Privacy Policy

Hereby, we are informing you about the processing of your personal data according to Article 13 General Data Protection Regulation (GDPR) and § 13 Telemediengesetz (TMG; a German law about tele-media). The protection of your data is important for us.

Controller and Data Protection Officer

Responsible for your data is

Wohnungsreferat Stuttgart e.V.
Allmandring 3C
70569 Stuttgart

phone: +49 711 683 183

You may contact the data protection officer about everything concerning your data, e.g., the below mentioned right of access. The officer will keep your inquiry in confidence. The contact information of the data protection officer is

Wohnungsreferat Stuttgart e.V.
z. Hd. Datenschutzbeauftragter
Allmandring 3C
70569 Stuttgart


Categories of Data

In this section, we inform you which data will be saved and processed, its purpose, on which laws this is based on, whether and to whom it will be disclosed, and when it will be deleted or restricted from future processing.

Visit of Our Website

During the visit of our website, only data is saved which is needed for technical reasons to fully display the website. Legal basis for this is § 15 Abs. 1 TMG. This data will not be disclosed and is not attributable to your person since it is made anonymous. Additionally, neither are we creating any user profiles nor are we publishing advertisement, especially not personalized advertisement.

Only when you try to log on as a user on our website, your IP address will be saved in order to block the access after a certain amount of unsuccessful login attempts for security reasons. This is a legitimate interest (Article 6 Section 1 Letter f GDPR), see also down below. 12 hours after the last failed login attempt, the IP address will be deleted from the database.

Server Logs

In order to display our website, your browser needs to send certain information to our web server. Depending on this information, the content of the website will be delivered to your browser. This data includes

  • browser type and browser version,
  • IP address of your computer,
  • date and time of access,
  • URL which you want to access (e.g., a specific subpage),
  • installed browser plugins (e.g., flash player) in order to deliver the appropriate version matching the abilities of your browser,
  • referrer URL, i.e., the address of the website on which you have clicked a link to our website (if this is the case).

This data, which is automatically sent by your browser, is written to a log on our web server. This is needed to find and fix technical problems. This data is not attributable to your person since the last byte (IPv4) or last 8 bytes (IPv6) of IP address will be cut, respectively, in order to make it anonymous. Additionally, the data will not be aggregated with other data.


Our website (like most of the websites on the internet) is using so-called cookies. These are text files which are created by request of our web server on your computer. During each visit, your browser sends these cookies to our web sever in order to allow, e.g., to recover your settings. Some cookies will be deleted after each visit since they are only needed during the visit. Since cookies are only raw text files, they cannot harm your computer.

The cookies of our web server are only used to increase usability and allow a more effective use of the website. As an example, one cookie saves the setting if you want to display the English or German version of our website. If it were not for the cookie, you would have to make that choice after each visit. We are not deploying web analytics, i.e., tracking of your traces on the internet to analyze your behavior. But it may happen that other websites which are not taking data protection as seriously as we do will analyze the cookies saved by our web server.

You can disallow the creation of cookies in your browser. Applying this setting may result in limited functionality of our website.

Pre-registration, Waiting List, and Application as a Member

There are forms on our website which allow you to sublet your room, register on the waiting list as a potential subtenant, or apply as a member of our organization. The data entered into the form is needed later for an authority to sublet your room, a sublease agreement, or an entering agreement into our organization, respectively. If this does not happen, then your data will not be processed any further. Therefore, the legal basis is Article 6 Section 1 Letter b GDPR. if you applied for a place on the waiting list, you will be informed (as wished, obviously) of room offers. You can contact us any time to be removed from the waiting list.

Additional to the data entered into the form, the data described in the subsection Server Logs is sent to us via e-mail once you submit the form. The only exception is the IP address, which is sent in full this time. This is needed to call the law enforcement agency or court in case of a legal or criminal charge due to providing a false identity. This is a legitimate interest (Article 6 Section 1 Letter f GDPR, see also the court ruling VI ZR 135/13 of the German Federal Court of Justice as of 16.05.2017). We alone are not able to identify your person with the IP address. Since an e-mail is sent after you submit the form and at least one field of the form allows to enter arbitrary text, the period for safekeeping for business letters according to German law is decisive for the deletion of the data. Your entry on the waiting list (if any) will be removed at latest once it is clear from the information which you have provided that you will not be interest any more in room offers, which will be the latest at the end of your wished sublease period.

We are using your data only for the purpose for which you have filled the form, e.g., for sending you room offers for the wished period. Your data will not be used for any market or opinion research, advertisement, or database marketing, nor will it be disclosed to third parties.

The data transfer is encrypted. You will notice the encrypted connection at an URL beginning in https:// instead of http:// or a green lock for some browsers.


Beginning with the creation of a so-called main tenant contract in order to sublet your room or a sublease agreement, your data written on the contract is needed to fulfill it. Therefore, the legal basis is Article 6 Section 1 Letter b GDPR. Either you are giving us the data during the creation of the contract or we are taking it from the pre-registration or waiting list, respectively. In the latter case, the privacy policy on our website has more information for you. At this stage, you will have of course the opportunity to check and correct your data again.

Your name, the house number, room number, and the period of the contract will be disclosed to

Studierendenwerk Stuttgart
Rosenbergstraße 18
70174 Stuttgart

as so-called main landlord of the student dormitories. Since the main landlord needs to agree to any subletting (§ 540 Abs. 1 BGB, German civil code), the disclosure is both needed to create the contract in the first place and constitutes a legitimate interest of the Studierendenwerk Stuttgart. Therefore, the legal basis is Article 6 Section 1 Letter b and f GDPR.

Since we are only acting as a representative and with authority of the main tenant, the data is disclosed to the respective other party of the sublease agreement since every party has the right to know the other party. Since the other party is a private individual, you will need to know that strict data protection laws will not apply to this individual to the same extend as they would apply to us. Hence, we will disclose your data (expect your name) to the other party only in the case of a legitimate interest. This guarantees higher data protection compared to making a sublease agreement directly with the other party.

For the data needed for the contract, the period for safekeeping for business letters according to German law is decisive for the deletion.

Data Storage

Since we do not have the infrastructure to store your data, we entrust two companies with the storage of the data:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen


Deutsche Telekom AG
T-Online-Allee 1
64295 Darmstadt

These companies store your data on our behalf. This is done only on servers in Germany, within German data protection laws, both companies are certified for their guaranteed data protection, and we have a contract with them covering the details of the data processing (Article 28 GDPR). The companies are especially not allowed to disclosure your data to third parties but only manage it for us. Backups are needed in every IT infrastructure. Because of this, it may happen that your data is still part of a backup while it should already be deleted. There is no processing of your data as part of a backup.

Your data will not be disclosed or processed by any other third party than the companies described above if not regulated by law otherwise (e.g., disclosure due to a court order).

Your Rights

The data protection laws grant you excessive rights free of charges to access your data (Article 15 GDPR), to correct it (Article 16 GDPR), to erase it (Article 17 GDPR), and to restrict the processing. If you had to consent to the processing of certain data, you can withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Additionally, you have the right that your data will be disclosed to a third party on your request (Article 20 GDPR). You have the right to lodge a complaint with a supervisory authority (Article 77 GDPR).

Please contact our data protection officer with the contact information provided above to exercise your rights.