We process your data always in accordance with the legal regulations, in particular with the German Telemedia Act, the Regulation (EU) 2016/679 General Data Regulation (GDPR) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, and on the free movement of such data and repealing Commission Directive 95/46/EG (Basic Regulation on data protection) and in accordance with the German Federal Data Protection Act, as far as this still applies.
(1) This data privacy statement gives an overview, which information is collected or stored when you visit our website and how it is used. This statement also explains how to verify the accuracy of the personal information we hold about you and how to delete, block or update such personal information in our database.
(2) Basically, we process personal data of our users only insofar as this is necessary for a functioning website and for our content and services. Further uses are listed in the following regulations. The processing of personal data of our users takes place only with the consent of the use regularly. An exception applies, if it is not possible to obtain prior consent for factual reasons and data processing is permitted by law.
(3) Legal basis for processing of personal data
Insofar as we obtain the consent of the data subject for processing of his or her personal data, Art. 6 (1) (a) GDPR is the legal basis.
In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR is the legal basis. This also applies to processing operations, which are necessary for the implementation of pre-contractual measures.
Insofar as data processing is necessary for compliance with a legal obligation, Art. 6 (1) (c) GDPR is legal the basis.
In case data processing is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6 (1) (d) GDPR is the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party and interests or fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) (f) GDPR is the legal basis for the data processing.
(4) Erasure of personal data and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage is omitted. In addition, such storage may be provided because the European or national legislator set such in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the regulations mentioned expires, unless there is a need for further data storage for conclusion of a contract or performance of the contract.
(5) Transfer of personal data
If your data is transferred to other companies or subcontractors, this will only be done in compliance with the present data protection regulations and the statutory provisions as well as to fulfil the contractual obligations, e.g. the provider can see corresponding statistical data, if necessary.
Your personal data will not be transferred to third parties outside the company without your explicit consent. External service providers, who process data on our behalf, are contractually obliged. These service providers are especially prohibited from using your data for other than the original underlying purposes.
We will provide third parties with further data than provided by you, in particular to such data you have made available to us just for handling of the contract for internal purposes, only in case of a corresponding statutory obligation or to safeguard legitimate interests.
Due to legal requirements, especially for tax purposes, we may be obliged to store your data beyond the period of your use of our website. However, we will only store the data to the extent required, taking into account the statutory provisions.
(6) Data storage location
Your data will be processed on servers located in Germany and thus within the scope of the EU level of data protection. We must point out any exemptions according to no. 3 of these regulations.
2. Collection of personal data
a. Collecting general data when visiting the website or using the app
(1) If you just visit our website, we only save access data within so-called server log files. This is data your browser makes transmits without any personal connection.
- Browser type and browser version
- Operating system used
- Referrer-URL (previously visited website)
- Websites accessed by the user's system through our website
- the user’s internet service provider
- Host name of the accessing computer (IP address)
- Date and time of the server access
We are not able to assign these data to specific persons. A collection of this data with other data sources is not done, the data also is deleted after a statistical evaluation. For this purpose, the user's access to our websites, including the IP address, is stored in the server log files. These log files are prepared monthly for statistical evaluations with an analysis software and then deleted. It is not possible for us to draw conclusions concerning a certain person when using the data.
(2) While using our online offerings, the user’s IP address as well as the access time may be stored due to our particular interest. It also safeguards the interests of the respective users by documenting improper and other unauthorized use. These data are not transferred to external natural persons or legal entities, unless this is required within the contractual relationship (Art. 6 (1) (f) GDPR) or provided by law (Art. 6 (1) (c) GDPR). The data will be deleted immediately, if the data is no longer required for the fulfilment of contractual and legal obligations or dealing with warranty and other obligations. As part of the legal retention period, a necessity test is done every three years.
(3) The legal basis for this data processing is Art. 6 (1)(f) GDPR. On the one hand, legitimate interests arise from the need to present and optimize the content of the website in a technically correct manner. Furthermore, the data collection is necessary to ensure the functionality of the website in case of attacks by third parties and to allow prosecution of such attacks.
