Back

1. Data processing in connection with renting

2. Data processing for the Vonovia app

3. Data processing in connection with recruiting applicants

4. Data processing in connection with transactions for buyers and sellers of property

5. Data privacy information for shareholders and investors of Vonovia SE

6. Data processing in connection with business partnerships for (future) business partners/subcontractors

7. Data processing in connection with marketing measures

I. Scope of application 

1. This Data Protection Information informs you about the data processing on the websites of Vonovia SE (hereafter referred to as “Vonovia,” “we” or “us,”) and of the companies that are affiliated with Vonovia SE (“Vonovia Group,” “we” or “us,” see Definitions No. 16) pursuant to the EU General Data Protection Regulation (hereafter “GDPR”) and the German Federal Data Protection Act (hereafter “BDSG”). 

If you are acting as a legal entity within this context, the rights set out in this data protection information only apply to a limited extent (the GDPR only covers rights of natural persons).  

2. You can access, save and print out this Data Protection Information from any Vonovia SE website free of charge at any time.  

3. This general section of the Data Protection Information applies to all natural persons (data subjects) whose personal data is processed by companies belonging to the Vonovia Group. The general section contains, in particular, definitions, basic information on the data controllers, the Group Data Protection Officer and explanations of general data processing rules with regard to recipients, processors, legal bases, your rights as a data subject and general information about retention periods and the erasure of data. 

In the Special Data Protection Information provided below, you will also find specific information on the purposes and details of data processing relating to the respective categories of data subjects for the following areas of activity: 

No.Areas of activity**Categories of data subjects***
(1)*RentalTenants, subtenants or interested parties/prospective tenants, rent guarantors, interested parties or users of our services and additional services
(2)*Vonovia AppTenants when using the app
(3)*Recruiting/application processes Applicants
(4)*Property transactionsInterested parties, buyers or sellers of property
(5)*Vonovia SE investor relationsShareholders and investors
(6)*Business partnershipsBusiness partners
(7)*Marketing measuresCompetition or customer survey participants
(8)

Customer website: vonovia.de 
Group website:
vonovia.com

Visitors to the customer website and Group website 

 

The specific information provided in the Special Data Protection Information* that applies to the data processing in each case is based on the specific areas of activity** mentioned above and the categories of data subjects*** indicated next to each of these. As a general rule, the General Data Protection Information provided in this section applies in addition to the specific information provided in the Special Data Protection Information*. The information on special data processing only applies to the specified area of activity in each case and the data subjects that fall within this area. The Data Protection Information for Website Visitors contains all the data protection information and the cookie policy.

Definitions

This Data Protection Information is based on the following terms, which we have defined in order to make them easier to understand:

1. The GDPR is the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46/EC).

2. The BDSG is the (German Federal Data Protection Act) and sets outs the provisions of the GDPR in sub-areas (e.g., data processing of employees by the employer) in more specific terms.

3. “Recipient” means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. In connection with the collection of rent, recipients may include, for example, banks or the post office via which we send you your lease documents.

4. Joint controllers are two or more controllers within the meaning of Article 26 GDPR that jointly determine the purposes of the processing of personal data and the means by which this is carried out. For example, Vonovia Kundenservice GmbH and Vonovia SE jointly determine the means used to process, and the purposes of processing, personal data of prospective tenants, meaning that they are joint controllers (see II).

5. You are considered to be an interested party if, for example, you visit our websites to find out more about Vonovia and our offers and services, create an account in the app or make viewing appointments with us.

6. Applicants are applicants with Vonovia SE or one of the Vonovia Group’s companies that retains personnel (employer company), in particular when using the Vonovia SE careers website.

7. You are considered to be the “tenant” from the time at which you receive a signed copy of your lease agreement back.

8. You are considered to be a (future) subtenant if an existing tenant submits a subletting application to us in which you are named as the subtenant.

9. You are considered to be a (rental) guarantor from the time at which you assume the guarantee for an existing rental agreement.

10. Buyers or sellers are considered to be prospective buyers and sellers from the time at which they countersign the contract for the purchase or sale of a property with a Vonovia Group company at the notary’s office.

