PRIVACY POLICY

Data privacy statement pursuant to GDPR

Name and address of the controller

The controller within the meaning of the General Data Protection Regulation of the EU (GDPR) and other national data protection laws of the Member States, as well as other data protection provisions:

 

Zoobio GmbH

Josef-Orlopp-Strasse 55

10365 Berlin [Germany]

 

Manager: Vitalij Kungel

 

Fax: +49 (0) 30 208 478 250

Email: [email protected]

 

Commercial register:

HRB 175197 B, Local Court of Berlin-Charlottenburg

VAT ID: DE305780777

 

Name and address of the data protection officer

The data protection officer of the controller:

External data protection officer:

BfbA GmbH

Ms. Kathrin Maiwald

Eisenbahnstrasse 109

14542 Werder (Havel) [Germany]

 

Email: [email protected]

https://www.bfba.eu

 

1. General information relating to data processing

1.1. Scope of personal data processing

We generally only collect and use our users’ personal data to the extent necessary for providing a functioning website and for our content and products and services. Our users’ personal data are routinely collected and used only after the user’s consent has been obtained. An exception is made in cases where it is not possible to obtain the consent beforehand for factual reasons and processing of the data is permitted by statutory provisions.

Personal data are only collected if you voluntarily communicate that to us in the context of your order. We exclusively use the data you have provided to process and complete your order unless you have given further consent. Upon complete processing of the contract and full payment of the purchase price, your data will be blocked for further use and deleted after the retention period for tax and business records has expired insofar as you have not explicitly consented to further use of your data.

1.2. Disclosure of personal data

Your data will be passed on to the shipping company engaged to carry out the shipment to the extent required to deliver the goods. We will pass your payment data on to the financial institution engaged for the payment or to the payment service selected in the ordering process in order to process payments.

1.3. Use of personal data when Klarna is selected as the payment option

If you have selected Klarna’s payment services such as Klarna invoice or Klarna instalment purchase as the payment option, you have consented to us collecting and passing on the following personal data that we need to process the purchase on account and carry out an identity check and credit check, such as first name and last name, address, date of birth, gender, email address, IP address, phone number, as well as the data required to complete the purchase on account that are associated with the order, such as the number of articles, article number, invoice amount and taxes as a percentage. Transmission of this data takes place so Klarna can issue an invoice and perform an identity check and credit check to process your purchase with the invoice processing you have selected. According to the German Federal Data Protection Law, Klarna has a justified interest in the transmission of the buyer’s personal data in this context and requires same in order to obtain information for the purpose of performing an identity check and credit check from credit reference agencies. In Germany, this may be one of the following credit reference agencies:

​1. Bürgel Wirtschaftsinformationen GmbH & Co. KG, Postfach 5001 66, 22701 Hamburg

​2. Creditreform Boniversum GmbH, Hellersbergstrasse 11 41460 Neuss

3. Deltavista GmbH, Freisinger Landstr. 74 80939 München

4. Arvato Infoscore Consumer Data GmbH and Infoscore Consumer Data GmbH,Rheinstrasse 99, 76532 Baden-Baden

5 SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden

In the context of the decision on the establishment, execution or termination of the contractual relationship, Klarna also collects and uses information about the buyer’s payment history, as well as probability values regarding their performance in the future, in addition to an address check. Klarna calculates these scores on the basis of a scientifically recognised statistical, mathematical procedure. To this end, Klarna will use your address data among others. In the event that this calculation shows that you are not creditworthy, Klarna will inform you immediately.

Payment by instant transfer (Sofort) (Klarna)
We also offer the option of paying by instant transfer. All you need to do this is your account number, BIC or bank sort code and the PIN and TAN numbers of your online banking account. As part of the ordering process, you will automatically be directed to the secure payment form of Sofort GmbH. You will receive a confirmation of the transaction immediately afterwards. After that, the amount will be credited directly to our account. Anyone with an activated online banking account set up for the PIN/TAN procedure may use Sofort instant transfer as a payment option. Please note that there are a few banks that still do not support payment by instant transfer.

Withdrawal of consent to the use of personal data vis-à-vis Klarna.
1. You may withdraw your consent to the use of personal data vis-à-vis Klarna any time. However, Klarna may perhaps continue to be authorised to process, use and transmit the personal data to the extent required for contractual payment processing by Klarna’s services, by law or by a court or an authority.

2. Of course, you can obtain information any time about the personal data stored by Klarna. This right is guaranteed by the German Federal Data Protection Law. In the event that you as the buyer wish to obtain this information or inform Klarna about changes relating to the stored data, you can contact Klarna at [email protected].