(4) The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the user’s computer. Therefore, the user's IP address must be stored for the duration of the session. In these purposes, our legitimate interest of data processing is justified in the sense of Art. 6 (1) (f) GDPR.
(5) The data will be deleted as soon as it is no longer necessary for the purpose it was collected for. In case of data collection for providing the website, this is the case when the respective session is completed.
(6) The date collection for the providing the website and the storage of the data in log files is essential for the operation of the website. As a result, the user has no possibility to object.
(7) App and website are able to capture the exact location (GPS- and network-based) of use and to link it to the time. The location only is transferred if the corresponding feature is used or confirmed. The user is free in using this feature. The publication and following storage of the location for the duration of the session or for location-based features (localization) is thus based on Art. 6 para. 1 a) GDPR with your consent.
b. Collection of personal data on a contractual basis
(1) Some of our website features ask the user to enter personal data, such as name, e-mail or postal address. Entering names and details is voluntary here. The data processing is preceded by the consent of the user, Art. 6 (1) (a) GDPR, or a voluntary basis.
(2) The processing of the above-mentioned data takes place on the basis of Art. 6 (1) (b) GDPR for that matter. The data processing is necessary for contact for contracting, the fulfilment of a possible contract, or of other pre-contractual measures given. If there should be a legal obligation requiring the personal data processing, such as the exercise of tax obligations, the basis for the processing is Art. 6 (1) (c). GDPR.
(3) In general, no special categories of personal data are processed, unless they are expressly part of the commissioned or contractual processing. The processing is limited to the data needed to establish and fulfil the contractual relationship; the necessity of providing this data is expressly indicated, if the contracting party is not yet aware of this. This particular personal data will basically not be transferred to any external natural or legal persons, unless this is required within the contractual relationship. While data processing, we comply with the relevant instructions of our clients and the legal requirements.
c. External payment service providers
(1) It is possible to process payment transactions between us and the respective user via platforms of external payment service providers. These payment service providers are in particular:
American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html),
Google Play (https://policies.google.com/privacy?hl=de), and
Apple App Store (https://www.apple.com/de/privacy/)
(2) We use the services of the respective platform providers to fulfil our contractual and pre-contractual obligations, in particular with regard to amounts of money. Legal basis for processing is Art. 6 (1) (b) GDPR, in case of our legitimate interest in an effective and safe payment option it is Art. 6 (1) (f) GDPR.
(3) The payment service provider processes data of different categories. This includes the user's master and inventory data (name, address, etc.), payment details (account number, credit card number, passwords, TAN entries, check digits, uses and recipients of the money amounts). Apart from payment confirmations or information about a missed payment, none of this processed data will be transferred on to us. For identity and credit check purposes as well as other economic information, the data may be forwarded to the appropriate places. Moreover, reference is made to the terms and conditions and privacy policies of the respective platform operator, especially regarding information and exercise of rights of withdrawal, access and other rights.
d. Administration, accounting, office and contact management
(1) We process data in the context for administrative tasks and business organisation, for financial accounting and fulfilment of legal obligations, such as archiving. Here, we process the same data as in the context of performing our contractual services. Legal bases for processing are Art. 6 (1) (c) GDPR, Art. 6 (1) (f) GDPR. The processing affects customers, prospects, business partners and website visitors. The purpose and interest in processing lies in administration, accounting, office management, data archiving, i. e. tasks that serve to maintain our business, perform our duties and provide our services. Deletion of the data regarding contractual services and contractual communication corresponds to the data provided within these processing activities.
(2) We reveal or transfer data to the financial management, consultants such as tax consultants or auditors, and other fee agents and payment service providers.
(3) Furthermore, we store information about suppliers, promoters and other business partners, based on our business interests e.g. for later contact. We principally store this mostly company-related data permanently.
e. Access rights of the app
To provide our services via the app, we require the access rights listed below, which allow us to access certain features of your device.
