-PRIVACY STATEMENT-

We take privacy very seriously. Cannon & Cannon fully respects your right to privacy and will only process personal information about you, whether on or off this website, where you have not explicitly objected. Any personal information which you volunteer to us will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1998 - 2018; namely the General Data Protection Regulations taking effect 25 May, 2018.

Our codes of conduct at Cannon & Cannon place a great emphasis not only on being accountable, but also on being transparent to you as a data subject. For these reasons, we unambiguously wish to provide you with the information listed in the following three appendices:

APPENDIX I - data collected on our website

APPENDIX II - data collected off our website

APPENDIX III - definitions and references

Furthermore, we at Cannon & Cannon believe in providing nothing less than a quality service to all of our clients. In providing this service, we require the processing of certain categories of data. These categories are only processed for the explicit services which you, as our client, can reasonably expect. Under no circumstances do we abuse or exploit your data for purposes other than what is stated in this Privacy Statement. We only process data in direct relation to the required stage of processing in administering a service to you. This is required for our General Data Protection Regulation.

Through the submission of data to us or to a third party in direct relation to the processing of your data, you acknowledge that you have read and understood our Privacy Statement. However, in the interest of transparency, Cannon & Cannon will make every attempt to direct you to this statement before the submission of data, giving you the chance to object or raise any questions surrounding the processing.

As a data subject, you reserve the right to object at any time to the processing of your submitted data.

Cannon & Cannon may change this Statement by updating this page. Please check back from time to time to ensure you are happy with any changes that may occur. You will be notified of any major changes via email.

Our Privacy Statement was last updated on 11 May, 2018

-PRIVACY STATEMENT INDEX-

APPENDIX I: WEBSITE DATA

  1. PROCESSING AND USAGE OF PERSONAL DATA
     1. online contact form
     2. data processed via contact form
     3. usage of this data for
  2. PROCESSING AND USE OF TECHNICAL INFORMATION
     1. technical details we log
     2. anonymizations
  3. LEGAL BASIS FOR PROCESSING THE DATA
     1. expectations
     2. risk assessment
     3. legal instrument
     4. explanation
  4. DATA SHARED WITH THIRD PARTIES
     1. commissioned sharing
     2. administrative expectations
     3. rule against exploitation
  5. THIRD PARTY WEBSITES
     1. endorsement
     2. responsibility for your privacy
  6. SUB-PROCESSING
     1. direct obligation
     2. authorisation
     3. liability
  7. DURATION OF STORAGE
     1. legal limitation
     2. holding period
     3. objection
  8. SECURITY
     1. appropriate measures
     2. additional obligation
     3. joint compliance
     4. cooperation
  9. BREACHES
     1. obligation of processors
     2. notification
     3. time limit
  10. ON-GOING MONITORING
     1. due diligence
     2. evidence of compliance
     3. risk assessments
  11. RIGHTS OF THE DATA SUBJECT
     1. effect
     2. overriding for compelling reason
     3. list of rights
     4. explanation
  12. QUESTIONS AND OBJECTIONS TO PROCESSING
     1. designated DPO
     2. contact information
     3. legal instrument
     4. explanation

APPENDIX II: NON-WEBSITE DATA

  1. PROCESSING OF THE DATA
     1. commissioned processing
     2. direct relationship
  2. DATA THAT IS BEING PROCESSED
     1. necessary processing
     2. list of functional categories
     3. objecting
  3. PURPOSE OF THE DATA BEING PROCESSED
     1. list of purposes
     2. validity
     3. viability
     4. objection
  4. LEGAL BASIS FOR PROCESSING THE DATA
     1. expectations
     2. risk assessment
     3. legal instrument
     4. explanation
  5. DATA SHARED WITH THIRD PARTIES
     1. commissioned sharing
     2. administrative expectations
     3. rule against exploitation
  6. SUB-PROCESSING
     1. direct obligation
     2. authorisation
     3. liability
  7. SECURITY
     1. appropriate measures
     2. additional obligation
     3. joint compliance
     4. cooperation
  8. BREACHES
     1. obligation of processors
     2. notification
     3. time limit
  9. ON-GOING MONITORING
     1. due diligence
     2. evidence of compliance
     3. risk assessments
  10. DURATION OF STORAGE
     1. legal limitations
     2. holding period
     3. objection
  11. RIGHTS OF THE DATA SUBJECT
     1. effect
     2. overriding for compelling reason
     3. list of rights
     4. explanation
  12. QUESTIONS AND OBJECTIONS TO PROCESSING
     1. designated DPO
     2. contact information
     3. legal instrument
     4. explanation

