Category(ies) of personal data
Privacy policy
1. Purpose and scope of the document
The purpose of this document is to inform you about how we collect and process your personal data.
We form a group of companies (hereinafter referred to as “INOWAI”, “the Group”, “we”) which includes the following entities:
- INOWAI Group S.A., a public limited company under Luxembourg law, established and headquartered at 52, route d’Esch, L-1470 Luxembourg, registered with the Luxembourg Trade and Companies Register (“R.C.S. Luxembourg”), section B under number 118752.
- INOWAI S.A., a public limited company under Luxembourg law, established and headquartered at 52, route d’Esch, L-1470 Luxembourg, registered with R.C.S. Luxembourg, section B under number 72368.
- INOWAI Residential S.A., a public limited company under Luxembourg law, established and headquartered at 52, route d’Esch, L-1470 Luxembourg, registered with R.C.S. Luxembourg, section B under number 154071.
- Cocoonut, a limited liability company under Luxembourg law, established and headquartered at 52, route d’Esch, L-1470 Luxembourg, registered with R.C.S. Luxembourg, section B under number 242432.
- byld S.à r.l., a limited liability company under Luxembourg law, established and headquartered at 52, route d’Esch, L-1470 Luxembourg, registered with R.C.S. Luxembourg, section B under number 274506.
We determine how your personal data is collected and the purposes for which it is used as the “data controller” for the purposes arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).
When certain provisions of this information notice apply only to specific companies within the Group, these companies will be clearly identified in the relevant sections of the notice. In such cases, the terms “we”, “our”, or “us” will refer only to the specific companies concerned. These companies should then be considered as the sole “data controllers” for the personal data processing activities in question. If none of the Group’s companies is specified, the provisions apply to all companies in the Group, and each of them should be considered an independent data controller for their own activities.
We may share your personal data among the different companies in the Group to provide consistent and quality services, as well as for internal administrative purposes. When this occurs, we ensure that appropriate security measures are in place to protect these data and ensure their confidentiality. These measures may include confidentiality agreements, data security protocols, and strict internal controls.
For the purposes of this information notice, the terms “you” and “your” refer collectively or individually to:
- Tenants/applicants for rental properties managed by one of the Group’s companies.
- Clients of the Group (owners, prospective buyers, landlords).
- Consultants, service providers, or employees of a service provider of the Group.
- Participants in events organized by one of the Group’s companies.
- Job applicants at one of the Group’s companies.
- Directors and shareholders of the Group’s companies.
- Users of our website and social media.
2. Data protection officer
INOWAI Group has appointed Sophie LAURENT as the Group’s Data Protection Officer (DPO). You can contact our DPO at the following address: gdpr@INOWAI.com.
3. Personal data processed
The personal data mentioned in this information notice is processed for various purposes by the Group.
We always process your personal data for a specific purpose and only process the personal data that is relevant to achieving that purpose. We most often collect these data directly from you; however, we may sometimes obtain personal data about you from third parties (for example, from the supplier of goods or services for whom you work as an employee).
We have structured the remainder of our information notice to address the specific needs of different categories of individuals concerned by our activities. Below are sections dedicated to each group.