● location data
● device number of your smartphone
● photos, videos
● push notification
Access to these device functions is necessary to ensure the functionality of the app. Legal basis for this data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR, your consent according to Art. 6 (1) (a) GDPR or - if a contract has been concluded - the fulfilment of our contractual obligations (Art. 6 (1) (b) GDPR).
The storage period for the acquired data is regulated as follows:
Data is stored while using the app and also deleted with deletion of the app.
f. Personal data collection while using the app
We collect following personal data from you, while you are using our app:
● name and surname
● email address
● usage data
● IP address
● device identification
Processing of this personal data is necessary to ensure the functionality of the app. Legal basis for this data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR, your consent according to Art. 6 (1) (a) GDPR or - if a contract has been concluded - the fulfilment of our contractual obligations (Art. 6 (1) (b) GDPR).
If you contact us (e. g. via contact form within the app, by e-mail, telephone or fax), your request including all resulting personal data (e. g. name, request) will be stored and processed by us for handling this request. Data processing is pursuant to Art. 6 (1) (b) GDPR, if your request is related to the performance of a contract or needed to take pre-contractual measures. In any other cases, processing is based on your consent (Article 6 (1) (a) GDPR) and / or on our legitimate interests (Article 6 (1) (f) GDPR), because we have a legitimate interest in the effective handling of requests. Data you sent to us by contact form remains with us until you ask for deletion, you revoke your consent to the storage or the purpose for data storage is omitted (for example, after completion of your request). Mandatory statutory provisions - in particular legal retention periods - remain unaffected. We will not transfer any of your data without your consent.
3. Third Party Plug-Ins
(1) Legitimate Interest
The use of the third-party plug-ins mentioned below has been checked in terms of data protection law and is based on Art. 6 (f) GDPR in order to safeguard legitimate interests and to improve our website.
This website uses Google Analytics, a web analytics service. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "cookies". These are text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.
We have enabled the function IP anonymization on this website. As a result, your IP address will be shortened by Google within member states of the European Union or other parties to the Agreement on the European Economic Area prior to transfer to the United States. Only in exceptional cases, the full IP address is transmitted to a server of Google in the USA and shortened there.
On behalf of this website owner, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website owner with other services relating to website and Internet use.
The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data.
You can prevent these cookies being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of this website. You can also prevent the data generated by cookies about your use of the website (incl. your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Objecting to the collection of data
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Click here to disable Google Analytics
Contract data processing
We have entered into a contract for data processing with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographics in Google Analytics
This website uses the feature “demographics” of Google Analytics. Therefore, reports can be created that contain statements on the age, gender and interests of the website visitors. This data has been obtained from interest-based advertising by Google and third-party visitor data. This data cannot be associated to identify a certain person. You can disable this feature at any time via the ad settings in your Google Account, or generally prohibit the collection of your data by Google Analytics as described in the section "Opposition to Data Collection".
Forming target groups via Google Analytics
The purpose of our use of Google Analytics is to display advertisements according to the respective user behaviour only. In doing so, this advertisement will be displayed, in particular, if the user was interested in our online offer. This statement is made on the basis of the websites already visited, as well as on the characteristics transmitted to us by Google.
(3) Google ReCaptcha
(4) Google Maps
To display maps, we use the service “Google Maps” of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland. To display these maps, the IP address and location of the user are usually requested. Basis of this processing is the explicit consent of the user in accordance with Art. 6 (1) (a) GDPR, e.g. by enabling mobile location sharing and allow Google Maps to use the location when using the app. The data may be processed in the USA.
Our website uses an API of maxmind.com operated by MaxMind Inc. Operator of the website is MaxMind Inc., 14 Spring Street, 3rd Floor, Waltham, MA 02451, USA
Our website uses plugins from YouTube, which is operated by Google. The operator of the pages is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
If you visit one of our pages featuring a YouTube plugin, a connection to the YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited.
If you're logged in to your YouTube account, YouTube allows you to associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.
