Imprint & Data Protection

This website is hosted by Grand City Properties S.A.

Principal office:

Grand City Properties S.A.
37, Boulevard Joseph II,
L-1840 Luxembourg

Trade register:

Registre de Commerce et des Sociétés de Luxembourg, section B, number 165.560

Board of Directors:

Christian Windfuhr, Simone Runge-Brandner, Markus Leininger, Scot Wardlaw, Monica Porfilio

Questions or feeback?

Phone: +352 28 77 87 86

Privacy Policy

Grand City Properties S.A. takes the protection of your personal data very seriously. We treat your personal data confidentially and according to the legal data protection regulations and this Data Privacy Policy.

Data is considered personal if it relates to an identified or identifiable natural person. This includes, for example, your name, your address and your IP address. The provisions below serve to provide information as to the manner, extent and purpose for collecting, using and processing personal data.

Please be aware that data transfer via the internet (e.g. e-mail communication) is subject to security risks and, therefore, complete protection against unauthorised third-party access to transferred data cannot be ensured.

1. Cookies

On our website we make use of so-called cookies in order to recognize repeat use of our website by the same user/internet connection subscriber. This recognition occurs through an IP address saved to the cookies. Cookies are small text files that your internet browser downloads and stores on your computer. They do not cause damages to your computer and do not contain viruses. Cookies allow us to make our offer more user-friendly, more efficient and more secure.

You can adjust your browser that way in order to be informed when cookies are placed, to individually allow cookies or to exclude cookies in certain cases or generally as well as to activate the automatic deletion of cookies when closing the browser. You should be aware, however, that by deactivating cookies you may not be able to make full use of all the functions of our website.

2. Server Data

For technical reasons, data such as the following, which your internet browser transmits to us or to our web space provider (so called server log files), is collect

  • Type and version of the browser you use,
  • Operating system,
  • Websites that linked you to our site (referrer URL),
  • Websites that you visit,
  • Date and time of your visit, and
  • Your Internet Protocol (IP) address.

This anonymous data is stored separately from any personal information you may have provided, thereby making it impossible to connect it to any particular person. The data is used for statistical purposes in order to improve our website and services.

The legal basis for the processing of personal data is Article 6 (1) (1) (b) GDPR, provided the data processing is necessary for the provision of our offer. The additional data processing is based on Article 6 (1) (1) (f) GDPR. We have a legitimate interest in ensuring the security and effective use of our website. We assume that the problem-free use of the website is in your interest as well. The automatically collected personal data will be stored temporarily and will be deleted upon request

3. Contacting Us

On our website we offer you the opportunity to contact us, either by email and/or by using a contact form. If you send enquiries to us via the contact form, your data entered into the contact form, including the stated contact data, are stored for the purpose of dealing with your current enquiry and in case of future enquiries. Those data will not be passed on to third parties without your permission. The legal basis for the processing is Article 6 (1) (1) (b) GDPR. Where the contact does not relate to the performance of a contract the legal basis is Article 6 (1) (1) (f) GDPR. We have a legitimate interest in providing optimized. The personal data will be stored for later enquiries. For the contacting e-mail we are using a Contact Manager offered EQS-Group AG, Karlstraße 47, Munich, Germany. The legal basis for the data transfer is Art. 28 GDPR in connection with the data processing agreement.

4. Emailing and sending SMS via SendGrid

We use SendGrid, a service from Twilio Inc. 1801 California Street, Suite 500, Denver, Colorado 80202, USA, to send emails and SMS. We use the service to send SMS with one-time passwords for the tenant portal and to send SMS with links for digital forms. This service does support us with sending e-mails as well. We receive analysis reports of sent e-mails and SMS. These reports provide an overview of the delivery and details about the email and SMS performance. The statistics contain for example information as to whether recipients have received and opened emails and which links the recipients clicked within an email. We also receive feedback on which browser and mailbox provider our recipients use. The reports are only provided in aggregate form. We have no way of assigning the analysis to individual recipients.

The legal basis for data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. We have a legitimate interest in evaluating our e-mail and SMS sending in order to constantly improve the effectiveness of this means of communication.