a. If you are a tenant/applicant for rental properties managed by one of the Group’s companies
| Purpose of processing | Tenant search
Accounting obligations and obligations imposed by anti-money laundering and counter-terrorism financing regulations Identification and verification of tenant applicants Regulatory compliance for real estate properties Operational management of real estate projects Property visits, inventory reports, and lease agreements Property management (including contract management, communication, and handling tenant requests), use of the property management platform Legal disputes Internal accounting Management of third-party rights under GDPR |
| Legal basis for processing | Execution of a contract
Legal obligation Legitimate interests of the Group (tenant search, commercial activity and prospecting, management of disputes between tenants and property owners, customer service, protection of assets, reputation, and the rights of the Group’s companies) |
| Categories of personal data | Identification data
Contact data Economic and financial data Personal life data Professional life data Location data Contractual documents Biometric data (unique identification) Data related to criminal convictions or offenses National unique identification number (registration number) |
| Recipients | Public authorities (tax, municipal)
Banks, notaries, property managers, insurance companies, and contractors Landlord Credit and insurance brokers Financial Intelligence Unit/Police Regulatory bodies UK Business Register (Companies House, UK) Authorities responsible for various permits Participants in general meetings of property management associations LBC/FT research platforms Software and IT solution providers Survey organizations Digital transaction management entities Marketing tool providers Law firms In certain cases, recipients of client transfers |
| Type of collection | Direct
Indirect (source: professional information tool Factiva – Dow Jones & Company) |
| Data transfer to third countries or international organizations | Yes, to the United Kingdom, covered by an adequacy decision from the European Commission, and to the United States (organizations participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
| Data retention period | Data are mostly deleted 10 years after invoicing, accounting recording, or the end of the tenancy, except:
|
| Requirement to provide data | Yes |
| Consequences of failure to provide data |
|
| Automated decision-making (including profiling) | No |
For the processing activities mentioned above related to property management (contract management with tenants, communication with tenants, and handling tenant requests, use of the property management platform), the data controller for your data is Cocoonut.
For operational management of real estate projects and regulatory compliance, your data is processed by INOWAI S.A. and byld S.à.r.l. as independent data controllers.
b. If you are an INOWAI client (owners, prospective buyers, landlords)
| Purpose of processing | Search for tenants and property buyers/sellers
Distribution of rental and sale offers for properties Property valuation Regulatory compliance for properties Operational management of real estate projects Property visits, inventory reports, and lease agreements Accounting obligations Coordination with Lalux Group S.A. insurance company Management of an auction system Legal disputes Management of third-party rights under GDPR |
| Legal basis | Execution of a contract
Legal obligation Legitimate interests (commercial activity and prospecting, management of disputes between tenants and property owners, customer service, protection of assets, reputation, and the rights of the Group’s companies) |
| Categories of personal data | Identification data
Contact data Economic and financial data Personal life data Professional life data Contractual documents Location data National unique identification number (registration number) |
| Recipients | Public authorities (tax, municipal)
Banks, notaries, property managers, insurance companies, and contractors Financial Intelligence Unit/Police Participants in general meetings and co-ownership meetings Service providers (construction trades based on issues in co-owned properties) Real estate valuation offices Credit and insurance brokers Regulatory bodies UK Business Register (Companies House, UK) Authorities responsible for various permits Auction platform LBC/FT research platforms Software and IT solution providers Survey organizations Digital transaction management entities Other real estate companies Marketing tool providers Law firms In certain cases, recipients of client transfers |
| Type of collection | Direct
Indirect (source: professional information tool Factiva – Dow Jones & Company) |
| Data transfer to third countries or international organizations | Yes, to the United Kingdom, covered by an adequacy decision issued by the European Commission regarding data protection, and to the United States (organizations participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
| Data retention period | Data are generally deleted 10 years after the end of the business relationship (mandate, rental, business introduction to the insurance company), except:
In case of legal disputes or potential disputes, data may be retained until the statute of limitations for civil or criminal actions (up to 30 years for civil disputes). If requested by the data subject, data will be retained for up to 3 years after the closure of the request. |
| Requirement to provide data | Yes |
| Consequences of failure to provide data | Inability to implement and execute the real estate transaction, rental contract, or property management contract. |
| Automated decision-making (including profiling) | No |
For the processing activities mentioned above related to property management (management of the contractual relationship with tenants, communication with tenants, and handling their requests, use of the property management platform), the data controller for your data is Cocoonut.
