDG).
Any further use of cookies that is not absolutely technically necessary constitutes data processing that we only carry out with your express and active consent in accordance with Art. 6 para. 1 lit. a GDPR (or § 25 para. 1 TDDDG). This applies in particular to the use of functional cookies and marketing cookies.
We may work with partner companies that help us to make our website more interesting for you. For this purpose, cookies from these partner companies are also stored on your device when you visit our website. If we work with the aforementioned partner companies, we will inform you about the use of such third-party cookies and the scope of the information collected in each case as well as the specific recipients for each cookie in each individual case using our cookie consent manager.
Many of these services are active on partner and/or other third-party sites, so there is a high probability that your device/browser already recognizes these services and executes the corresponding cookies.
4.3 Special website features
4.3.1 Customer portal
If you wish to access your desired properties and further information via our customer portal, you must register by entering your e-mail address and a password of your choice. Providing the above-mentioned data is mandatory; you can provide all other information voluntarily by using our portal. You can manage and change all details (except the e-mail address used for registration) in the protected customer area.
The legal basis is the necessity of such data processing for the provision of the user account and thus for the fulfillment of these contractual measures, which is carried out at your request, Art. 6 para. 1 sentence 1 lit. b GDPR.
4.3.2 Newsletter
If you are registered via our customer portal, we will inform you by e-mail about current developments in the real estate sector and provide you with personalized information in the context of your previous inquiries. We collect, store and process the following "newsletter data" for this purpose:
• the page from which the page was requested (so-called referrer URL)
• the date and time of the call
• the description of the type of web browser used
• the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established
• the e-mail address
• the date and time of registration and confirmation
We would like to point out that we evaluate your user behavior when sending the newsletter. For this analysis, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID. The data is collected exclusively in pseudonymized form, i.e. the IDs are not linked to your other personal data, and direct personal identification is excluded.
As you are a registered user of our customer portal, we have a legitimate interest (Art. 6 para. 1 lit. f GDPR) in informing you about similar services (see also Section 7 para. 3 UWG). If you no longer wish to receive these emails, please send us a declaration of objection to [email protected]. You can also unsubscribe from these emails at any time by following the unsubscribe link in the respective email.
4.3.3 Chatbot
To answer your questions about a property marketed by us quickly and easily, we offer you a chatbot as our virtual advisor via our customer portal.
For this purpose, we use the service of OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland. If you use the chatbot, data such as the chat content itself will be processed and transmitted to the service provider OpenAI. We carry out the associated data processing and the further development of this service on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR.
In order to enable the chatbot to be delivered to you and to optimize and continuously improve our chatbot, data that may allow identification is automatically stored in a log file when the chatbot is used. The complete conversation history that you have had with the chatbot is stored for a maximum period of 180 days. The recorded chat histories are used exclusively for the continuous improvement of the chatbot. To object to the collection and storage of clearly personal data that you have inadvertently or deliberately entered in the chat history or to delete it, you must contact us. When contacting us, please inform us of the personal data you have entered so that we can subsequently delete it. Since the chatbot processes user input automatically and does not request any personal data, only you can know whether and which personal data has been collected and provide this as a feature for the investigation when contacting us. In principle, personal data, such as your name, is not required to use the chatbot and should therefore not be entered into the chatbot.
Data is sometimes transferred to third countries as part of its use. For this purpose, we have concluded an order processing agreement with OpenAI, which includes internal group agreements and appropriate transfer mechanisms. More information about how OpenAI processes personal data can be found here https://openai.com/policies/privacy-policy.
4.4 Provision of our services
4.4.1 Basic processing
For the provision of our real estate brokerage services (including the initial listing of properties, the preparation of exposés, the organization of viewings, the establishment of contact between potential contractual partners, etc.), we process personal data relating to the property, the owners and the potential interested parties, including
• General contact details of owners and interested parties
• Data on personal financial circumstances/creditworthiness of owners and interested parties
• Property-related data (in particular areas, prices, condition data, energy data)
• Other voluntary information provided by you (e.g. in free text fields)
If relevant, the respective McMakler Group company processes the corresponding data to the same extent when you use the associated online forms on the website.
The legal basis for this processing with regard to the processing of data of our contractual partners and in the context of contract initiation with interested parties at their request (buyer or seller) is Art. 6 para. 1 lit. b GDPR insofar as the processing is necessary for the specific contract. Insofar as personal data is otherwise processed in the context of our offers, which are not necessary for the specific fulfillment of the contract, but only beneficial, this is done on the basis of our legitimate interests in providing the most effective brokerage services possible, Art. 6 para. 1 lit. f GDPR.