11. Business partners are current and future contractual partners who, as subcontractors, craftsmen or service providers, supply or provide services (e.g., trade and building services, construction services) to the Vonovia Group companies, support the Vonovia Group in managing and renting out its portfolio and help to provide services to tenants and customers.

12. Shareholders are the shareholders of Vonovia SE. Investors are business partners with a financial investment.

13. “Personal data” refers to all information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 (1) GDPR). Personal data can include, by way of example, your name and contact details, user behavior, tax number or bank account details (e.g., IBAN).

14. The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Vonovia SE, and others as are herein described, is the controller for the purposes of the data processing described in this Privacy Policy (see Controller within the meaning of Article 4 (7) GDPR above).

15. “Processing” includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (Article 4 (2) GDPR). Processing may include the collection and use of your contact details to arrange a viewing appointment.

16. The Vonovia Group includes all the companies affiliated with Vonovia SE pursuant to Section 15 German Stock Corporation Act (AktG), in particular Vonovia Customer Service GmbH, Vonovia Energie Service GmbH, Deutsche Multimedia Service GmbH and Living Innovations- und Beteiligungs GmbH (LIB) in addition to Deutsche Wohnen SE, Deutsche Wohnen Management GmbH, SYNVIA media GmbH, SYNVIA energy GmbH, SYNVIA technology GmbH and SYNVIA mobility GmbH.

II. Controller for data processing 

As a general rule, the controller for personal data processing is Vonovia SE and, within the scope of collaboration involving divided responsibilities, other companies in the Vonovia Group, insofar as this is specified in the following Special Data Protection Information on the respective areas of activity.

The contact details for Vonovia SE (Universitätsstraße 133, 44803 Bochum, Germany) are as follows:

Telephone: +49 (0)234 414 700-000
Contact form: kontakt.vonovia.de

Contact details for the other controllers responsible for specific areas of activity can be found in the section Special Data Protection Information.

The Group Data Protection Officer for all Vonovia Group companies to whom all questions concerning data protection can be directed is: 

Dr. Stefan Drewes
c/o Vonovia SE
Universitätsstraße 133
44803 Bochum, Germany
Email: datenschutz@vonovia.de

We expressly point out that when you use this email address, the content of your message will be noted by parties other than just our Data Protection Officer. If you would like to exchange confidential information, we would therefore ask you to first contact us directly via this email address without describing the facts of the matter in detail.

III. General data processing procedures for law enforcement, compliance with legal obligations, video surveillance and public relations  

1. Reminders

1.1 In cases in which we have receivables outstanding (such as outstanding payments), we track these in our receivables management system, evaluate them, contact you by telephone to inform you and, if necessary, send you a payment reminder.

1.2 If, for example, you do not fulfill your contractual obligations (e.g., rent arrears despite having been issued a payment reminder or improper use of the rented property) and in the context of legal disputes with you, we will engage external lawyers or collection agencies to provide legal advice and to enforce and/or defend our rights. We may also process personal data from other public sources (e.g., credit agencies) within this context.

1.3 We process your personal data in order to execute and, where appropriate, perform the lease agreement with you on the basis of Article 6 (1) sentence 1b GDPR, and based on our legitimate interest in asserting, enforcing and/or defending our legal interests on the basis of Article 6 (1) sentence 1f GDPR.

2. Legal disputes, legal advice and enforcement and defense of legal claims and corporate transactions

2.1 In the context of legal disputes with you, we commission external lawyers to provide legal advice and to enforce and/or defend our rights. In order to enforce and/or defend our rights, we may also collect personal data from other public sources (e.g., credit agencies).

2.2 We process your personal data in order to execute and, where appropriate, perform the contract with you on the basis of Article 6 (1) sentence 1b GDPR, and based on our legitimate interest in asserting, enforcing and/or defending our legal interests on the basis of Article 6 (1) sentence 1f GDPR. 

2.3 In the event of breaches of contract committed by our employees and in cases involving work-related criminal proceedings against our employees, we also engage external lawyers to provide legal advice and to enforce and/or defend our rights. The handling of these cases may also involve processing of your personal data. We process your personal data based on our legitimate interest in asserting, enforcing and/or defending our legal interests on the basis of Article 6 (1) sentence 1f GDPR.

