DATA PRIVACY

Name and address of the company

The controller within the meaning of the General Data Protection Regulation (hereinafter “GDPR”) and other national data protection laws of the member states, as well as other data protection regulations, is:

FORUM Invest S.à r.l., registered in the Registre de Commerce et des Sociétés under registration number B181062
Managing Directors: Frédéric Meyer | Francesco Abbruzzese

37a Avenue J.F. Kennedy
1855 Luxembourg
Phone: +49 (0) 304 220 699 0
Email: info@eastsidemall.de

General Information

Scope and Permission for the Processing of Personal Data

We generally collect and use our users’ personal data only to the extent necessary to ensure the functionality of our website as well as our content and services. The collection and use of our users’ personal data generally takes place only with the user’s consent.
An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.
The legal basis for processing personal data where consent has been obtained from the data subject is Article 6(1)(a) of the GDPR. The legal basis for the processing of personal data necessary for the performance of a contract or for the implementation of pre-contractual measures is Art. 6(1)(b) GDPR. When processing personal data to fulfill a legal obligation, the legal basis is Art. 6(1)(c) of the GDPR. In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party, and these interests outweigh the interests of the data subject while taking into account the fundamental rights and freedoms of the data subject, Article 6(1)(f) of the GDPR serves as the legal basis for the processing of the data.

Data Erasure and Retention Period

The data subject’s personal data will be deleted or blocked as soon as the purpose for which it was stored no longer applies. Data may also be stored if this is required by a legal provision governing the processing of the data. In this case, the data will be blocked or erased when the legally prescribed retention period expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

Data Processing Through Use of Our Website

Visiting our website

When you access our website, the browser on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted: IP address of the requesting computer, date and time of access, name and URL of the file accessed, website from which access is made (referrer URL), browser used, and, if applicable, your computer’s operating system as well as the name of your internet service provider.
We process the aforementioned data for the purposes of ensuring a smooth connection to the website, ensuring a comfortable user experience on our website, evaluating system security and stability, and for other administrative purposes.
The legal basis for data processing is Art. 6(1)(f) GDPR. Our legitimate interest arises from the purposes listed above for data collection. Under no circumstances do we use the collected data for the purpose of drawing conclusions about your identity.

Disclosure of Data

Your personal data will not be transferred to third parties for purposes other than those listed below. We will only disclose your personal data to third parties if you have given your explicit consent pursuant to Art. 6(1)(a) GDPR; if the disclosure is necessary pursuant to Art. 6(1)(f) GDPR for the assertion, exercise, or defense of legal claims, and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data; in the event that there is a legal obligation for the disclosure pursuant to Article 6(1)(c) of the GDPR; and where this is legally permissible and necessary under Article 6(1)(b) of the GDPR for the performance of contractual relationships with you.

Use of Cookies and Consent Management

We use cookies and similar technologies on our website to ensure the technical functionality of the website, improve user-friendliness, conduct statistical analyses, and—provided you consent—enable marketing activities.

Cookies are small text files that are stored on your device and contain specific information. They enable, for example, the recognition of your browser, the storage of settings, or the analysis of how our website is used.

When you visit our website for the first time, our cookie banner will inform you about the use of cookies. You can decide which categories of cookies you wish to allow. You may change or withdraw your consent at any time with future effect.

We use the following categories of cookies:

Essential Cookies

These cookies are technically necessary to provide the website and its basic functions. Without these cookies, the website cannot operate properly.

The storage of information on your device is based on Section 25(2)(2) of the TDDDG. To the extent that personal data is processed in this context, the processing is based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in the secure, stable, and technically error-free provision of our online services.

Functional Cookies

Functional cookies enable advanced features and a more convenient use of the website, such as the storage of user settings or language preferences.

Processing is carried out exclusively on the basis of your consent in accordance with Section 25(1) of the TDDDG and Article 6(1)(a) of the GDPR.

Statistical Cookies

Statistical cookies help us analyze the use of our website and continuously improve our services. The information collected is processed pseudonymously whenever possible.

Processing is carried out exclusively on the basis of your consent in accordance with Section 25(1) TDDDG and Article 6(1)(a) GDPR.

Marketing Cookies

Marketing cookies are used to display relevant content and interest-based advertising to users, to measure the success of advertising measures, and to optimize marketing campaigns.

Processing is carried out exclusively on the basis of your consent in accordance with Section 25(1) of the TDDDG and Article 6(1)(a) of the GDPR.