1.4. Payment processing using PayPal

If you select payment using PayPal, credit card using PayPal, direct debit using PayPal or – if offered – “purchase on account” using PayPal, we will forward your payment data to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”) in the context of payment processing. PayPal reserves the right to perform a credit check for the payment options of credit card using PayPal, direct debit using PayPal or – if offered – “purchase on account” using PayPal. PayPal will use the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The information on creditworthiness may contain probability values (so-called scores). To the extent that scores are included in the result of the credit check, they are based on a scientifically recognized mathematical, statistical procedure. Among others, address data are included in the calculation of the scores. Please refer to the Privacy Policy for PayPal Services for more legal information relating to data protection, including with regard to the credit reference agencies used.

1.5. Legal basis for the processing of personal data

To the extent that we obtain the consent for the processing procedures of personal data from the data subject, Art. 6 (1) (a) of the General Data Protection Regulation of the EU (GDPR) serves as the legal basis. During the processing of personal data, which is necessary for the performance of a contract, the contracting party of which the data subject is, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing procedures needed to carry out pre-contractual measures. To the extent that personal data need to be processed to comply with a legal obligation that is binding on our company, Art. 6 (1) (c) GDPR serves as the legal basis. In the event that vital interests of the data subject or of another natural person make it necessary to process personal data, Art. 6 (1) (d) GDPR serves as the legal basis. If the processing is needed to protect a legitimate interest of our company or of a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the first-mentioned interests, Art. 6 (1) (f) GDPR shall serve as the legal basis for the processing.

1.6. Deletion of data and duration of storage

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage ceases. The data may be stored beyond the foregoing if provided for by the European or national legislator in legal Union regulations, laws or other regulations which the controller is subject to. Blocking or deletion of the data shall also take place if a storage period prescribed by the aforementioned standards expires, unless there is a necessity to continue to store the data in order to enter into a contract or perform a contract.

2. Provision of the website and creation of log files

2.1. Description and scope of data processing

Each time our website is viewed, our system automatically collects data and information about the computer system of the accessing computer.

The following data are collected in this process:

1. Information about the type of browser and the version used

2. The user’s operating system

3. The user’s Internet service provider

4. The user’s IP address

5. Date and time of the access

6. Websites from which the user’s system has accessed our website

7. Websites that are accessed from our website by the user’s system

The log files contain IP addresses or other data permitting association with a user. This may be the case, for example, if the link to the website from which the user accesses the website or the link to the website from which the user transfers contains personal data.

The data are also stored in the log files of our system. The user’s IP addresses or other data permitting an association of the data with a user are not affected by the foregoing. Storage of this data together with other personal data of the user does not take place.

2.2. Legal basis for the data processing

Article 6 (1) (f) GDPR serves as the legal basis for the temporary storage of the data and the log files.

2.3. Purpose of the data processing

The temporary storage of the IP address by the system is needed to permit delivery of the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.

Storage in log files takes place in order to ensure the website’s ability to function. In addition, the data helps us optimize the website and ensure the security of our information technology systems. An analysis of the data for marketing purposes does not take place in this process.

Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.

2.4. Duration of storage

The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. In the event of collection of the data to provide the website, this is the case when the respective session is ended.

In the event that the data are stored in log files, this will be the case after not later than seven days. Storage extending beyond that limit is possible. In this case, the user’s IP address will be erased or masked, so that it can no longer be associated with the viewing client.

2.5. Option of objection and removal

Collection of the data for provision of the website and storage of the data in log files is essential for the operation of the website. Therefore, the user has no option of objection.

3. Use of cookies

3.1.1. Description and scope of data processing (analysis of surfing behaviour)

We use cookies permitting an analysis of the user’s surfing behaviour on our website. The following data can be transmitted in this manner:

1. Search terms entered

2. Frequency of page views

3. Use of website functions

The data collected in this way are pseudonymised by technical precautions. Therefore, it is no longer possible to associate the data with the user viewing the website. The data are not stored together with other personal data of the users.

3.1.2. Description and scope of the data processing (shopping cart function)

Some cookies are persistently stored on your computer to enable us to recognize your computer on your next visit (persistent cookies). Our partners are not permitted to collect, process or use personal data by means of cookies through our website. Most browsers accept cookies by default. You can allow or disallow temporary and persistent cookies independently of each other in the security settings. If you deactivate cookies, certain functions on our website may not be available to you and some websites may not be displayed correctly. Temporary cookies must be allowed in order to use our shopping cart! The data stored in our cookies are not linked to your personal data (name, address, etc.). We will not link the data stored in our cookies with your personal data (name, address, etc.) without your explicit consent.