Twilio Inc. acts as a processor. Data access is therefore privileged according to Art. 28 GDPR. We have a data processing contract with Twilio. The transfer of data to Twilio in the USA is secured by the conclusion of standard contractual clauses.

5. Collection/Entry of Personal Data

In accordance with the applicable laws Grand City Properties S.A. only retains your data as long as they serve a legitimate business purpose. We always comply with data protection regulations as far as the collection, use and processing of data is concerned. The data provided by you are only used by Grand City Properties S.A. in order to offer you the services shown on our website (e.g. Corporate News, Financial Reports, and Portfolio Updates). The data provided to access our restricted areas will be stored for as long as the services provided are available. We do not share this data with third parties without your consent. This data will be deleted upon request. The legal basis for the processing is Article 6 (1) (1) (b) GDPR.

6. Whistleblowing system of the Grand City Properties S.A group of companies

The Grand City Properties S.A. group of companies has implemented a whistleblowing system that enables employees, business partners and service providers to submit reports on relevant compliance violations via different reporting channels, including the possibility to submit these reports anonymously, if you wish to do so. You may find information about the different reporting channels on our website. We offer reporting via post, email, telephone, personal meetings as well as a digital reporting system. You may access the aforementioned digital reporting system here: Under this hyperlink, you will also find more detailed information on the functioning of this system, security measures and data protection in connection with the digital reporting system.

We may process personal data contained in reports from the whistleblowing system as well as any follow-up communication relating to the reported incident, including on potential witnesses and any accused persons, as part of our investigations and potential subsequent measures (e.g. disciplinary measures). If a potential whistleblower reaches out via post, telephone, email or personal meeting, they may voluntarily provide information on their contact details (such as address, telephone, email) for follow-up communication which could reveal their identity. The selected individuals handling the communication and investigations receive regular training on confidentiality and data protection and are bound to confidentiality. As part of the investigation and, depending on which Aroundtown group entity is affected by the incident, some data may be processed by said relevantly affected Aroundtown group entity.

We process this personal data based on our legitimate interests (Art. 6 (1) (1) f GDPR) to have reporting channels that enable us to receive and investigate reports on potential criminal offenses, serious compliance violations and other cases of abuse throughout Grand City Properties S.A. Additionally, some of the Grand City Properties S.A group entities may be, or may in the future be, subject to legal obligations to introduce a respective whistleblowing system. If this is or will be the case, the legal basis for data processing is Art. 6 (1) (1) c GDPR in connection with the relevant legal obligations under the applicable national law.

7. Transfer Control

Your data stay with us. We only disclose the data to third parties outside the Grand City Properties S.A. or enable third parties to use them as stated in this policy. We do not disclose your personal data to third parties for promotional purposes. Please note that with a transmission (in unencrypted form) through third-party networks - e.g. if you use Internet services or send emails - the risk of (unauthorised) access by third parties cannot be entirely excluded. As a matter of course, we do our best to effectively protect our clients and users of Grand City Properties S.A. as well as the joint communication against unauthorised access at any time according to the current and recommended high security standards.

8. Enforcement of our Data Privacy Policy vis-à-vis Third Parties

As far as Grand City Properties S.A. draws on third party services required for the fulfilment of the contract, these third parties are bound to adhere to the same level of data protection standards as applied by Grand City Properties S.A..

9. Subscription Data for mailing list

We offer you the opportunity to sign up for our website. If you want to make us of this “Subscribe”-function, we need your email-address, your name, surname, and further information. When signing up for our website, we also store your IP address and the date and time you registered. The data entered for this purpose will only be used for the purpose of use of the respective offer or service for which you have registered. The mailings also contain a so-called web beacon (invisible graphics) which is retrieved from the EQS server when the newsletter is opened. During this retrieval, technical information is collected first, such as information about the browser and your system, as well as your IP address and time of the retrieval. This information is used to improve the technical performance of services based on the technical data or target audience and their reading behaviour based on their retrieval locations (which can be determined using the IP address) or access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be associated with the individual newsletter recipients. However, it is neither our aim nor the aim of EQS to monitor individual users. Instead, the evaluations serve to identify the reading habits of our users and to adapt our content accordingly or to send different content according to the interests of our users.