Management and Withdrawal of Your Consent

You can change your cookie settings at any time via the cookie banner provided on our website or revoke any consent you have given with future effect. The lawfulness of the processing carried out up to the time of revocation remains unaffected by this.

Recipients and Third-Party Providers

Depending on the consent you have provided, cookies and similar technologies may be used by us or by third-party providers. These may include, in particular, providers in the fields of web analytics, map and location services, video embedding, social media services, or online marketing.

To the extent that personal data is processed in this context, the respective service providers are granted access to the information necessary for this purpose. Further information on the specific third-party providers used can be found in the respective sections of this Privacy Policy.

Storage Period

The retention period for cookies depends on their respective purpose and may vary. Session-based cookies are typically deleted after you end your visit. Persistent cookies remain on your device until they expire automatically or are deleted by you.

Unless different timeframes are specified in the descriptions of the individual services, storage occurs only for the period necessary for the respective processing purpose.

Transfers to third countries

To the extent that personal data is transferred via individual services to recipients outside the European Union or the European Economic Area, this is done exclusively in compliance with the legal requirements of Art. 44 et seq. of the GDPR. In the absence of an adequacy decision, appropriate safeguards, in particular the Standard Contractual Clauses adopted by the European Commission, are used.

Third-Party Services

We have integrated content, services, and features from other providers on the website. These include, for example, maps provided by Google Maps, as well as graphics and images from other websites. In order for this data to be accessed and displayed in the user’s browser, the transmission of the IP address is absolutely necessary. The providers (hereinafter referred to as “third-party providers”) therefore receive the IP address of the respective user.
Although we strive to use only third-party providers who require the IP address solely to deliver content, we have no control over whether the IP address may be stored. In such cases, this process serves, among other things, statistical purposes. If we are aware that the IP address is being stored, we will inform our users of this.

Use of Google Maps

We use the “Google Maps” component from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter “Google,” on our site.
Each time the “Google Maps” component is accessed, Google sets a cookie to process user settings and data when the page on which the “Google Maps” component is integrated is displayed. This cookie is generally not deleted when you close your browser but expires after a certain period of time, unless you delete it manually beforehand.
If you do not consent to this processing of your data, you have the option to disable the “Google Maps” service and thereby prevent the transmission of data to Google. To do this, you must disable the JavaScript function in your browser. However, please note that in this case, you will not be able to use “Google Maps” at all or only to a limited extent.
The use of “Google Maps” and the information obtained via “Google Maps” is subject to Google’s Terms of Service http://www.google.de/intl/de/policies/terms/regional.html as well as the additional terms and conditions for “Google Maps” https://www.google.com/intl/de_de/help/terms_maps.html.

Use of Google Analytics

We use the web analytics service Google Analytics on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. To the extent that data is transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, processing may also take place in the USA.
Google Analytics uses technologies that enable an analysis of the use of our website. In particular, information about the device you are using, your browser, the pages accessed, the date and time of access, interactions with the website, as well as usage and event data may be processed. This processing is carried out to statistically evaluate the use of our website, improve our offerings, and measure the appeal of our content.
According to Google, Google Analytics 4 does not store IP addresses. According to Google, IP addresses of users from the EU are discarded via EU domains and servers before logging. Nevertheless, the processing of personal or personally identifiable usage data cannot be ruled out.
The use of Google Analytics is based exclusively on your consent. The legal basis for accessing information on your device is Section 25(1) of the TDDDG. The legal basis for the subsequent processing of personal data is Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect via the cookie settings on our website.
Google processes the data on our behalf. To this end, we have entered into the data processing agreement provided by Google. To the extent that data is transferred to the U.S., this is done, according to Google, on the basis of Google LLC’s certification under the EU-U.S. Data Privacy Framework.
The retention period for user- and event-related data stored in Google Analytics is 2 months. After this period expires, the data is automatically deleted.
Further information on data processing by Google can be found in Google’s privacy policy as well as in the information on Google Analytics.

Use of an AI-powered assistant

We use an AI-powered chat assistant on this website. It is designed to automatically answer your questions regarding general information about the EAST SIDE MALL (e.g., opening hours, shops, services, directions, events).

Provider and Data Processing

The AI service is technically provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The “Gemini 2.5 Flash” model is used, which is accessed via Google’s Gemini API. A data processing agreement exists with Google in accordance with Art. 28 GDPR based on the “Google Cloud Data Processing Addendum” (CDPA, as of November 8, 2023, available at https://cloud.google.com/terms/data-processing-addendum). The cloud project used is configured as a paid service.

