§ 1 Name and Address of the Controller
Controller in terms of the General Data Protection Regulation and other national privacy laws of the member states of the European Union as well as further privacy provisions is:
GMBC RE GmbH
§ 2 Privacy Officer
You can reach the appointed privacy officer under:
Deutsche Datenschutz Consult GmbH
Phone: +49 40 228 60 70 402
§ 3 Business Correspondence
If you correspond with us via email, we collect, store and process your name, email address and all contents of the correspondence. This data is processed for the purpose of initiating or conducting a contractual relationship with the controller that you represent.
As a rule, the legal basis for the processing is Art. 6 (I) lit. f GDPR, whereby our legitimate interest lies in the establishment and support of business relationships. In individual cases, processing may also be based on Art. 6 (1) lit. a GDPR if you have given us your consent for contact and/or correspondence. In the rare cases where we enter into contracts with natural persons, the communication required for this is based on Art. 6 (1) lit. b GDPR.
Where required for the fulfilment of a contract or by law, we disclose or transfer personal data of our customers to third parties if and insofar as this serves the provision of our services pursuant to Art. 6 (1) lit b. GDPR, is required by law according to Art. 6 (1) lit c. GDPR, serves our interests or those of our customers in the efficient and cost-effective provision of services as a legitimate interest pursuant to Art. 6 (1) lit. f. GDPR, or in the context of consent pursuant to Art. 6 (1) lit. a. GDPR. Possible third parties to whom your personal data may be transferred are
• external professionals involved in the provision of services, and
• third parties necessarily or typically involved in the performance of the contract, such as companies in the insurance chain.
As a matter of principle, your data will only be kept for as long as it is needed to process the correspondence. In addition, we are legally obliged to retain business correspondence for a period of 6 years. In individual cases, a retention period of 10 years under tax law may also be relevant. In this respect, your data is stored based on Art. 6 (1) lit. c GDPR for the fulfilment of the statutory retention obligations. After expiry of these retention obligations, your data will be deleted, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
§ 4 Processes on the Website
1. Server Statistics
Upon visiting our website, we collect the following data that is transmitted by your browser:
• IP address
• content of the request
• user agent
• HTTP status code
The data is collected on the basis of Art. 6 sec. 1 lit. f GDPR.
The temporary storage and processing of the IP address is required for delivery of the requested website to your system. This constitutes our legitimate interest for processing the IP address.
The website hoster stores this data in an access log which will be overwritten after 7 days. The access log is stored in order to analyze threats and protect against misuse, which also constitutes a legitimate interest for processing the data.
2. Piwik Analytics
We use Piwik PRO Analytics Suite as our website/app analytics software and consent management tool. We collect data about website visitors based on cookies. The collected information may include a visitor’s IP address, operating system, browser ID, browsing activity and other information. See the scope of data collected by Piwik PRO.
We calculate metrics like bounce rate, page views, sessions and the like to understand how our website/app is used. We may also create visitors’ profiles based on browsing history to analyze visitor behaviour, show personalized content and run online campaigns.
We host our solution on Microsoft Azure in Germany, and the data is stored for 14/25 months.
The purpose of data processing is analytics and conversion tracking based on consent, which we obtain via the consent manager and which is all time accessible via the link “Cookie Settings” at the bottom of the website. The legal basis for processing is Art. 6 (1)(a) GDPR.
In our specific configuration, Piwik PRO places the following cookies:
Expires after: 30 minutes (can be changed)
Type: First-party cookie
About: Shows an active session of the visitor. If the cookie isn’t present, the session has finished over 30 minutes ago and it was counted in a pk_id cookie.
Expires after: 13 months (can be changed)
Type: First-party cookie
About: Used to recognize visitors and hold their various properties.
• cookieCreationTimestamp: Cookie creation time.
• visitsCount: 0 means there are no previous visits.
• currentVisitTimestamp: Current time. Refreshed with every user action.
• lastVisitTimestamp: Time of the last visit. Empty if there are no previous visits. It is also used to increase the number of visits (together with the cookie pk_ses).
• lastEcommerceOrderTimestamp: Time of the last ecommerce order. Empty if there are no ecommerce orders.
For the consent management, the following cookie is required:
Module: Consent Manager
Expires after: 365 days (can be changed), 30 minutes (for anonymous tracking)
Type: First-party cookie
About: Stores visitor’s consent to data collection and usage.
Value: A JSON encoded object that holds visitor’s consent to data collection and usage.
• -1: A visitor didn’t make any decision.
• 0: A visitor didn’t agree to the use of their data.
• 1: A visitor agreed to the use of their data.
Created if: You use Consent Manager and display the form on your site.
§ 5 Your Rights
1. Right of Access
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed. Upon request we gladly inform you in writing about which personal data are being processed by us, including their origin, any recipients of your personal data as well as the purpose of processing.
2. Right to rectification
You have the right to obtain from us rectification of personal data concerning you to the extent we save such data and provided it is inaccurate.
3. Right to restriction of processing
You have the right, under the preconditions of art. 18 sec. 1 GDPR (for example if the accuracy of the data is disputed or the processing is unlawful), to obtain from us restriction of processing, which means that we may only process your personal data subject to such restriction under the preconditions of art. 18 sec. 2 GDPR (for example with your consent or for the exercise or defence of legal claims).
4. Right to erasure
You have the right to obtain from us the erasure of your personal data under the preconditions of art. 17 sec. 1 lit. a-f GDPR (for example if the personal data is no longer needed or processing is unlawful) unless exceptions following art. 17 sec. 3 lit. a-e GDPR apply (for example if there are legal obligations to process the personal data).
5. Right to data portability
You have the right to receive from us your personal data that you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us.
6. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, if you feel our processing of your personal data is unlawful. The supervisory authority responsible for us is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
7. No automated Decision-Making
While using our services, you are not subject to any exclusively automatic decision-making process – including profiling – that takes legal effect or affects you significantly in any similar manner.
§ 6 IT Security Notice
For our website we make use of ssl encryption (secure socket layer) with the highest encryption level supported by your browser. Usually this will be 256-bit encryption. If your browser doesn’t support this, our website falls back to 128-bit technology. Most browsers show encryption status by displaying a closed lock icon next to the URL or in the status bar.
Access to your data
Fill out the form to request access to your data. We'll only use your email to process this request.
We may need to update our Privacy Notice. The latest version of the Privacy Notice is always available on our website. We will communicate any material changes to the Privacy Notice, for example how we use your personal data, the identity of the Controller or your rights.