APPENDIX III - DEFINITIONS AND REFERENCES

  1. DEFINITIONS
     1. company name
     2. terminology
     3. servicing
     4. commissioned parties
  2. REFERENCES
     1. what was used
     2. online sources
     3. research

APPENDIX I: WEBSITE DATA

  1. PROCESSING AND USE OF PERSONAL DATA
  1. Cannon & Cannon does not process any personal data about you on this website, apart from information you may volunteer to us via email or via our online Contact Form.
  2. From our Contact Form we may process the following information:
  • Your first and last name
  • Your Contact information including email address and telephone number
  3. We require this information to understand your needs and what you reasonably expect for the purpose of conducting future business with you and for our marketing activities, such as writing to you with details of our services, to provide you with a better service, and in particular for the following reasons:
  • Internal record keeping
  • We may use the information to improve our services
  • We may periodically send promotional emails with information which we think you may find interesting, using the email address which you have provided
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests

  2. PROCESSING AND USE OF TECHNICAL INFORMATION
  1. This website uses temporary cookies which assist us in analysing web traffic to our website, for statistical purposes. No information is processed that can be used by us to personally identify website visitors. The technical details logged are as follows:
  • the IP Address of the visitor’s web server, in order to display the website in either English or German languages
  • the top-level domain name used (for example, .com or .de)
  • the previous website address from which the visitor reached us, including any search terms used
  • Google Analytics which shows the traffic of visitors around this website (for example, pages accessed, and documents downloaded)
  2. Cannon & Cannon make no attempt to identify individual visitors or to associate any technical details above with any individual. The majority of web browsers automatically accept cookies; however, you can usually modify your web browser to decline cookies if you prefer. It is the policy of Cannon & Cannon never to disclose such technical information in respect of site visitors to any third party unless obliged to disclose such information by law.

  3. LEGAL BASIS FOR PROCESSING THE DATA
  1. Cannon & Cannon only process client data based on legitimate interests in direct correlation to Sales & Marketing, and what is expected by you as a data subject. Before the submission and collection of your data, we will make every attempt to direct you to this Privacy Statement.
  2. As per GDPR requirements, we have performed, documented, and continually update a ‘Legitimate Interests Assessment.’ This assessment balances our legitimate interest against your fundamental rights and freedoms. The assessment ensures none of your rights are infringed upon and that the processing can be reasonably expected in regards to the service(s) which we provide.
  3. This legal basis can be found in the following GDPR Article:
  4. Explanations of this legal basis can be found in the following GDPR Recitals:

  4. DATA SHARED WITH THIRD PARTIES
  1. Your data will only be shared with commissioned third parties in direct relation to us and our business practice.
  2. This sharing of data is in direct correlation to what you as a ‘data subject’ can reasonably expect in the administration of service by Cannon & Cannon. All third parties in direct relation to us are under a strict obligation to comply with the GDPR; acting only under our clear instruction. We hold no responsibility for any contradictory actions to our clear instruction in regards to this Privacy Statement by one of our third parties.
  3. We under no circumstances will share your data with a third party not in direct relation to us; nor will we share it for purposes other than what is stated in section 3 above. This includes the selling of your data to bodies not within the EU.

  5. THIRD PARTY WEBSITES
  1. Our website may contain links to other websites of interest, and also to our partners. The inclusion of a link does not imply endorsement of the linked website by us.
  2. Once you have used a link to leave our website, we cannot be responsible for the privacy of any information you may provide whilst visiting the linked website. Please check the Privacy Statements of the relevant website.