3.2. Data collection by the use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable an analysis of your use of the website. The information collected may include information about the operating system, the browser, your IP address, the website you viewed previously (the referrer URL) and the date and time of your visit to our website. The information on the use of our website created by this text file is transmitted to a Google server in the USA and stored there. Google will use this information to analyse your use of our website, to compile reports on the website activity for the website operator and to provide other services associated with the use of the website and use of the Internet. If required by law or to the extent that third parties process data on Google’s behalf, Google will also pass this information on to such third parties. This use will take place in an anonymized or pseudonymised form. You can obtain more detailed information concerning this directly from Google. Please click here.

3.3. Legal basis for the data processing

Art. 6 (1) (f) GDPR forms the legal basis for processing personal data involving the use of cookies.

3.4. Purpose of the data processing

Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the use of the analysis cookies, we learn about how the website is used, so that we can constantly optimise our products and services. Our legitimate interest in processing personal data pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.

3.5. Duration of storage, option of objection and removal

Cookies are stored on the user’s computer and transmitted to our site from there. Therefore, you as the user have full control of the use of cookies. By changing the settings in your Internet browser, you can deactivate or limit the transmission of cookies. Cookies already stored may be erased any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that you will no longer be able to fully use all the functions of the website. The transmission of flash cookies cannot be disallowed in the settings of the browser, but this can be done by changing the settings of the flash player.

4. Newsletter

4.1. Description and scope of data processing

You can subscribe to a free newsletter on our website. When you register for the newsletter, the data from the input mask are transmitted to us. In addition, the following data are collected during the registration:

1. The IP address of the accessing computer

2. Date and time of the registration

As part of the registration process, your consent is obtained and reference is made to this data privacy statement for the purpose of processing the data. No data are passed on to third parties in connection with the data processing for delivery of the newsletter. The data are exclusively used to deliver the newsletter.

We use the MailChimp mailing list provider to send our newsletter. MailChimp is a service provided by The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA (“Rocket”). Rocket signed the so-called “Safe Harbour Agreement” on 22 JUL 2008, which is a data privacy agreement between the European Union and the United States.

The data stored during registration is transmitted to Rocket and stored by Rocket. The data entered during registration is not transmitted to other third parties. After you have registered, MailChimp will send you an email confirming your registration. Furthermore, MailChimp provides diverse analysis options relating to how the delivered newsletter is opened and used, such as the number of users an email was sent to, whether emails were rejected and whether users unsubscribed from the list after receiving an email. However, these analyses are only group related and are not used by us for any individual analysis. MailChimp also uses the Google Analytics analysis tool by Google, Inc. and incorporates it in the newsletter in some circumstances. You can find more details on Google Analytics in this data privacy statement under “Data collection by the use of Google Analytics.” You can find more information on data privacy at MailChimp under: http://mailchimp.com/legal/privacy/.

4.2. Legal basis for the data processing

If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing after registration for the newsletter by the user.

4.3. Purpose of the data processing

The user’s email address is collected for delivery of the newsletter.

The collection of other personal data as part of the registration process serves to prevent abuse of the services or of the email address used.

4.4. Duration of storage

The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. Accordingly, the user’s email address shall be stored as long as the subscription to the newsletter is active.

4.5. Option of objection and removal

The subscription to the newsletter can be cancelled any time by the user concerned. There is a corresponding button on the website under Newsletter for this purpose.

5. Registration

5.1. Description and scope of data processing

On our website, we offer users the opportunity to register by providing personal data. In the process, the data are entered in an encrypted input mask, transmitted to a service provider and stored. The following data are collected as part of the registration process:

1. Email

2. Password

3. Form of address, first name, last name

4. Address

The following data are stored at the time of registration:

1. The user’s IP address

2. Date and time of the registration

As part of the registration process, the user’s consent to processing of this data is obtained.

5.2. Registration using single sign-on technology (Facebook, Google and Amazon)

We offer you the opportunity to register for our service with single sign-on technology. Additional registration is thus not possible. You are guided to the desired page of the single sign-on technology provider where you can log in with your user ID. As a result, the profile information that has been stored here for you is connected to our service. The connection enables us to automatically obtain the following information from the respective provider: first name, last name, email address, user ID and gender.

Of these data, we exclusively use your first name, last name, email address, user ID and your gender. This information is essential for the conclusion of a contract, so we can identify you.

