Privacy Policy on Kowac S.à r.l.’s Customer and Partner Register

Data Controller

KOWAC S.À R.L., Business ID B240412, Address: 40 rue de la Vallée, 2661 Luxembourg.

Contact Person for Data-Related Matters

In matters related to data protection please contact via email to

Name of Register

Customer and partner register

Legal Basis and Purpose of Processing Personal Data

The processing of personal data is based on (i) performance of the rights and obligations of a lease and/or service agreement between a controller and a customer, or a data controller and its partner, for a supplier agreement, and performance of the preliminary measures required for the agreement, and/or (ii) for the purposes of the legitimate interests of the controller or of a company belonging to the same group.
Personal data is used for managing, developing and maintaining the customer (including potential customer) relationship between the controller and the customer, and the related analysis, compilation of statistics, customer communication, organizing of events, customer experience evaluation, identification of the customer’s users, user management, troubleshooting of electronic services, and management of relationships between the cooperation partners. In addition, personal data is used for direct marketing by the controller and its group companies (including electronic newsletters), targeting and profiling of online advertising, and for designing and development of the controller’s products and services.

Data Content of the Register, and the Data Protection Groups

Decision-makers and contact persons of current and potential customers, suppliers and partners of the controller, and newsletter subscribers. The register may contain the following personal data:

  • First name
  • Last name
  • Position in the organization (title)
  • Language of communication
  • Company
  • Company address
  • Email address
  • Phone number
  • Electronic services username and password
  • Communication information (such as emails and e-forms)
  • Marketing and promotional data (such as marketing measures targeted at data subjects, participation in events)
  • Data on the use of electronic services (e.g. browsing and search data, IP addresses, and cookies)
  • Direct marketing consent and prohibition
  • Any other information provided by the data subject themselves

Regular Sources of Data

Data is collected regularly about the data subject by telephone, email, on the internet, in meetings, and in conjunction with concluding agreements and contractual relations. Personal data can also be collected and updated from public and private registers, such as the population register, other authorities, credit information companies, contact information providers, and other similar trustworthy parties.

Regular Disclosure and Transfer of Data, and Data Transfer Outside the EU or EEA

The controller does not regularly disclose the registered data to third parties.
The controller uses external subcontractors to handle the tasks described in this policy, and in such cases, the service providers act on behalf of the controller. Subcontractors, i.e. recipients of personal data, include e.g. marketing and communication agencies, asset managers, event organizers, data system suppliers and partners in property services and services for space. The controller is responsible for the activities of its subcontractors as for the controller’s own activities. The controller will ensure, by means of data processing agreements with subcontractors, that these parties are committed to protecting the personal data of the data subject in the manner stated in this document. In addition, the controller may disclose contact details for marketing purposes to its subcontractors used within its business operations and companies directly or indirectly owning the shares in the controller as well as companies being under common control.
Some of the personal data contained in this policy may be processed outside the EU and the EEA, whereby the data controller has ensured that its subcontractor is covered by the Privacy Shield data protection system or other similar arrangements (e.g. EU Commission Model Clauses).
Personal data are also disclosed and transferred to asset management and other service providers engaged by the controller concerning the property owned by the controller.

Principles of Register Protection and Data Storage Period

The only persons who have access rights to the personal data system are those employees of the controller who have the right to process personal data contained in this register for the purposes of carrying out their work. Each user has their own username and password for the system. Data is collected in databases that are protected by firewalls, passwords, and other technical measures. Databases and backups are located in locked spaces, and only certain pre-designated persons can access them.
Personal data is stored for as long as it is necessary for fulfilling the purpose of the personal data. As a rule, the data are kept for the full duration of the customer or partnership relationship, and for six (6) months after its end. However, the controller always has the right to store personal data or otherwise process them after the aforementioned period of storage in the circumstances permitted by law in force from time to time, such as the retention periods to be observed in accounting and tax laws. The personal data of decision-makers will be stored permanently for direct marketing purposes within the limits of the law.
The controller will regularly assess the need for the storage of personal data, and will also take reasonable measures to ensure that incompatible, obsolete or inaccurate personal data on data subjects is not saved in the register.

Rights of the Data Subjects

The data subject has the right to inspect the data on him or her that is stored in the register, as well as to demand that any incorrect data be corrected and that any data on him or her be deleted from the register. Any such requests must be submitted in writing personally to property’s reception service (if any) or to
The data subject has the right to deny the controller access to data about the subject for the purposes of direct advertising, market research, opinion polling or related profiling. Such a prohibition may be provided at any time to or, for example, by opting out of the mailing list in the manner instructed in the marketing messages themselves.
In accordance with the General Data Protection Regulation, the data subject has the right to object or request restriction of processing of the subject’s data, and to file a complaint against the processing of their personal data to the relevant supervisory authority.

Privacy Policy

This privacy policy as in force from time to time is available at