Privacy Policy


We at Galleon Capital Management GmbH take the protection of your privacy and your personal data seriously. Personal data are therefore processed by us exclusively on the basis of the statutory provisions (in particular GDPR, Austrian Data Protection Act, Telecommunications Act).

The purpose of this privacy policy is to inform you,

  • for what purpose we collect and process your personal data and
  • what your rights are, how you can exercise them and how we support you in exercising your rights.

Name and address of the controller

Controller according to GDPR is:

Galleon Capital Management GmbH

Singerstraße 8/8, 1010 Wien, Austria

Tel: +43 1 533 55 33 10


1. Which Data we Process

We process personal data that we receive from you, our customers and business partners, within the framework of our business relationship. In addition, to the extent necessary for the provision of our services, we process personal data which we may obtain from publicly accessible sources (e.g. land registers, trade and association registers, commercial register, press, Internet) or which are legitimately transmitted to us by other third parties (e.g. brokers, clients).

Personal data processed by us are name, address and other contact data, and in the context of execution and performance of a contract, possibly date of birth, nationality, identification data (e.g. ID data) and authentication data (e.g. specimen signature). In addition, this may include order data/payment data, data from the fulfilment of contractual obligations, information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), documentation data (e.g. minutes of meetings) and other data comparable with these categories.

Within the framework of execution and performance of a contract, we require the personal data necessary to enter into the contract and for the performance of the contract and such data we may be obliged to collect for compliance with our legal obligations. If you do not provide us with such data, we may not conclude or execute the contract. However, you are not obliged to give your consent to the processing of data that is not relevant to the performance of the contract or is not required by law or regulation.

We do not use fully automated decision making according to Article 22 GDPR for the establishment and performance of a business relationship.

2. Purpose and Legal Basis of the Processing of Your Data

Fulfilment of contractual obligations (Art. 6 para. 1 (b) GDPR)

We use your personal data for the execution of our contracts with you, the execution of your orders and for the execution of pre-contractual measures. The purposes of data processing are primarily based on the specific contract with you as our client (e.g. asset management contract, consulting contract) or as our supplier/service provider (e.g. supply contract) or on your or our need for products/services prior to the conclusion of a contract.

Fulfilment of legal obligations (Art. 6 para. 1 (c) GDPR)

Processing of personal data may be necessary for the purpose of fulfilling various legal obligations (e.g. Federal Tax Code, Company Code, Trade Code).

Protection of legitimate interests (Art. 6 para. 1 (f) GDPR)

If necessary for the purposes of the legitimate interests pursued by us or by a third party (except where such interests are overridden by your interests or fundamental rights and freedoms), personal data may be processed beyond the actual fulfilment of the contract to safeguard our legitimate interests or the legitimate interests of third parties pursuant to Art. 6 para. 1 (f) GDPR. In connection with the further development of real estate that we manage for our clients, financing or an intended sale of real estate, it is necessary for the purpose of legitimate interests in the development, financing or sale of real estate to process personal data for this purpose and to disclose personal data – however only to the absolutely necessary extent – to potential equity and debt capital providers, appraisers, rating agencies, brokers, prospective buyers, purchasers, investors and their advisors.

Within the scope of your consent (Art. 6 para. 1 (a) GDPR)

If you have given us your consent to process your personal data for certain purposes, processing will only take place in accordance with the purposes and to the extent agreed in the declaration of consent.

3. Transfer of Data to Third Parties

Your personal data will only be passed on to third parties if this is necessary for the execution of the contract, if there is a legal obligation or in the context of safeguarding legitimate interests.

Recipient categories of personal data can be:

  • Real estate owners
  • Interested parties, investors, buyers and sellers of real estate and their consultants (tax consultants, legal consultants, technical consultants)
  • Consultant to the person responsible (Tax, Legal, Technical)
  • Associated companies of the person responsible
  • Property Manager (Accounting, Regulations, Billing, Accounting)
  • Facility manager
  • Intermediaries
  • Legal representatives, tax consultants, auditors, notaries
  • Commissioned professionals/service providers in the context of the execution of a transaction
  • Tax office and other authorities
  • Banks, insurance companies
  • Lenders or equity capital providers of the owners of the real estate or the interested parties or buyers
  • Persons necessarily participating in the transaction
  • Bodies compiling public statistics on a statutory basis
  • Rating agencies, valuation experts
  • Our permanent cooperation partners for acquisition and management

Furthermore, if necessary for the purposes of the legitimate interests pursued by us or by a third party, personal data may be disclosed to banks, lenders or equity investors, valuation experts, rating agencies, brokers, prospective buyers, purchasers, investors and their advisors in order to safeguard the legitimate interests of the landlord or a third party with regard to the financing, development or sale of the property.