We also process the personal data collected in connection with your registration in order to fulfill our legal obligations, in particular under tax and commercial law as well as ancillary criminal law and the regulations for the protection of public safety and order. The legal basis for this is Art. 6 para. 1 lit. c GDPR.
We store your data for as long as this is necessary for the specific contract (in particular the purchase or sale of the property). Your data will be regularly deleted as soon as the property is sold elsewhere (unless you have consented to further use, e.g. for offers of similar properties). For evidence purposes, we must also retain contractual data for three years from the end of the year in which the business relationship with you ends. Any claims expire at the earliest at this time in accordance with the statutory limitation period. Even after this time, we still have to store some of your data for accounting and tax law reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. The periods specified there for the retention of documents are two to ten years.
4.4.2 Arrangement of viewing appointments with tenants
When property owners commission us to broker a property to prospective buyers, it is essential for McMakler - if the property is rented - to contact the tenants in order to arrange and conduct viewings. For this purpose, the owner provides us with the telephone number, name and address of tenants. We use this data exclusively to contact tenants for the purpose of arranging and carrying out viewings. In particular, we do not process this data for advertising purposes and do not pass it on to third parties without the express consent of the respective tenant.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR with regard to owner data and Art. 6 para. 1 lit. f GDPR with regard to tenant data: The processing is absolutely necessary vis-à-vis the owners for the fulfillment of our contract. At the same time, contacting the tenants is in our legitimate interest in being able to effectively provide broker services, which require a viewing by the broker and/or prospective buyer.
We store your data for the duration of the arrangement of viewing appointments and delete it at the latest when the property is sold or, if it is not sold, when the brokerage contract is terminated.
4.4.3 Real estate financing
In order to provide our real estate financing services (including credit checks and the preparation and brokering of financing offers), we process personal data relating to prospective financing customers, including
• Identity and contact details
• Information and documents on personal financial circumstances/creditworthiness
• Details of the financing object
• Information and documents on financing and processing.
If relevant, the respective McMakler Group company processes the corresponding data to the same extent when you use the associated online forms on the website.
As soon as you request our financing services, and during the provision of any financing services by us, the legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as the processing is necessary for the specific contract.
We store your data for the duration of the financing services. For evidence purposes, we must retain contractual data for three years from the end of the year in which the business relationship with you ends. Any claims expire at the earliest at this time in accordance with the statutory limitation period. Even after this time, we still have to store some of your data for accounting and tax law reasons. We are obliged to do so due to statutory documentation obligations, which arise from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. The periods specified there for the retention of documents are two to ten years.
4.4.4 Energy certificate and energy consulting
In order to provide our services in the field of energy analysis and energy consulting, we process personal data relating to the property and the owners, including:
• Identity and contact details
• Property-related data (in particular areas, condition data, energy data)
As soon as you request our energy analysis or energy consulting, and during the provision of any services in the energy sector by us, the legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as the processing is necessary for the specific contract.
We store your data for the duration of the service in the energy sector. For evidence purposes, we must store contract data for up to 10 years from the end of the year in which the business relationship with you ends. We are obliged to do this due to statutory documentation obligations that may arise from the German Building Energy Act and the guidelines for federal funding for energy consulting for residential buildings. We must also store your data for accounting and tax law reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code and the German Fiscal Code. The periods specified there for the retention of documents are two to ten years.
4.4.5 Optimization and further development of McMakler services
We are always working to continuously improve and develop our services. We therefore process personal data of our customers (names, contact details, information on real estate brokerage orders such as properties owned and equity) and our business partners (names, contact details) in order to work internally on the development or introduction of new systems and processes that enable McMakler to optimize the provision of services.
The legal basis for this processing is Art. 6 para. 1 lit. f GDPR. The legitimate interests lie in constantly developing our processes for consulting services and continuously optimizing consulting for our customers and cooperation with our business partners.
We store your data for the duration of the respective process or optimization measure and delete it as soon as the purpose pursued with the data processing has been achieved. McMakler may also process your personal data further if this is necessary for other purposes set out in this privacy policy (e.g. for the execution of real estate brokerage orders).
5. Duration of data processing
Personal data in connection with one of the aforementioned specific purposes will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.
• This is broken down for the respective cookies as part of the information in our consent manager;
• for the data collected during the registration process for the user portal, the purpose is achieved when the registration is canceled or the data is changed by you;
• The same applies if you unsubscribe from our newsletter;
• for the other data transmitted by you to us, which we process to fulfill a contract or to carry out pre-contractual measures, this is the case if the data is no longer required for the execution of the contract (in particular, if the requested service has been provided or you inform us that you are no longer interested in ongoing services);
• For evidentiary purposes, we must regularly retain contract data for three years from the end of the year in which the business relationship with you ends. Any claims become time-barred at the earliest at this time in accordance with the statutory limitation period;
• Even after this, we still have to store some of your data for accounting and tax law reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. The periods specified there for the retention of documents are two to ten years.