2.4 In connection with a corporate transaction, a risk assessment (due diligence) is performed on the Vonovia Immobiliengruppe company to be sold. Personal data is also processed within this context. The data is processed based on our legitimate interest in having the company to be sold evaluated for the purposes of a sale using a risk assessment, on the basis of Article 6 (1) sentence 1f GDPR.

3. Compliance audits and measures and internal auditing

3.1 We document breaches of contract within our Group in order to clarify the facts, point out the breach of contract to the specific employee, issue them with a reprimand if necessary and/or terminate the contract in certain circumstances. The documentation of the breaches of contract may also contain your personal data, depending on the individual scenario surrounding the breach of contract.

3.2 If there is a suspicion of criminal conduct on the part of the employee, we carry out a special audit to determine the facts of the case, to check whether a criminal offense has been committed and, if necessary, to secure evidence. This may also involve processing of your personal data.

3.3 Your personal data may also be processed in connection with auditing activities at Vonovia.

3.4 We process your personal data in order to meet our legal obligations on the basis of Article 6 (1) sentence 1c GDPR. In addition, we process your personal data on the basis of our legitimate interests in conducting the audits specified by the Supervisory Board in order to review the processes and efficiency within the Group, to exercise, enforce and/or defend our legal interests and to guarantee the prevention of cases of fraud and misuse within the company, as well as IT and network security within the company, on the basis of Article 6 (1) sentence 1f GDPR. 

4. Press releases, reports on our events and photographs

4.1 We regularly receive press inquiries. In individual cases, these inquiries can also involve personal data (e.g., the name of a tenant). In such cases and in the context of press reports, we process this data based on our legitimate interest in issuing a statement and, if necessary, correcting misrepresentation, on the basis of Article 6 (1) sentence 1f GDPR. 

4.2 We report on our events on a regular basis. Within this context, we also take photos and/or record videos, and save and publish these photos/videos.  

4.3 If the photos/videos do not specifically depict individual event visitors (e.g., portraits), but are photographs of the event in which individuals can only be seen as part of a group/in the background, we process this personal data based on our legitimate interest in documenting and reporting on our events on the basis of Article 6 (1) sentence 1f GDPR.

4.4 Photos depicting individual persons (such as portraits)/video sequences (such as video recordings including interviews with specific individuals) are processed with the consent of the data subject within the meaning of Article 6 (1) sentence 1a GDPR. We process photos/video sequences of public figures based on our legitimate interest in informing the public about the event and its content, on the basis of Article 6 (1) sentence 1f GDPR.

5. Video surveillance

5.1 We use video surveillance at our headquarters in Bochum. The outside of the headquarters building is monitored. Inside the building, video surveillance is used in certain areas and when circumstances require, e.g., automatically when attempts are made to override the access control at the entrance using force. In connection with video surveillance, there is a chance that personal data will be processed via the recorded image material. The monitored areas are marked accordingly. The data processing is carried out on the basis of Article 6 (1) sentence 1f GDPR and serves the following purposes, which also represent Vonovia’s legitimate interests:

  • Safeguarding customers, suppliers and employees, and their property
  • Protecting the company’s physical and intellectual property
  • Implementing and upholding the rules that apply to the premises
  • Safeguarding evidence in connection with criminal offenses 

5.2 In normal operation, image files are recorded in self-overwriting memory storage; the standard retention period is less than 72 hours. If an event triggers an alarm, the recordings are transferred to permanent memory storage and erased as soon as they are no longer needed for the purpose of reconstructing the recorded event, but after 7 days at the latest. The following groups of people are authorized to access the recordings: system administrators, selected employees from the new construction, land management and facility management departments and security service providers.