If required by law, public authorities and institutions (e.g. tax authorities) may be recipients of your personal data.

In addition, contractors (in particular IT service providers) commissioned by us receive your data if they require the data to perform their respective services. All contractors are contractually obliged to treat your data confidentially and to process it only within the scope of the provision of services (see point 6.).

4. Deletion Periods

In the event of a contract being concluded, all data from the contractual relationship will be stored until the expiry of the tax retention period (7 years) and as long as the limitation periods for potential legal claims have not yet expired.

If no contractual relationship is established, the data stored with us will be deleted 3 years after the last contact.

5. Security Measures

We apply security measures to protect your personal data from misuse and unauthorized access, e.g. measures for network security (use of firewalls, use of anti-virus software), access and access controls (measures to ensure confidentiality, integrity and availability of personal data and processing systems).

6. Data Processing Inside and Outside the EU

We use external service providers (hereinafter "processors") in the area of support for the hardware, software and network technology we use (IT service providers, web hosting, support for our hardware and our network, etc.).

We have concluded a contract with each processor. Processors are permitted to process the data exclusively on our behalf and in accordance with our instructions.

In principle, we process your data within the European Union. If we transfer personal data to third countries, we ensure that your personal data is sufficiently protected and that the transfer complies with the requirements of GDPR for transfer to third countries (e.g. adequacy decision, privacy shield, standard contractual clauses).

Please note, however, that some processors may be located outside the EU, such as Microsoft, whose services we use through Microsoft Online Services, and who may access and process your personal information from outside the EU. In the case of transmission outside the EU, we only use processors who meet the requirements of GDPR (e.g. adequacy decision, privacy shield, standard contractual clauses) to ensure that your personal data is adequately protected when accessed and processed from there. Microsoft is Privacy Shield certified, Microsoft’s privacy information can be found at:

7. Your Rights

You can exercise your rights by sending us a request by letter or e-mail. You will find our contact details above under "Name and address of the controller".

If necessary, we may ask you to provide proof of your identity to ensure that the request was sent by you. We will respond within one month of receiving your request, but we reserve the right to extend this period by two months if there are reasons to do so. We will in any case contact you within one month of receiving your request if we decide to extend the processing period. The assertion of your rights is in principle free of charge for you. A fee may be charged only if the applications are manifestly unfounded or excessive in number.

Information and Access

You have the right to request information on what personal data we process about you. You also have the right to request a copy of your data if we process personal data about you. As part of a request for information, we will inform you, among other things, about the processing purposes and the categories of personal data that are processed.


You have the right to request the correction of incorrect or, taking into account the purposes of the processing, also the completion of incomplete personal data concerning you.


You have the right to request the deletion of your personal data. If you request us to delete your personal data, we will immediately delete all of your personal data unless there is a legal right of retention or a legal duty of retention. We will delete all personal data even if you revoke your consent or if we are legally obliged to do so.

Restriction of Processing

You have the right to request that the processing of your personal data be restricted. You can request a restriction of the processing of your personal data if you dispute the accuracy of the data, if the processing is unlawful but you do not wish the data to be deleted, if the data is not necessary for the purpose of processing but we need it to assert, exercise or defend legal claims or if you file an objection and it is not yet clear whether there are legitimate reasons for further processing of the data. If processing is restricted, we will reduce the processing of your personal data to the minimum necessary (storage) and, if necessary, use it only to establish, exercise or enforce legal claims or to protect the rights of other natural or legal persons or for other limited reasons specified by applicable law. If the restriction is lifted and we process your personal data again, you will be informed immediately.


You have the right to object to the processing of your personal data. You may object to the processing of your personal data if we base the processing on our legitimate interests (Art 6 para 1 (f) GDPR). In such cases, the data will only be processed further by us if there are compelling grounds for processing that are worthy of protection, which outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

Data Portability

You have the right to receive personal data about yourself in a structured, common and machine-readable format. You also have the right to request the transfer of personal data about yourself directly from us to another person responsible. We will comply with an application to transfer your personal data to another person responsible, provided that the rights or freedoms of third parties are not violated and provided that the transfer is technically feasible.

Complaint to a Supervisory Authority

You have the right to file a complaint to a data protection authority about the processing of personal data by us. In Austria, the Austrian Data Protection Authority is responsible (

Due to changed legal requirements, it may become necessary to change this privacy policy.  

This privacy policy is valid as of July 2018.