Privacy Policy
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as current national data privacy regulations. Please read this privacy policy carefully as it sets out the details of data processing through our whistleblowing system, which may affect you as an individual submitting a report as well as, potentially, as an individual mentioned in a report. The latter specifically affects employees of one of the entities of the GCP group of companies.
Our whistleblowing system enables individuals to submit reports on compliance concerns via different reporting channels (post, email, telephone, personal meeting, digital reporting system).
Data controller
The party responsible for data processing through the whistleblowing system is Grand City Property Ltd - Zweigniederlassung Deutschland, Wittestraße 30, Haus F, 13509 Berlin, Germany (also referred to as “GCP” throughout this privacy policy).
Data recipients
The digital reporting system (as one of the different reporting channels) is operated by a specialised company, EQS Group AG, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of GCP. The data transfer to EQS Group AG is based on Art. 28 EU-GDPR in connection with the data processing agreement concluded with this provider. We also use further data processors to assist us in the handling of reports. These data processors are bound by our instructions and act on our behalf. The data transfer to these providers is based on Art. 28 EU-GDPR in connection with the data processing agreement concluded with these providers. As part of the internal investigations and depending on which GCP group entity is affected by a reported incident, some of the data may be processed by said relevantly affected GCP group entity.
Purpose of the whistleblowing system
Our whistleblowing system serves as an early warning system to uncover and combat misconduct and non-compliance within the GCP group of companies. The whistleblowing system is set up in such a way as to enable individuals to reach out securely and confidentially by making reports regarding misconduct or violations of the compliance rules of the GCP group of companies and to enable GCP to receive, process and manage such reports with the help of a limited number of persons on a need-to-know basis. Individuals do not have to reveal their identity in order to submit a report but may choose to do so, depending on the reporting channel they choose. For example, a report via the digital reporting system can be made anonymously, while individuals may leave contact or other data via other reporting channels that may allow their identity to be revealed (e.g. in the case of a report by post or email).
Use of post as a reporting channel
You may submit a report via post addressed to “Group Compliance, Grand City Property Ltd - Zweigniederlassung Deutschland, Wittestraße 30, Haus F, 13509 Berlin, Germany”. In case of reporting via post, you may or may not choose to provide your contact details to allow for follow-up communication.
Use of email as a reporting channel
You may submit a report via email to compliance@grandcity.lu. In this case, we may contact you via email for follow-up communication.
Use of telephone as a reporting channel
You may submit a report via telephone by reaching out to +49 (0) 800 646 377 219. Your call will then be taken by the Group Compliance department in charge of handling and investigating reports.
Use of personal meeting as a reporting channel
You may make a report as part of a personal meeting by visiting the staff in charge of handling reports in Room 3.16, Wittestraße 30, Haus F, 13509 Berlin.
Use of the digital reporting system
The digital reporting system, which is accessible here via this site, has a number of functionalities that we will outline below.
Reporting
When you submit a report, the digital reporting system stores a cookie (which is a small text file) on your device to enable and maintain an SSL-encrypted connection between your computer and the digital reporting system. The cookie only processes a session ID and expires when you close your browsing session. Your IP address or other identifying information will not be stored as part of this.
Please note: While we will not use this information to identify you, if you are a staff member of one of the entities of the GCP group of companies and wish to access the digital reporting system, we recommend not doing so from our corporate internet network or company devices to eliminate any hypothetical risk of identification based on your device.
Mailbox
As part of its reporting component, the digital reporting system offers individuals who make a report the option to set up a secure mailbox within the system that is secured by an individually chosen user name and password. This mailbox allows the reporting individual to anonymously exchange further messages and information with the responsible staff to conduct their review and allows GCP to, among other aspects, provide the reporting individual with acknowledgement of receipt.
Attachments to the report
When submitting a report or exchanging messages through the mailbox, it is also possible to provide attachments (e.g. documents) to GCP. Please be aware that if you wish to submit an anonymous report, you should choose and include such attachments carefully. Files can contain hidden personal data that could compromise anonymity. In this case, we would suggest the following:
- Remove data revealing your identity before sending files.
- If you are unable to remove this data from the file or are unsure how to do so, copy the text of your attachment into your report text and redact it.
Type of the collected personal data
Use of the whistleblowing system and any of its reporting channels takes place on a voluntary basis.