6. Processing of applicant data
If you apply to us via our website or otherwise, we will only use the applicant data you provide to process your application. Your application will be recorded and stored by application management software. Access to your application data is restricted to persons entrusted with the application process.
We use the application management software of SmartRecruiters, Inc, 225 Bush Street, Suite #300, San Francisco CA 94104 US ("SmartRecruiters"). Your personal data may also be transferred to servers in the USA. Further information can also be found in section 9 of this privacy policy.
If you provide us with personal data as part of the application process, it will be divided into the following data types and data categories for collection, processing and/or use:
• Personal data (first and last name, date of birth, address, school-leaving qualification)
• Communication data (telephone, mobile and fax number, e-mail address)
• Data on the assessment and evaluation in the application process
• Education data (school, vocational training, civil/military service, studies, doctorate)
• Data on your professional career to date, training and job references
• Information on other qualifications (e.g. language skills, PC skills, etc.)
• Application photo
• Details of desired salary
• Application history
In the event that we find your application interesting even after a rejection, we will include you in our talent pool with your express consent. In this case, we will store your personal data for up to 12 months after the rejection. If a suitable position becomes available during this period, we will contact you again.
The legal basis for the processing of personal data is Art. 6 para. 1 lit. b GDPR or § 26 BDSG insofar as the processing is necessary to carry out the application procedure. If you actively consent to inclusion in our talent pool, the legal basis for continued processing is Art. 6 para. 1 lit. a GDPR.
Furthermore, we may process (in particular retain) personal data about you if this is necessary to defend against legal claims asserted against us in the application process. The legal basis for this is Art. 6 para. 1 lit. f GDPR; the legitimate interest is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG). For these purposes, the applicant data is generally stored for 6 months.
We may also process work-related information that you have made publicly available, such as a profile on professional social media networks. Insofar as we process the
If we do not collect data directly from you and you have an active profile on StepStone, Xing or LinkedIn, or disclose an inactive or only partially active profile to us as part of the application process, we may also collect personal data via this profile. The legal basis in each case is Art. 6 para. 1 lit. f GDPR, namely our legitimate interest in checking and confirming your details.
You can object to the processing of your data at any time and request the deletion of your personal data. In addition, you are entitled to the rights mentioned in section 10.
There is no automated decision-making in individual cases or "profiling" within the meaning of Art. 22 GDPR, i.e. the decision on your application is not based exclusively on automated processing.
7. Use of / data transfer to third parties
As described below, McMakler ensures that access to your data is only granted to those bodies that need it to fulfill their tasks in connection with our services, in particular to fulfill the contract and to comply with legal obligations.
7.1 Passing on to interested parties and providers
As part of the provision of our offers and the associated functions and services, we may pass on your personal data to the persons affected by them - i.e. to providers and interested parties of real estate and their financing, if you make use of our respective services. This transfer takes place insofar as it is necessary for the use of the service or the fulfillment of a contract on the basis of Art. 6 para. 1 lit. b GDPR. Otherwise, the legal basis is Art. 6 para. 1 lit. f GDPR, because McMakler has an overriding legitimate interest in making the services offered as efficient as possible.
7.2 Disclosure to other third parties
We also transfer your personal data to the following categories of persons for the purposes described in each case. The transfer is only made on a case-by-case basis and we only transfer the personal data that is necessary for the respective recipient and for the provision of services or their involvement:
Recipient | Purpose of the transfer |
---|---|
Credit institutions | Processing of payment transactions, real estate loan brokerage |
Law firms and competent jurisdiction | Enforcement of claims, advice, legal cases (to the extent legally permissible and necessary to comply with applicable law or to assert, exercise and/or defend legal claims) |
Real estate owners | Contract initiation and execution of brokerage services, purchase processing and services |
Buyers and prospective buyers | Contract initiation and execution of brokerage services, purchase processing and services |
External auditors (WP, StB, DSB) | Initiation and implementation of statutory and/or authorized auditing and consulting services |
Authorities and other government agencies | Statutory duties to provide information, cooperate and report (e.g. prevention of money laundering) |
Business and cooperation partners | Implementation of agreements for the purposes of real estate brokerage services, real estate loan brokerage, affiliates, energy performance certificate and energy consulting services |
Partner companies (such as ImmoScout24) | Acceptance of the service in a region that is covered by a partner company. You will be informed of this separately before it is passed on. |
Tipster | Sales purposes, contract execution |
Credit agencies | Credit assessment, checking credit default risks |
Affiliates | Placement of advertising material, sales purposes |
IT service providers and service providers | Specialized IT and auditing services, operation and provision of software and services (including for customer data management, hosting and data backup and general IT support) |
Internal positions at McMakler GmbH | Efficient management of business processes and work tasks |
Companies of the McMakler Group | Efficient management of business processes and work tasks, Group-internal administrative purposes, initiation and implementation of specialized services and agreements (e.g. real estate loan brokerage) |
Insofar as the aforementioned third parties are not themselves controllers in accordance with Art. 4 No. 7 GDPR, they process your data on our behalf as so-called processors in accordance with Art. 28 GDPR. Processors only act in accordance with instructions and are contractually obliged to comply with the applicable data protection requirements by means of an order processing agreement. Further information on the transfer of your data to third countries can also be found in section 9 of this privacy policy.