5.3 In individual cases, where appropriate, the records may be passed on to law enforcement authorities.

5.4 Video surveillance is also used in individual cases at the regional sites; information on this can be obtained from the respective site in question. We also use video surveillance at individual properties and at some of our construction sites. This is used after careful consideration if other measures have proved unsuccessful or do not appear promising based on specific past experiences. The monitored areas are marked accordingly. The data processing is carried out on the basis of Article 6 (1) sentence 1f GDPR and serves the following purposes, which also represent Vonovia’s legitimate interests:

  • Safeguarding customers and tenants, service providers and employees, and their property
  • Protecting the company’s physical and intellectual property as well as that of tenants and service providers
  • Implementing and upholding the rules that apply to the premises
  • Safeguarding evidence in connection with criminal offenses

5.5 The specific purpose of the camera is indicated on the local signage. In individual cases, where appropriate, the records may be passed on to law enforcement authorities.

5.6 Some of our properties are also equipped with a camera doorbell. When the doorbell is pressed, these briefly generate a live image of the area immediately in front of the doorbell; this is transmitted for just a few moments to a screen inside the apartment that is connected to the pressed doorbell, allowing the tenant to decide whether to allow the person ringing the doorbell to enter. The generated image sequence is not saved. The data processing is carried out on the basis of Article 6 (1) sentence 1f GDPR and helps to keep tenants safe.

IV. General data processing rules

1. Transmission of personal data – categories of recipients

1.1 We transfer your personal data to external parties in the form of order processing, as well as to third parties for their own further processing, and also in the context of an internal process within Vonovia Immobiliengruppe, involving divided responsibilities, for the preparation, execution and, if necessary, performance of your contract within the Vonovia Group (Article 6 (1) sentence 1b GDPR). The data is transmitted based on our legitimate interest in carrying out internal administrative activities efficiently and with divided responsibilities, on the basis of Article 6 (1) sentence 1f GDPR. 

1.2 Beyond that, we only transmit your personal data insofar as we are legally obliged to do so. The data is transmitted on the basis of Article 6 (1) sentence 1c GDPR.

1.3. Details on the transmission of personal data to recipients are provided in the Special Data Protection Information section for each area of activity.

2. Data processing by service providers – contract data processing

2.1 As part of the property matching and rental process, we use IT service providers who provide us, among other things, with platforms, databases or tools for our services (e.g., our website), various contact options or marketing measures) and process personal data for us on our behalf within this context.

2.2 Details on the commissioning of processors to process personal data are provided in the Special Data Protection Information section for each area of activity.

2.3 The service providers we commission have been carefully selected and commissioned by us in writing. They are bound by our instructions and are checked by us at regular intervals. All systems used to store your personal data that can be accessed by the service providers are password-protected and only accessible to a select group of persons who require the data for processing purposes that you have authorized. In this regard, we ensure, in accordance with statutory provisions, that when transferring data to, and having data processed by, service providers, the data is processed, used and, where appropriate, transmitted under the conditions agreed here.

3. Legal bases of processing

3.1 The legal bases of the data processing stem from Article 6 (1) GDPR. The provision that applies to the processing is specified in each case in conjunction with the data protection information for the processing in question.

3.2 If the processing is carried out for a purpose other than that for which the personal data was collected (Article 6 (4) GDPR), the persons affected by the change in processing shall be informed (Article 13 (3) GDPR).

4. Legitimate interests and objection

4.1 We process your personal data on the legal basis of Article 6 (1) sentence 1f GDPR, among others, due to our legitimate interests, e.g., to ensure IT and network security for you when you visit our websites and within the company, to perform analyses to improve our products and services, to prevent fraud, for advertising purposes, to process inquiries, risk assessment in the event of a sale, to respond to press inquiries and, if necessary, to correct misrepresentations, as well as to carry out internal administrative activities efficiently and with divided responsibilities. Details on the processing of personal data based on our legitimate interest are provided in the specific areas of activity in the Special Data Protection Information section.

4.2 If we process your personal data on the basis of these legitimate interests (Article 6 (1) sentence 1f GDPR), you have the right to object, on grounds relating to your particular situation, to the processing of your personal data at any time. We will then no longer process your data for this purpose/these purposes unless we have compelling legitimate grounds that override your interests, or if the processing is necessary for the establishment, exercise or defense of legal claims. Irrespective of the above, you can object to the processing of your personal data at any time without giving reasons in cases involving direct advertising (e.g., newsletters).