For the operational management of real estate projects and regulatory compliance of properties, your data is processed by INOWAI S.A. and Byld S.à.R.L. as independent data controllers.
c. If you are a consultant, service provider, or an employee of a service provider
|
|
Management and administration of consultants, suppliers, and service providers (selection, contact, payment)
Accounting obligations Property Management (carrying out work, building maintenance) Legal disputes Management of third-party rights under GDPR |
| Legal basis for processing | Execution of a contract
Legal obligation Legitimate interests of the Group (processing contact data of supplier employees, supplier selection, protection of assets, reputation, and the rights of the Group’s companies) |
|
|
Identification data
Contact data Economic and financial data |
|
Recipient(s) of personal data |
Internal use
Tax authorities Banks Luxembourg Business Register (Registre du Commerce et des Sociétés, Luxembourg) LBC/FT platform Law firms |
|
Type of collection |
Direct
Indirect (Source: Internet, Dow Jones & Company Inc.) |
|
Transfer to a third country or international organization |
Yes, to the United Kingdom, covered by an adequacy decision from the European Commission, and to the United States (organizations participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
|
Data retention period |
Data are generally deleted 10 years after the end of the business relationship, or possibly 10 years after the end of the fiscal year if related to an accounting entry for the service.
In case of legal disputes or potential disputes, data may be retained until the statute of limitations for civil or criminal actions (up to 30 years for civil disputes). If requested by the data subject, data will be retained for up to 3 years after the closure of the request. |
|
Is the provision of data a condition for the contract? |
Yes |
|
What are the consequences of not providing this data? |
Inability to implement and execute the service contract |
|
Automated decision-making (including profiling) |
No |
For the operations described above, the data controller for your personal data is the company for which you work or provide services as a consultant, service provider, or employee of a service provider.
d. If you participate in one or more events organized by INOWAI
| Purposes of processing | Organization of commercial prospecting events
Legal disputes Management of third-party rights under GDPR |
|
|
Consent
Legal obligation Legitimate interest (the Group’s commercial activity and prospecting, protection of assets, reputation, and the rights of the Group’s companies) |
| Category(ies) of personal data | Data related to event participation
Identification data Contact data Photographs |
| Recipient(s) of personal data | Internal use
Photographers Software and IT solution providers Marketing tool providers Law firms |
| Type of collection | Direct |
| Transfer to a third country or international organization | Yes, to the United States (organization participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
| Data retention period | Data are deleted at the end of the respective event.
In case of legal disputes or potential disputes, data may be retained until the statute of limitations for civil or criminal actions (up to 30 years for civil disputes). If requested by the data subject, data will be retained for up to 3 years after the closure of the request. |
For the operations described above, the data controller for your personal data is the company within the Group organizing the event you are attending.
e. If you are a candidate for a job offer at INOWAI
| Purposes of processing | Management of applications
Recruitment and selection of received CVs Management of job interviews Legal disputes Management of third-party rights under GDPR |
| Legal basis for processing | Pre-contractual measures
Legal obligation Legitimate interests (active search for candidates, processing of temporary worker data, protection of assets, reputation, and the rights of the Group’s companies) |
| Category(ies) of personal data | Identification data
Contact data Economic and financial data Professional life data National unique identification number (registration number) |
| Recipient(s) of personal data | Internal use – Human Resources Department
Law firms |
| Type of collection | Direct
Indirect (Source: specialized recruitment firms, temporary employment agencies, social media) |
| Transfer to a third country or international organization | Yes, possibly to Japan, covered by an adequacy decision issued by the European Commission regarding data protection, and to the United States (organizations participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
| Data retention period | Here is the professional English translation:
– 10 years after the end of the contractual relationship if an employment contract is concluded, except: – Regarding professional background, CV, and salary expectations: until the end of the recruitment period. |
| Is the provision of data a condition for the contract? | Yes |
| What are the consequences of not providing this data? | Inability to implement and execute the employment contract. |
| Automated decision-making (including profiling) | No |
For the operations described above, the data controller for your personal data is the company within the Group to which you have submitted your application.
f. If you are a director or a shareholder of one of the companies in the group
| Purposes of processing | Maintaining records (associates and beneficial owners)
Decision-making by directors and shareholders (notices, proxies, minutes) Keeping minutes Opening bank accounts Administration and operational management of the company IT management (tools, storage, equipment, security measures, and audits) Legal disputes Management of third-party rights under GDPR |
| Legal basis for processing | Execution of a contract
Legal obligation Legitimate interests (protection of assets, reputation, and the rights of the Group’s companies) |
| Category(ies) of personal data | Identification and contact data
Economic and financial data Connection data Technical information, content, and metadata Professional life data |
| Recipient(s) of personal data | Internal use
Luxembourg Business Registers (Companies Register, Luxembourg and Beneficial Owners Register) IT and software solution providers Digital transaction management companies Law firms |
| Type of collection | Direct
Indirect |
| Transfer to a third country or international organization | Yes, to the United States (organizations participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
| Data retention period | Maximum 5 years after the publication date in the official journal of the loss of legal personality of INOWAI S.A.