The legal basis for this processing is Article 6 (1) (1) (a) GDPR as well as Section 7 (2) no. 3 and (3) of the German of the Federal Act against Unfair Competition (UWG). Further, the processing is based on Art. 6 (1) (1) (f) GDPR. We have a legitimate interests to obtain the statistical surveys and analyses as well as the logging of the registration procedure. Our interest is directed towards the provision of a user-friendly and secure newsletter system that both serves our business interests and is in line with the expectations of our users.

The service is carried out using the so-called "double opt-in" procedure. You will receive an email with a link confirming that you are the owner of the email address and you want to be notified by our email service. If your subscription is not confirmed within 96 hours of requesting the confirmation email, your provided personal information will not be processed, but automatically deleted.

The mailings are distributed via EQS-Group AG, Karlstraße 47, Munich, Germany. They receive data only as far as necessary to distribute the mailings. The legal basis for the transfer is Art. 28 GDPR in connection with the data processing agreement. Besides, none of this information is transferred to other third parties. Nor is any of this information matched to any information that may be collected by other components of our website.

We will store your email address as long as you subscribe to our newsletter. You have the right to withdraw the granted consent to store the contact details and the email-address at any time by clicking on the link included in each mail or by sending a message to the above contact options.

10. Social Plugins

We use various social plugins on our website to improve the use of the website for you. The Plugins enable the providers to communicate with you and collect information about your visit to our website.

In order to enhance the protection of your data when visiting our website, the Plugins for Facebook, Xing and LinkedIn are integrated into the website via a so-called "2-click solution." This integration ensures that when you visit a page of our website that contains such Plugins, no connection is established with the servers of Facebook, Xing and LinkedIn. Only when you activate the Plugins and thus give your consent to the data transfer does your browser establish a direct connection to the servers of Xing, Facebook or LinkedIn. The content of the respective Plugin is then transmitted directly from the Provider to your browser and integrated into the page. If you are already logged in to one of the social networks, the transmission for Facebook is carried out without another window.

10.1 Facebook

Our offer uses social plugins ("Plugins") of the social network, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). The Plugins are marked with a white "f" on a tile. The list and appearance of the Facebook Social Plugin can be viewed here:

If you activate the Facebook Plugin, the content of the Plugin will be sent directly from Facebook to your browser and integrated into the website. The Provider therefore has no influence on the amount of data that Facebook collects with the help of this Plugin and therefore informs users according to its level of knowledge:

By integrating the Plugins, Facebook receives the information that a user has accessed the corresponding page of the offer. If the user is logged in to Facebook, Facebook can associate the visit with their Facebook account. If users interact with the Plugins, for example, by pressing the Like button or leaving a comment, the corresponding information is transmitted from your browser directly to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will find out and save their IP address. According to Facebook, only an anonymized IP address is stored in Germany.

The data processing takes place on the basis of your consent (Article 6 (1) (1) (a) GDPR). In addition, the use takes place in the interest of an attractive presentation and simplification of the use of our online offerings. This constitutes a legitimate interest within the meaning of Article 6 (1) (1) (f) GDPR.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and setting options for protecting the privacy of users, can be found in Facebook's privacy policy:

If a user is a Facebook member and does not want Facebook to collect data about them via this offer and associate it with their member data stored on Facebook, they must log out of Facebook before visiting the website.

10.2 XING

We use components of the network on our website. These components are a service of XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany. This includes Plugins of the kununu service offered by XING AG. Each time you visit our website which has such a component, this component causes the browser you are using to download a corresponding representation of the component from XING.

The data processing takes place on the basis of your consent (Article 6 (1) (1) (a) GDPR). In addition, the use of XING takes place in the interest of an attractive presentation and simplification of the use of our online offerings. This constitutes a legitimate interest within the meaning of Article 6 (1) (1) (f) GDPR.