YouTube is used to help make our website appealing. This constitutes a justified interest pursuant to Art. 6 (1) (f) GDPR.
Further information about handling user data, can be found in the data protection declaration of YouTube under https://www.google.de/intl/de/policies/privacy.
On our website we inter alia offer the possibility of contacting us or accessing Frequently Asked Questions (FAQ). Provider of this service is Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066 (hereinafter “Freshdesk”).
(9) Dispatch of newsletters and recommendation emails via SendGrid
(10) Facebook Connect
Legal basis for the use of the service is Art. 6 (1) (f) GDPR - legitimate interest. Our legitimate interest in using this service is to allow users to easily share content on Facebook. For further information, please see: https://www.facebook.com/about/privacy/your-info-on-other
(2) There are cookies which will be deleted after the end of the browser session (so-called session ID cookies). The cookies are used for the purpose of authorization, identification and obtaining specific information such as information on whether you wish to remain logged in. After one hour the cookies will be automatically deleted.
(3) The user data collected in this way will be pseudonymised by means of technical precautions. Therefore, an assignment of the data to the calling user is no longer possible. The data will not be stored together with other personal data of the user.
(5) If cookies are stored on your PC additionally, you have control over whether and when these cookies are deleted. Please use the corresponding function in your browser.
(6) With most Internet browsers, you can delete cookies from your hard disk, lock them, or receive a warning before a cookie is deposited. You can set your browser so that you are informed about the setting of cookies, you can decide on a case-by-case basis, or you can preclude the general acceptance of cookies. The non-acceptance of cookies may limit the functionality of our website. Please refer to the user manual of your browser or the manufacturer of the browser for information regarding how to set the programs accordingly.
(7) Only with your prior consent we will associate such automatically stored information with the personal data that you have provided to us previously (for example, during the registration) on our websites.
(8) The utilization of data from set cookies is done on the basis of Art. 6 f) GDPR for the protection of legitimate interests, whereas we assume that your interests, fundamental rights and freedoms are not restricted by this, as personal data is neither gained by us nor by third parties. Additionally, it is basically statistical data adjusted to your user behaviour and, if necessary, other factors like pricing, but not data that may lead to an individual identification.
5. Data security
(1) We secure our websites and the connected systems against loss, destruction, access, modification or dissemination of your data by unauthorized persons by technical and organizational measures.
(2) You should always keep your access information confidential and close the browser window, when you have stopped using it, to prevent misuse of your account, especially if you share the computer with others.
(3) We are not liable for the content of other providers, which can be reached via the hyperlinks on our websites. Links on our website refer to content that is not stored on our own servers. External content was checked for links for illegality and criminal liability. Nevertheless, it can’t be ruled out that content will be changed by vendors afterwards.
6. Contact form / E-Mail
(2) Alternatively, contact via the provided e-mail address is possible. In this case, the user's personal data transmitted by e-mail will be stored.
(3) In this context, there will be no disclosure of the data to third parties. The data is used exclusively for processing the conversation.
(4) Legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR in case of consent of the user.
(5) The legal basis for the processing of the data transmitted in the course of sending an e-mail is article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a contract, then additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
(6) The processing of the personal data from the input mask serves us only for processing the contact. In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems
(7) The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input form of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.
(8) Additional personal data collected during the sending process will be deleted at the latest after a time period of seven days.
(9) The user has the possibility to give his consent to the processing of the personal data by means of communication by e-mail or post to the responsible office (see below) at any time. If the user contacts us by e-mail, he may object to the storage of his personal data at any time. If the user contacts us by e-mail, he may object to the storage of personal data at any time. All personal data stored for contacting will be deleted in this case.
7. Newsletter data / Performance measurement
(1) If you wish to receive the newsletter offered on the website, we require an e-mail address from you, as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agreed to receive the e-mail newsletters. Further data is not collected. We use this data exclusively for the delivery of the requested information and do not pass it on to third parties.
(2) You may revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter.