7.3 Data transfer to third countries
Some of the third-party providers we use also process personal data in a third country outside the European Economic Area ("EEA"), e.g. in the USA.
The basis for the transfer of personal data to recipients outside the EEA or processing there is always an adequate level of protection in the respective third country determined by the European Commission as part of an adequacy decision (Art. 45 GDPR) or we use standard contractual clauses approved by the EU Commission (Art. 46 GDPR). Standard contractual clauses oblige third-party providers to comply with the EU level of data protection when processing relevant data outside the European Union.
Further information on the measures taken by us in each individual case and recipient is available from us on request ([email protected]).
8. E-mail contact
You can contact us via the following e-mail addresses:
Data protection-relevant topics: [email protected]
General customer service: [email protected]
Other: [email protected]
If you send us an e-mail, we process and store the personal data transmitted by the e-mail. This will generally be your e-mail address and any other information you disclose. Such data processing is necessary for processing the conversation.
As long as none of the following legal bases is relevant, data processing is based on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR to respond to your request/message. If the purpose of the contact is the conclusion or performance of a contract, the processing is lawful pursuant to Art. 6 para. 1 lit. b GDPR. If you provide additional, unnecessary personal data in this context, the processing is based on your consent within the meaning of Art. 6 para. 1 lit. a GDPR.
We delete this data as soon as the conversation has ended and there is no longer a purpose for storing it/there are no legal and/or legitimate retention periods to the contrary. The conversation is ended when it can be inferred from the circumstances that the relevant process has been conclusively clarified. All other data transmitted during the sending process will be deleted after a period of 7 days at the latest.
9. Rights of data subjects
The applicable data protection law grants you as the data subject comprehensive data subject rights (rights of access and intervention) vis-à-vis the controller (McMakler) with regard to the processing of your personal data, about which we inform you below:
9.1 Right to confirmation, Art. 15 para. 1 sentence 1 GDPR
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
9.2 Right to information, Art. 15 para. 1 sentence 2 GDPR
If the data subject's personal data is processed, the data subject has the right to access this personal data and to the following information:
a. the purposes of processing;
b. the categories of personal data that are processed;
c. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f. the existence of a right of appeal to a supervisory authority;
g. if the personal data are not collected from the data subject, all available information about the origin of the data;
h. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
9.3 Right to rectification and completion, Art. 16 GDPR
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
9.4 Right to erasure (right to be forgotten), Art. 17 GDPR
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
c. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
d. Objection to the processing.
e. the personal data has been processed unlawfully.
f. the deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
g. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
However, the above does not apply if the processing is carried out for legal purposes. Deletion is also excluded if there are statutory retention obligations or overriding interests of the controller in retention.
9.5 Right to restriction of processing, Art. 18 GDPR
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims, or
d. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted accordingly, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
9.6 Right to information, Art. 19 GDPR
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the controller.
9.7 Right to data portability, Art. 20 GDPR
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where one of the following applies:
a. the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b), and
b. the processing is carried out using automated procedures.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
9.8 Right to object, Art. 21 GDPR
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) and (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
9.9 Right to withdraw the consent given, Art. 7 para. 3 GDPR
The data subject has the right to withdraw their consent at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject will be informed of this before consent is given. You can send a revocation to us at any time (e-mail is sufficient) at [email protected]. Please understand that it may take up to 4 weeks for the revocation to be processed. In the meantime, there may be overlaps in the processing of your request with marketing measures.
9.10 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG)
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority responsible for us can be contacted using the following details:
Berlin Commissioner for Data Protection and Information Security
Alt-Moabit 59-61
10555 Berlin
Phone: +49 30 13889-0
Fax: +49 30 2155050
E-mail: [email protected]