  6. SUB-PROCESSING
  1. Processors have a direct obligation not to engage another processor without prior specific or general written authorisation of the controller.
  2. Where a controller provides general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  3. Processors shall remain liable for sub-processors of personal data and are responsible for imposing the same contractual obligations accordingly.

  7. DURATION OF STORAGE
  1. The storage of your data is first and foremost subject to legal limitations.
  2. If your provided data does not fall within a legal limitation period, it will be stored by us, unless objected to, in order to provide the continuation of the service granted unto you by Cannon & Cannon. If we are no longer providing you with a service, or if we are no longer legally obliged to hold your data, it will be deleted.
  3. If you wish to object to the storage of your data, clear instruction can be found in section 12 of this Appendix.

  8. SECURITY
  1. Both controllers and processors are individually responsible for implementing appropriate security measures.
  2. The processor is under an additional obligation requiring them to take all required measures to comply with the GDPR security.
  3. Both controllers and processors will work together to ensure all security measures are appropriate in light of these measures, and where necessary, the processor shall provide details of the steps they have taken should a breach occur.
  4. The relationship of controller and processor should not lower the level of protection afforded to the personal data.

  9. BREACHES
  1. Taking into account the nature of the processing and the information available to the processor, there is an obligation on the processor to assist the controller in complying with the security obligations, personal data breach notification (to the supervisory authority and the data subject as appropriate), carrying out data protection impact assessments and consulting with the supervisory authority as appropriate.
  2. Personal data breaches shall be notified to the controller without undue delay or immediately once the processor becomes aware of them.
  3. The controller is under an obligation to the supervisory authority to notify within a 72-hour time period.

  10. ONGOING MONITORING
  1. Due diligence will be sufficiently performed when identifying data protection risks in order to meet accountability requirements set out in the GDPR.
  2. Evidence of compliance must at a minimum be obtained by controllers annually from their processors.
  3. Risk assessments should be revisited periodically to see if all measures remain appropriate in implementing breach prevention and response.

  11. RIGHTS OF THE DATA SUBJECT
  1. The rights granted unto the data subject take immediate effect upon the initial submission of data to Cannon & Cannon.
  2. These rights shall not be infringed upon, lest the legitimate interests of Cannon & Cannon as data controller override these rights for compelling reason, which ought to have been reasonably foreseen or expected by you as a data subject.
  3. These rights can be found in the following GDPR Articles:
  4. Explanations of these rights can be found in the following GDPR Recitals:

  12. QUESTIONS AND OBJECTIONS TO PROCESSING
  1. If you as a data subject wish to object to the processing of your data, or have any questions regarding the processing, you may do this at any time. In raising questions or objecting to processing, your request will be directed to our appointed Data Protection Officer (DPO), named:
  • Samuel Patrick Jaeger
  2. For questions or to object, our DPO can be reached by the following means:
  3. The right to object is provided in the following GDPR Article:
  4. Explanation of this right is provided in the following GDPR Recitals:

APPENDIX II: NON-WEBSITE DATA

  1. PROCESSING OF THE DATA
  1. Here at Cannon & Cannon, only those commissioned by us are permitted to process your data.
  2. Under no circumstances will anyone not in a direct relationship to the processing of your data be used.