In case of legal disputes or potential disputes, data may be retained until the statute of limitations for civil or criminal actions (up to 30 years for civil disputes). If requested by the data subject, data will be retained for up to 3 years after the closure of the request. |
| Is the provision of data a condition for the contract? | Yes |
| What are the consequences of not providing this data? | Inability to implement and execute the service contract. |
| Automated decision-making (including profiling) | No |
In the context of the operations described above, the data controller for your personal data is the Group company for which you act as a shareholder or director.
g. If you are a user of our website and/or our social media platforms
| Purposes of processing | Provision of information, dissemination of photos, and description of real estate properties
Contact form/electronic contact methods Proposal for the “Kadran” auction system Subscription to our newsletter Direct marketing through social media Search for new clients Legal disputes Management of third-party rights under GDPR |
| Legal basis for processing | Consent
Legitimate interests (commercial activity and prospecting, protection of assets, reputation, and the rights of the Group’s companies) |
| Category(ies) of personal data | Identification and contact data
Personal life data Economic and financial data Connection data Some of this data may be provided to us via contact tools on social media |
| Recipient(s) of personal data | Internal use
IT and software solution providers Social media Law firms |
| Type of collection | Direct
Indirect (source: third-party cookies, social media) |
| Transfer to a third country or international organization | Yes, to the United States (organizations participating in the EU-US data privacy framework, also covered by an adequacy decision from the European Commission). |
| Data retention period | No storage, except if the relationship between the data subject and the company is contractual, except for:
– Duration of navigation or duration specified in the cookie policy |
| Is the provision of data a condition for the contract? | No |
| What are the consequences of not providing this data? | Inability to provide the requested services. |
| Automated decision-making (including profiling) | No |
In the context of the operations described above, the data controller for your personal data is INOWAI Group S.A.
4. Your rights
In accordance with Articles 13 and 14 of the General Data Protection Regulation, we inform you that you have the right to request access to your personal data, the rectification or deletion of such data, and/or a limitation of processing concerning you. Furthermore, you have the right to object to the processing and to obtain the implementation of your right to data portability.
According to Article 7 of the General Data Protection Regulation, in the case of processing activities based on your consent, you also have the right to withdraw your consent at any time. The withdrawal will not affect the lawfulness of the processing based on consent before its withdrawal.
To exercise your rights, please contact the DPO whose contact details are provided in the section “2. Data Protection Officer” of this information notice. You may also file a complaint with the National Commission for Data Protection in Luxembourg.
5. Security
We use appropriate technical and organizational measures to protect the personal data we collect and process. The measures we take are designed to ensure a level of security appropriate to the risks associated with the processing of your personal data.
6. Cookie management
Cookies are small electronic text files that are placed on your device (web browser, computer, mobile device, etc.) by the server of the online service used (the visited website) or by a third-party server. They are generally used to enable websites to function effectively and to provide various information to website owners and third parties.
To provide our services, we use both essential cookies necessary for the proper functioning and security of our website and non-essential cookies, which are placed and read by us and third parties, such as preference cookies, statistical cookies, and marketing cookies.
For more information, please consult our cookie policy.
7. Links to third-party sites
Our website contains links to third-party websites, services, social media, or applications that are not part of our site and are outside our control. We encourage you to review the privacy policies and terms of use of these third-party websites or services before providing them with your personal data.
8. Updates to our information notice
We regularly review this information notice and publish any updates on our website. This information notice was last updated on 26/09/2024.