To the best of our knowledge, XING does not store any personal data of the user on the visit to our website. Likewise, XING does not store IP addresses. There is also no evaluation of the usage behavior via the use of cookies in connection with the "XING Share Button." For more information, see the privacy policy for the XING Share Button at:

10.3 LinkedIn

We use components of the LinkedIn network on our website. LinkedIn is a service of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time you visit our website which has such a component, this component causes the browser you are using to download a corresponding representation of the component from LinkedIn.

Through this process, LinkedIn is informed of which specific page of our website is currently being visited. If you click the LinkedIn "Recommend Button" while logged in to your LinkedIn account, you can link the contents of our pages to your LinkedIn profile. As a result, LinkedIn is able to associate your visit to our pages with your LinkedIn user account. The data processing takes place on the basis of your consent (Article 6 (1) (1) (a) GDPR). In addition, the use of LinkedIn takes place in the interest of an attractive presentation and simplification of the use of our online offerings. This constitutes a legitimate interest within the meaning of Article 6 (1) (1) (f) GDPR.

We have no control over the data that LinkedIn collects or the extent of the data collected by LinkedIn. We also have no knowledge of the content of the data transmitted to LinkedIn. For details about LinkedIn's data collection as well as your rights and settings options, see the LinkedIn Privacy Policy. This policy can be found at

11. Data protection rights

You have the following data protection rights, depending on the circumstances of the specific case:

11.1 Information

You have the right to request information about and access to your personal data and/or copies of such data. This includes information on the purpose of the use, the category of data used, its recipients and parties entitled to access it and, if possible, the planned period for which the data will be stored or, if that is not possible, the criteria used to determine that periods.

11.2 Refusal or revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You may refuse consent or revoke your previously granted consent at any time. An informal communication to us via email is sufficient for this purpose. The legality of the data processing carried out until the revocation shall remain unaffected by the revocation.

11.3 Right to lodge a complaint with the competent supervisory authority

If you believe that your rights have been violated as a result of your personal data being processed in a manner that is not in compliance with data protection laws, you have a right to lodge a complaint with the competent supervisory authority.

11.4 Right to data portability

You have the right to have the data that you have provided to us submitted to you or to a third party in a standard, machine-readable format. If you require the direct transfer of data to another controller, this will be done to the extent technically feasible.

11.5 Automated decision-making including profiling

You have the right not to be subjected to a decision based solely on automated processing that will have a legally binding effect on you or a significant adverse effect on you in a similar manner.

11.6 Blocking, deletion

You have a right to the rectification, blocking or deletion of your personal data, to the extent the use thereof is inadmissible under data protection law. This is the case in particular if (i) the data is incomplete or incorrect, (ii) it is no longer necessary for the purposes for which it was collected, (iii) the consent on which the processing was based has been revoked or (iv) you have successfully exercised your right to object to the data processing. In cases where the data is processed by third parties, we will forward your requests for rectification, deletion or restriction of processing to these third parties, unless this proves impossible or is associated with disproportionate efforts.

11.7 Right to object

You have the right to object to the processing if we process your data for direct marketing purposes or if we process your data for the purpose of pursuing our legitimate interests and there are reasons arising from your particular situation.

12. Miscellaneous

We reserve the right to change this Privacy Policy at any time in accordance with the data protection regulations.

For questions, suggestions and comments on the topic of data protection, please feel free to contact our data protection officer under 

Consent to the use of cookies.

For our website to function properly we use cookies. To obtain your valid consent for the use and storage of cookies in the browser you use to access our website and to properly document this we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands. Website: referred to as CookieFirst.

When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned.

CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is article 6(1)(c) of the General Data Protection Regulation (GDPR).

Data processing agreement

We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.

Server log files

Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected:

  • Your consent status or the withdrawal of consent
  • Your anonymised IP address
  • Information about your Browser
  • Information about your Device
  • The date and time you have visited our website
  • The webpage url where you saved or updated your consent preferences
  • The approximate location of the user that saved their consent preference
  • A universally unique identifier (UUID) of the website visitor that clicked the cookie banner