(3) In case of consent, the legal basis for the data processing after the user`s subscription to the newsletter is Art. 6 (1) (a) GDPR.
(4) The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The e-mail address of the user is therefore stored as long as the subscription to the newsletter is active.
(5) The success of our newsletters is measured by a so-called "web beacon". This is a very small file, which retrieves information from our server or from the server of the shipping provider by opening the newsletter.
These are technical data, e.g. which browser and which operating system was used, but even the IP address and time of retrieval. This data processing generally is done by explicit consent according to Art. 6 (1) (a) GDPR when subscribing the corresponding newsletter; in other cases, it is done according to Art. (6) (1) (f) GDPR to protect our legitimate interests. In addition to the technical improvement of the newsletter service, this also includes statistical analysis of individual target groups, of the location of retrievals and of access times. This statistical data is used to measure success of the newsletter. It is expressly pointed out that information about opening the newsletter and clicking links may be assigned to individual user profiles. But a transfer to third parties does not take place.
For technical reasons, a revocation of the performance measurement cannot be done separately from the entire newsletter subscription. A separate revocation of the performance measurement is unfortunately not possible, in this case, the entire newsletter subscription has to be cancelled.
(1) Depending on the current design of the website and the offer, we offer our users the opportunity to register on our website by providing personal information. The data is entered into an input mask, transmitted to us and stored. A transfer of data to third parties does not take place. The registration will only collect the data necessary for the purpose of the registration.
(2) As part of the registration process, the consent of the user to process this data is obtained. Legal basis for the processing of the data is the presence of the consent of the user Art. 6 para. 1 lit. a GDPR. If the registration serves the fulfilment of a contract of which the user is a party or the implementation of pre-contractual measures, an additional legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR.
(3) The registration is required for the provision of certain contents and services as well as for the fulfilment of a contract with the user, or for the execution of pre-contractual measures.
(4) The data will be deleted as soon as the purpose of their collection is no longer necessary.
(5) As a user, you have the option of cancelling the registration at any time. You can change the data stored about you at any time.
9. Comment and evaluation function on our website
(1) For comment function on this page, your comments will also include information about the time your comment was created and, unless you post anonymously, the username you selected.
(2) Any comment features store the IP addresses of users providing comments. Since we do not check comments on our site before activation, we need this data to be able to act against the author in case of infringements such as insults or propaganda.
Without any consent within the meaning of Art. 6 (1) (a) GDPR, the data collection is therefore based on Art. 6 (1) (f) GDPR to safeguard legitimate interests.
(3) Data will be deleted as soon as it is no longer required to serve the purpose of its collection.
This website uses SSL encryption for safety matter as well as to protect the transfer of confidential data like contact inquiries you send to us. An encrypted connection can be identified by a symbolized lock in the address-bar of your browser as well as by the address being “https://” instead of “http://”. If SSL is activated, data may be transferred without third parties being able to read this data.
11. Presence in Social Media
(1) We maintain online presence within social networks and platforms to communicate with customers, prospects and users active there and to inform them about our services.
(2) We point out, that data of the users can be processed outside the area of the European Union. This may cause risks to the users, because e.g. the enforcement of user rights could be made more difficult. As for US providers certified under the Privacy Shield, we point out that they are obliged to observe the EU's data protection standards.
(3) Furthermore, the users‘ data are usually processed for market research and advertising purposes.
For example, user profiles are created on the user behaviour and the resulting interests of the users. On the other hand, usage profiles may, for example, be used to place advertisements inside and outside the platforms which comply with presumed users' interests. For these purposes, cookies are usually stored on the users’ computers, in which the user behaviour and interests are stored. Data can also be stored in the usage profiles, independently of the devices used by the users (in particular if the users are members of the respective platforms and logged in to them).
(4) The processing of personal data of users is based on our legitimate interests in an effective information of users and communication with users in accordance with Art. 6 (1) (f) GDPR. If the users are asked for a consent to the above-mentioned data processing by the respective providers of the platforms, the legal basis of processing is Art. 6 (1) (a), Art. 7 GDPR.