Processed Data

When using the chat assistant, the following data is processed:
the content of your inputs (prompts) and the AI responses
a technical session ID
your IP address and user agent identifier (browser identification)
technical usage data (AI model used, token consumption, timestamps)
Please do not enter any personal or confidential information in the chat. The assistant does not actively request such information and is not intended to handle individual, personal matters.

Retention Period

The content of your inquiries and the corresponding AI responses are stored in our system for a maximum of 90 days, along with your IP address, session ID, and user agent. After this period expires, these personal data fields are automatically anonymized (by overwriting them with zero values). Only anonymous, aggregated usage and statistical data (model, token, timestamp) remain for a maximum of 24 months for the analysis of usage trends and cost control. After that, these data records are also completely deleted.

Transfer to the U.S.

Your requests are processed on Google servers in the U.S. The transfer is based on EU Standard Contractual Clauses (SCCs) in the version of Implementing Decision (EU) 2021/914 of the European Commission, which form part of the aforementioned CDPA (Appendix 3, Section 4.1 “Restricted Transfers”) and constitute “appropriate safeguards” within the meaning of Art. 46(2)(c) GDPR.

No Training of AI Models

Since we use the service as a paid service, the content processed in the context of our requests (prompts and responses) is not used by Google for training or improving the AI models. This assurance is based on the “Gemini API Additional Terms of Service” (https://ai.google.dev/gemini-api/terms).

Legal basis

The legal basis for the use of the chat assistant is Article 6(1)(f) of the GDPR. Our legitimate interest lies in providing you with a modern, accessible information service and improving our services. Upon consideration, it appears that no overriding interests on your part stand in the way, as no personal data is used for profiling and you use the assistant voluntarily.

Data Protection in Job Applications and the Application Process

We collect and process the personal data of applicants for the purpose of conducting the application process. Processing may also take place electronically. This is particularly the case when an applicant submits the relevant application documents to us electronically, for example via email or through a web form on the website. If we enter into an employment contract with an applicant, the transmitted data will be stored for the purpose of managing the employment relationship in compliance with legal regulations. If we do not conclude an employment contract with the applicant, the application documents will be automatically deleted two months after notification of the rejection decision, provided that no other legitimate interests on our part preclude such deletion. Other legitimate interests in this context include, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Rights of the Data Subject

You have the right:
(1) pursuant to Art. 15 GDPR to request information about your personal data processed by us. In particular, you may request information regarding the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing, or objection; the existence of a right to lodge a complaint; the origin of your data, if it was not collected by us; as well as information regarding the existence of automated decision-making, including profiling, and, where applicable, meaningful information regarding its details;
(2) pursuant to Art. 16 GDPR, to request the immediate rectification of inaccurate personal data or the completion of your personal data stored by us;
(3) pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless processing is necessary for the exercise of the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims;
(4) pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data, provided that you contest the accuracy of the data, the processing is unlawful but you oppose its erasure, and we no longer need the data, but you need it to assert, exercise, or defend legal claims, or you have objected to the processing pursuant to Article 21 of the GDPR;
(5) pursuant to Art. 20 GDPR, to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller;
(6) pursuant to Art. 7(3) GDPR, to withdraw your consent at any time; as a result, we may no longer continue the data processing that was based on this consent in the future; and
(7) to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR. As a rule, you may contact the supervisory authority of your usual place of residence or workplace or of our firm’s registered office for this purpose.

Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the option, in connection with the use of information society services—notwithstanding Directive 2002/58/EC—to exercise your right to object by means of automated procedures that use technical specifications.

Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller,
(2) is authorized by Union or Member State law to which the controller is subject, and that law provides for appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9(1) of the GDPR, unless Art. 9(2)(a) or (g) applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.
With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to present your point of view, and to contest the decision.
As a responsible company, we do not engage in automated decision-making or profiling.

Data Security

During your visit to the website, we use the widely adopted SSL (Secure Sockets Layer) protocol in conjunction with the highest encryption level supported by your browser. This is typically 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether a specific page of our website is being transmitted securely by the closed key or lock icon in the status bar at the bottom of your browser.
We also employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

Updates and Changes to This Privacy Policy

This Privacy Policy is currently valid and is dated October 2020.
Due to the further development of our website and the services offered through it, or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. You can access and print the current version of the Privacy Policy at any time via this link.

Data Protection Officer

Gerd-Jürgen Golze
Kirchstr. 11
10557 Berlin

+49(0)30 91 43 66 11
datenschutz@eastsidemall.de