  2. DATA THAT IS BEING PROCESSED
  1. We stress, only categories necessary to cater to our clients will be used in processing your data. These categories are collected only insofar as the data you have provided us or a commissioned third party with, and the stage of service you expect to receive.
  2. Below is a list of the main functional categories of data we normally use in processing. The description of each is only applicable to the data willingly provided by you as data subject. These categories are collected to serve the Legitimate Interests of Cannon & Cannon in regards to Sales & Marketing business functions.
  • PII - Name, title, address (work and home), former addresses, telephone number (work and home), IDs assigned by the controller.
  • Identification information assigned by government institutions, other than the social security number - ID card number, passport number, driver’s license number, license plate number, etc.
  • Financial identification data - ID numbers, bank account numbers, credit or debit card numbers, secret codes.
  • Financial means - Income, possessions, investments, total income, professional income, savings, start and end dates of investments, investment income, debts owed on assets.
  • Solvency - Evaluation of the income, of the financial statute, of solvency.
  • Loans, mortgages, lines of credit - Nature of the loan, the amount borrowed, remaining balance, start date, loan period, interest rate, payment overview, details regarding the guarantees.
  • Financial transactions - Amounts paid and payable by the data subject, awarded credit lines, sureties, payment method, payment overview, deposits and other guarantees.
  • Personal details - Age, sex, date of birth, place of birth, marital status, nationality.
  • Rental/Lending data - Details regarding the goods and services provided, loaned, or rented to the data subject.
  3. If you wish to object to one of the above categories, please see section 8 of this Appendix for clear instruction.

  3. PURPOSE OF THE DATA BEING PROCESSED
  1. The below purposes of processing are only applicable to the given reasonably expected stage of service provided to our clients upon the submission of their data. These expected stages of service provided directly correlate to the Legitimate Interests of our processing.
  • Direct Marketing - Canvassing, activities and services offered to population segments by commercial companies, charities, or other clubs or foundations, including those of a political nature. The means of communication for these actions can be mail, telephone or other direct means (e.g. email). It is of no importance whether the addressee is already a customer or not.
  • Market research - Studies related to the buying behaviour, preferences and purchase intentions of people for the purpose of determining market strategies.
  • Combating fraud and customer breaches - Intended are activities to prevent and detect such acts.
  • Management of elevated risks - Processing of data across various branches of insurance regarding persons with an elevated risk for the purpose of avoiding unacceptable risks and fraud.
  • Customer management - Customer administration, management of orders, deliveries, invoicing of material and immaterial services. Solvency monitoring. Personalized marketing and advertising. Registering customers of a business and profiling them based on purchases.
  • Claims management - Management of claims, including repayment of monies owed.
  • Vendor management - Vendor administration. Management of orders received and payment of vendors. Prospecting possible vendors and their evaluation.
  • Public relations - This includes creating goodwill for the organization.
  • Business intelligence - Analysing competitors and potential partners.
  • Security - Data processing to ensure the safety of people or goods.
  • Protection of society, the industry, or the organization - Processing of data regarding persons that represent a certain risk, such as hooligans.
  • Account management - The management of individual debit and savings accounts, whether or not a credit balance is present, belonging to customers of the financial institution. These activities include the payment transactions related to the account.
  • Credit management - This refers to the actions related to the monitoring and repayment of credit balances, including claims and the actions related to those claims, regardless of whether a third party is involved.
  2. The above purposes are limited to what is provided to us upon initial and ongoing collection of data. These purposes were selected based on our Legitimate Interests as per the GDPR Recitals, which provide guidance in assessing their validity.
  3. The reasonably expected administration of service to our clients can only be reached if we are able to utilize data for these purposes. The description of each purpose is only applicable to the given stage of service provided.
  4. If you wish to object to one of the above purposes, please refer to section 8 of this Appendix for clear instruction.

  4. LEGAL BASIS FOR PROCESSING THE DATA
  1. Cannon & Cannon only process client data based on legitimate interests in direct correlation to Sales & Marketing, and what is expected by you as a data subject. Before the submission and collection of your data, we will make every attempt to direct you to this Privacy Statement.
  2. As per GDPR requirements, we have performed, documented, and continually update a ‘Legitimate Interests Assessment.’ This assessment balances our legitimate interest against your fundamental rights and freedoms. The assessment ensures none of your rights are infringed upon and that the processing can be reasonably expected in regards to the service(s) which we provide.
  3. This legal basis can be found in the following GDPR Article:
  4. Explanations of this legal basis can be found in the following GDPR Recitals:

  5. DATA SHARED WITH THIRD PARTIES
  1. Your data will only be shared with commissioned third parties in direct relation to us and our business practice.
  2. This sharing of data is in direct correlation to what you as a ‘data subject’ can reasonably expect in the administration of service by Cannon & Cannon. All third parties in direct relation to us are under a strict obligation to comply with the GDPR; acting only under our clear instruction. We hold no responsibility for any contradictory actions to our clear instruction in regards to this Privacy Statement by one of our third parties.
  3. We under no circumstances will share your data with a third party not in direct relation to us; nor will we share it for purposes other than what is stated in section 3 above. This includes the selling of your data to bodies not within the EU.

  6. SUB-PROCESSING
  1. Processors have a direct obligation not to engage another processor without prior specific or general written authorisation of the controller.
  2. Where a controller provides general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  3. Processors shall remain liable for sub-processors of personal data and are responsible for imposing the same contractual obligations accordingly.

  7. SECURITY
  1. Both controllers and processors are individually responsible for implementing appropriate security measures.
  2. The processor is under an additional obligation requiring them to take all required measures to comply with the GDPR security.
  3. Both controllers and processors will work together to ensure all security measures are appropriate in light of these measures, and where necessary, the processor shall provide details of the steps they have taken should a breach occur.
  4. The relationship of controller and processor should not lower the level of protection afforded to the personal data.

  8. BREACHES
  1. Taking into account the nature of the processing and the information available to the processor, there is an obligation on the processor to assist the controller in complying with the security obligations, personal data breach notification (to the supervisory authority and the data subject as appropriate), carrying out data protection impact assessments and consulting with the supervisory authority as appropriate.
  2. Personal data breaches shall be notified to the controller without undue delay or immediately once the processor becomes aware of them.
  3. The controller is under an obligation to the supervisory authority to notify within a 72-hour time period.

  9. ONGOING MONITORING
  1. Due diligence will be sufficiently performed when identifying data protection risks in order to meet accountability requirements set out in the GDPR.
  2. Evidence of compliance must at a minimum be obtained by controllers annually from their processors.
  3. Risk assessments should be revisited periodically to see if all measures remain appropriate in implementing breach prevention and response.

  10. DURATION OF STORAGE
  1. The storage of your data is first and foremost subject to legal limitations.
  2. If your provided data does not fall within a legal limitation period, it will be stored by us indefinitely, unless objected to, in order to provide the continuation of the service granted unto you by Cannon Berlin Group. If we are no longer providing you with a service, or if we are no longer legally obliged to hold your data, we will notify you of its planned erasure, giving you the chance to first retrieve it.
  3. If you wish to object to the storage of your data, clear instruction can be found in section 12 of this Appendix.

  11. RIGHTS OF THE DATA SUBJECT
  1. The rights granted unto the data subject take immediate effect upon the initial submission of data to Cannon & Cannon.
  2. These rights shall not be infringed upon, lest the legitimate interests of Cannon & Cannon as data controller override these rights for compelling reason, which ought to have been reasonably foreseen or expected by you as a data subject.
  3. These rights can be found in the following GDPR Articles:
  4. Explanations of these rights can be found in the following GDPR Recitals:

  12. QUESTIONS AND OBJECTIONS TO PROCESSING
  1. If you as a data subject wish to object to the processing of your data, or have any questions regarding the processing, you may do this at any time. In raising questions or objecting to processing, your request will be directed to our appointed Data Protection Officer (DPO), named:
  • Samuel Patrick Jaeger
  2. For questions or to object, our DPO can be reached by the following means:
  3. The right to object is provided in the following GDPR Article:
  4. Explanation of this right is provided in the following GDPR Recitals:

APPENDIX III - DEFINITIONS AND REFERENCES

  1. DEFINITIONS
  1. By stating in this Privacy Statement the name Cannon & Cannon, we are referring to the following three partner companies:
  • Cannon Berlin Ltd
  • Cannon Berlin Mitte Ltd
  • Riverside Real Estate Berlin GmbH
  2. The GDPR defines the meaning of the standardised terminology such as ‘Controller’ or ‘Processor’ used in compliance with the GDPR. These definitions can be found in the following GDPR Article:
  3. When this Privacy Statement uses the terms ‘service’ or ‘services’ it is referring to the service agreements we have with Third Parties, and the services which they then provide.
  4. In regards to Sales and Marketing, the Third Parties we have commissioned in providing you with a service are as follows:
  • Ziegert Bank – und Immobilienconsulting GmbH
  • DG – HYP
  • Berliner Volksbank
  • Dr. Hans Cobet – Rechtsanwalt, Steuerberater, Notar
  • Unique Advanced Technologies Ltd
  • Dillon IT
  • Woods & Partners
  • Domus

  2. REFERENCES
  1. The below were used to source the information and formulate this Privacy Statement.
  2. Online sources
  • Data Protection Network 'DPN Legitimate Interests Guidance ' (Dpnetworkorguk, 11 July 2017) <https://www.dpnetwork.org.uk/wp-content/uploads/2018/04/DPN-Guidance-A4-Publication.pdf> accessed 25 March 201
  • Thorsten Logemann, intersoft consulting services ag, 'General Data Protection Regulation (GDPR)' (Intersoft consulting, 08 August 2017) <https://gdpr-info.eu/> accessed 10 March 2018
  • Lexisnexis, 'search: General Data Protection Regulation' (Lexis Library, 21 October 2011) <http://www.lexisnexis.co.uk/products/lexis-library.html> accessed 15 March 2018
  3. Research
  • Krysia Oastler; PricewaterhouseCoopers Legal LLP, 'GDPR series: How to engage third party suppliers in a GDPR-compliant way' [2018] 11(1) Data Protection Ireland
  • Monica Salgado; PricewaterhouseCoopers Legal LLP, 'How to build a GDPR programme - a multidisciplinary approach' [2016] 16(7) Privacy and Data Protection
  • ManishKumar Soni; PricewaterhouseCoopers Legal LLP, 'GDPR series: Data security and response planning' [2017] 10(4) Data Protection Ireland
  • Kate Brimsted; Reed Smith LLP, 'GDPR series: accountability - a blueprint for GDPR compliance' [2017] 17(3) Privacy and Data Protection
  • Katalina Bateman; Reed Smith LLP, 'GDPR series: The role of the DPO - overcoming the GDPR hurdle' [2017] 10(3) Data Protection Ireland
  • Eduardo Ustaran; Hogan Lovells International LLP, 'EU General Data Protection Regulation: things you should know' [2016] 16(3) Privacy and Data Protection
  • Eduardo Ustaran; Hogan Lovells International LLP, 'EU General Data Protection Regulation: things you should know' [2016] 9(1) Data Protection Ireland
  • Ibrahim Hasan; Act Now Training, 'In Practice: Legal Update: data protection: Preparing for GDPR' [2017] n/a(40) Law Society Gazette
  • Nóra Ni Loideain; Information Law and Policy Centre, Institute of Advanced Legal Studies, University of London, 'Book Reviews: Guide to the General Data Protection Regulation - A Companion to Data Protection Law and Practice (4th edn)' [2017] 22(4) Communications Law
  • Stefano Varotto; Colin James, Clarke & Hartland Solicitors LLP, 'The European General Data Protection Regulation and its potential impact on businesses: some critical notes on the strengthened regime of accountability and the new sanctions' [2015] 20(3) Communications Law
  • Rosemary Jay; Hunton & Williams LLP, 'The transparent human: The new biometrics and the General Data Protection Regulation' [2017] 22(1) Communications Law
  • Rezzan Huseyin; PDP Companies Limited, 'With less than a year to go, GDPR prep tools are thick and fast' [2017] 17(6) Privacy and Data Protection
  • Laura Scaife; Datultacy, 'General Data Protection Regulation: The principles and grounds for processing' [2017] 6(5) Compliance and Risk

© Copyright Cannon & Cannon 2018