Please direct your inquiry/objection to

Vonovia Kundenservice GmbH
Postfach 44784 Bochum, Germany
Tel.: +49 (0)234 41 47 000-00
Contact form: kontakt.vonovia.de

or to the contact details provided in the section Special Data Protection Information. 

4.3 If you object to data processing, we will process the personal data concerning you collected within this context to answer your inquiry. Your personal data is processed to fulfill a legal obligation on the basis of Article 6 (1) sentence 1c GDPR.

5. Consent and withdrawing your consent

5.1 If you have granted us your consent to process your personal data, you can withdraw this consent at any time. Your withdrawal of consent is effective for the future. The legality of the processing of your personal data up until the time of withdrawal remains unaffected.

Please send your withdrawal notice in writing, by telephone or via contact form to 

Vonovia Kundenservice GmbH
Postfach 44784 Bochum, Germany
Tel.: +49 (0)234 41 47 000-00
Contact form: kontakt.vonovia.de

or to the contact details provided in the section Special Data Protection Information.

5.2 If you withdraw your consent, we will process the personal data concerning you collected within this context to answer your inquiry. Your personal data is processed to fulfill a legal obligation on the basis of Article 6 (1) sentence 1c GDPR.

6. Your rights

6.1 You may request at any time, in accordance with the GDPR, that we

  • provide you with information about the personal data concerning you that we process (Article 15 GDPR),
  • rectify personal data concerning you that is inaccurate (Article 16 GDPR) and/or 
  • erase (Article 17 GDPR), block (Article 18 GDPR) and/or surrender (Article 20 GDPR) your personal data stored by us.

6.2 Please direct your relevant request to

Vonovia Kundenservice GmbH
Postfach 44784 Bochum, Germany
Tel.: +49 (0)234 41 47 000-00
Contact form: kontakt.vonovia.de

6.3 If you assert your rights against us, we process your personal data collected in this context to answer your request. Your personal data is processed to fulfill a legal obligation on the basis of Article 6 (1) sentence 1c GDPR. We store correspondence sent in connection with inquiries for three years in order to fulfill our statutory obligations to provide evidence.

6.4 Without prejudice to your rights mentioned above, you can lodge a complaint with a data protection supervisory authority if you believe that the processing of personal data concerning you by us breaches the GDPR (Article 77 GDPR). Our competent data protection supervisory authority is

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information
Kavalleriestr. 2-4
40213 Düsseldorf, Germany
Email: poststelle@ldi.nrw.de

6.5 In addition, you can view, correct, change and/or delete your data in your profile in the app under "Profile” and under “Contracts – My lease agreements.” You can delete your customer profile in the app at any time and without prejudice to your rights.

7. General information on retention periods and erasure 

7.1 VONOVIA stores your personal data for as long and insofar as is necessary for the purposes for which the data is processed. This means, for example, that when a lease agreement is concluded, the contract data is required and stored for the entire lease term.

7.2 If and to the extent that your personal data is no longer required for processing, we will only store your personal data as long as you can assert claims against us or we can assert claims against you (statutory limitation period of three years in general, beginning at the end of the year in which the claim arises, e.g., Sections 195, 199 of the German Civil Code).

7.3 In addition, we store your personal data for as long and insofar as we are legally obliged to do so. Corresponding evidentiary and retention obligations result, among other things, from the German Commercial Code (HGB), the German Tax Code (AO) and the German Money Laundering Act (GwG) (e.g., Section 257 HGB; Section 147 AO). Under these provisions, the statutory retention obligations generally apply for ten years.

7.4 If your personal data is stored in the course of initiating business, which is not subject to the statutory retention periods, this data is subject to a regular erasure check. 

8. Changes to the Data Protection Information 

8.1 The provisions of this Data Protection Information (available free of charge at www.vonovia.de/datenschutz) apply in the version valid at the time. 

8.2 We reserve the right to supplement and change the content of this Data Protection Information. The updated Data Protection Information shall apply as of its validity date.

8.3 We will notify you in good time of any changes or additions to the Data Protection Information on our website. You will be given the opportunity to view, print and save the amended Data Protection Information free of charge. 

Special Data Protection Information

privacy policy