If an individual submits a report via the whistleblowing system, we collect the following personal data and information, depending on the reporting channel that has been used:
- Information contained in reports, which – based on the choice of the individual making a report – may contain personal data such as names, employment-related information or other information relating to itself as well as other individuals mentioned in the report,
- in case the person making a report via the digital reporting system chooses to set up a mailbox within the digital reporting system, information for login purposes (user name, password),
- contact information of the person making a report (if provided), such as address, telephone number or email address which could reveal their identity,
- information exchanged in any follow-up communication, if applicable
- information from follow-up actions as part of an internal investigation (e.g. disciplinary measures), if applicable.
Legal basis for data processing
We process the aforementioned personal data based on our legitimate interests to introduce reporting channels that enable us to receive and investigate reports on potential criminal offenses, serious compliance violations and other cases of abuse within our company group (Article 6 (1) (1) (f) EU-GDPR). Additionally, some of the GCP group entities are subject to legal obligations to introduce a whistleblowing system. The legal basis for data processing is Art. 6 (1) (1) (c) EU-GDPR in connection with the relevant legal obligations under the applicable national law
Security
We take security precautions to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration or destruction. In this regard, we have implemented state-of-the-art technical and organizational security measures.
Report handling and data disclosure
Incoming reports are received by a small selection of expressly authorised and specially trained personnel that are bound by strict confidentiality obligations. These individuals will evaluate the matter and perform any further investigation required by the specific case.
During the processing of a report or the conducting of an investigation, it may become necessary to share information contained in reports with additional staff members of one or more of the entities of the GCP group of companies. As part of this, information revealing the identity of the reporting individual, where available, will not be revealed, unless this individual has explicitly consented to it.
In specific cases, we may process personal data where we have a legal obligation to participate in investigations and proceedings of public authorities, including court proceedings. As part of this, we may disclose your personal data to respective authorities and courts of law. The legal basis for such data processing is Art. 6 (1) (1) (c) EU-GDPR in connection with the relevant legal provisions. Where we do not have a legal obligation to this effect, we may also process and disclose your personal data to public authorities and courts of law to initiate legal proceedings for the protection of our rights and safety as well as those of our staff members and others. This may involve data transfers to external advisors, such as law firms. The legal basis for such processing is Art. 6 (1) (1) (f) EU-GDPR.
Third country data transfers
GCP, the majority of the entities in the GCP group as well as some of GCP ’s processors process personal data within the EU only. However, one of the group entities participating in the whistleblowing system is located in the UK, which is a so-called third country. As far as required as part of internal investigations involving the respective entity, some personal data may be transferred to the UK. Such transfer is subject to the conditions of Art. 44 et seq. EU-GDPR, in this case, the adequacy decision for the UK. Some of GCP’s processors may also process personal data in third countries. In this case, the data transfers are subject to EU standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) as well as additional security measures, where necessary.
Retention period of personal data
Personal data is retained for as long as necessary to clarify the situation and perform an evaluation of the report or for as long as a legitimate interest of GCP exists, or it is required by law. After the report processing is concluded, this data is deleted in accordance with the statutory requirements.
Data subject rights
Under the legislation applicable to you, you may be entitled to exercise some or all of the following rights:
- require access to and/or duplicates of your personal data retained;
- request proper rectification, erasure or restriction of your personal data, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn, or (iv) you have taken advantage of an existing right to object to the data processing; in case the personal data is processed by third parties, your request for rectification, erasure or restriction will be forwarded also to such third parties unless this proves impossible or involves disproportionate effort;
- object to the processing at any time - based on grounds relating to your particular situation – insofar as we process your personal data based on our legitimate interests; and/or
- take legal actions in relation to any potential breach of your rights regarding the processing of your personal data, as well as to lodge complaints before the competent data protection regulators.
Contact
Grand City Property Ltd - Zweigniederlassung Deutschland has designated a Data Protection Officer (DPO), which you may reach at datenschutzbeauftragter@grandcityproperty.de or via post at
Personal/Confidential
Dataprotection Officer
Grand City Property Ltd. Zweigniederlassung Deutschland,
Wittestraße 30, Haus F
13509 Berlin
The company can only guarantee the direct accessibility of the DPO and the anonymity of the request if the requestor notes the letter accordingly.
Miscellaneous
We reserve the right to change this privacy policy from time to time in accordance with applicable data protection law. Please regularly check for updates on this page. This privacy policy was last updated on 05.09.2022.