(5) We refer to the following linked information of the provider for a detailed description of the respective processing and the possibilities of contradiction (opt-out).
(6) Also, in case of requests for information and the assertion of user rights, we point out, that these can be claimed most effectively from the providers. Only the providers have access to the users‘ data and directly can take appropriate measures and give information. If you still need any help, you might contact us.
Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com,
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
We have entered into an agreement on joint processing of personal data with Facebook.
Regarding Instagram the following applies:
12. Cloud Services by Google
(1) Google's Cloud, including software services, is used to store and manage documents, manage calendars, send and store emails, create spreadsheets and presentations, and quickly share files of different content.
Here, the personal data of the users are processed, as far as they become part of the documents and contents processed within the described services or are part of communication processes. For example, master and contact data of users, data on transactions, contracts, other processes and their contents, belong to this. Google also processes usage data and metadata, used by Google for security and service optimization purposes.
(2) By using the Google Cloud for public sharing of documents, websites or other content, the user agrees that data fragments are stored on the respective device, which serve advertising purposes or retain the user settings (so-called "cookies").
(3) The use of the cloud is pursuant to Art. 6 (1) (f) GPDR. Legitimate interests of use are the optimisation and digitisation of administrative tasks as well as fast internal communication. For this purpose, we have entered into an agreement for contract data processing with Google; the terms of it can be viewed at the following link: (https://cloud.google.com/terms/data-processing-terms).
(5) Google Cloud Services are provided by Google Ireland Limited. In case a transfer to the US occurs, we refer to Google USA certification under the Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000000001L5AAI&status=Active) and standard safeguard clauses (https://cloud.google.com/terms/data-processing-terms).
13. Your rights as data subject
If your personal data is processed, you are ‘data subject’ as laid down in GDPR and you have following rights to the controller:
a. Right of access
You may ask the controller to confirm if your personal data is processed by us.
If so, you can request details about following information from the controller:
(1) the purposes of processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom your personal data have been or will be disclosed
(4) the envisaged period for which the personal data will be stored, or, if specific information is not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) any available information as to their source; where the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22(1) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information, if your personal have been transferred to third countries or international organisations. In this connection, you can request the appropriate guarantees in accordance with. Art. 46 GDPR in connection with the transfer.
b. Right to rectification
You have the right to obtain the rectification and/or completion of inaccurate or incomplete personal data concerning you. The controller has to make the rectification without undue delay.
c. Right to restriction of processing
Under the following conditions you have the right to obtain from the controller restriction of processing of personal data concerning you:
(1) if you contest accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) if processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
(4) if you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing pursuant to the above-mentioned conditions, you will be informed by the controller before the restriction of processing is lifted.
d. Right to erasure (‘right to be forgotten’)
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) You withdraw consent on which the processing is based according to Art. 6(1) (a) GDPR, or Art. 9(2) (a) GDPR, and where there is no other legal ground for the processing;
(3) You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
(4) Your personal data have been unlawfully processed.
(5) Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) Your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
There is no right to erasure, to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) GDPR as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
e. Right to information
If you have asserted the right to rectification, erasure or restriction of processing to the controller, the controller has to communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about those recipients by the controller.
f. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format.
You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6(1) (b) GDPR and
(2) the processing is carried out by automated means.
In exercising these rights, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Rights and freedoms of others shall not be affected by that. That right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
g. Right to object
You have the right to object, on grounds relating your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR including profiling based on those provisions.
The controller no longer processes your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data are no longer processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the right to object by automated means using technical specifications.
h. Right to revocation of declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
i. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(2) is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or (3) is based on your explicit consent.
But these shall not be based on special categories of personal data referred to in Art. 9(2)1) GDPR, unless Art. 9 (2) (a) or (g) of GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
j. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The competent supervisory authority is
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
14. Contact for data protection
Controller within the meaning of GDPR is
T: +49 (0) 201 7640 9624
15. Update to this Policy
Last Update: 4th of October 2019