Facebook Connect

Please refer to the information on data privacy and the terms and conditions of use of Facebook, Inc. for more information on Facebook Connect and privacy settings.

Google Sign-In

Please refer to the information on data privacy and the terms of use information on Google Sign-In and privacy settings.

Amazon Sign-On

Please refer to the information on data privacy of Amazon EU S.à r.l. for more information on Amazon Sign-On and privacy settings.

5.3. Legal basis for the data processing

If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing. If the registration is for the purpose of performing a contract, the contracting party of which is the user, or of carrying out pre-contractual measures, Art. 6 (1) (b) GDPR forms an additional legal basis for the data processing.

5.4. Purpose of the data processing

Registration by the user is necessary for the performance of a contract with the user or to carry out pre-contractual measures.

The registration data are used for the purpose of processing the order in our online shop

5.5. Duration of storage

The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. This is the case for the data collected during the registration process for the purpose of performing a contract or carrying out pre-contractual measures if and when they are no longer needed to perform the contract. Even after the contract has been completed, it may be necessary to store the contracting party’s personal data in order to comply with contractual or legal obligations.

5.6. Option of objection and removal

As the user, you have the option at any time of cancelling the registration. You may have the stored data concerning you changed at any time. Cancellation by email or post:

Zoobio GmbH

Josef-Orlopp-Strasse 55

10365 Berlin [Germany]

 

Fax: +49 30 208 478 250

Email: [email protected]

 

If the data are needed to perform a contract or carry out pre-contractual measures, premature erasure of the data is only possible to the extent that the erasure does not violate any contractual or legal obligations.

6. Contact form and email contact

6.1. Description and scope of data processing

There is a contact form on our website that can be used to contact us electronically. If the user makes use of this opportunity, the data entered in the input mask are transmitted to us and stored. These data comprise:

1. Form of address

2. Name

3. E-mail

4. Phone number for callback

5. Message

The following data are also stored at the time the message is sent:

1. The user’s IP address

2. Date and time of the registration

For the purpose of processing the data, your consent is obtained and reference is made to this data privacy statement as part of the registration process. Alternatively, you can contact us by using the email address provided. In this case, the user’s personal data transmitted with the email will be stored.

No data will be passed on to third parties in this context. The data are exclusively used to process the conversation.

Use of WhatsApp

A WhatsApp button (WhatsApp Share button) is used on our homepage. With this button, you can share contents of our homepage as a personal message using your mobile phone by means of the WhatsApp Share button. If you use the WhatsApp button, the operator of WhatsApp will find out hich contents were shared and that the Share button on our website was used. You can find more information at: https://www.whatsapp.com/legal/?lang=en.

6.2. Legal basis for the data processing

If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing.

Art. 6 (1) (f) GDPR forms the legal basis for processing the data transmitted while an email is being sent. If the email contact is aimed at concluding a contract, Art. 6 (1) (b) GDPR forms an additional legal basis for the data processing.

6.3. Purpose of the data processing

Processing of the personal data from the input mask is exclusively for the purpose of processing the contact process. If we are contacted by email, the necessary legitimate interest in processing the data also lies in this contact. The other personal data processed during the sending process serve to prevent abuse of the contact form and to ensure the security of our information technology systems.

6.4. Duration of storage

The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation with the user is ended. The conversation is ended when the circumstances indicate that the matter concerned is finally resolved. The personal data collected additionally during the sending process will be erased after not later than a period of seven days.

6.5. Option of objection and removal

The user has the option of withdrawing his or her consent to the processing of the personal data at any time. If the user contacts us by email, he or she can object to the storage of his or her personal data at any time. In that case, the conversation cannot be continued. Cancellation by email or post:

Zoobio GmbH

Josef-Orlopp-Strasse 55

10365 Berlin [Germany]

 

Fax: +49 (0) 30 208 478 250

E-mail: [email protected]

 

All the personal data stored in the course of the contact process will be erased in this case.

7. Push notifications using Google Firebase

We offer cost-free push notification service on our website. You can subscribe to this service by clicking on the “Allow” button. The subscription can be cancelled at any time in your browser settings.

8. Social Media

8.1. Google+

Our sites use functions of Google +1. They are provided by Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Collection and disclosure of information: With the help of the Google +1 button, you can share information worldwide. You and other users receive personalised content from Google and our partners through the Google +1 button. Google stores both the information that you have voted +1 for a piece of content and information about the site you were viewing when you clicked +1. Your +1s can be displayed as information with your profile name and photo in Google services, such as in search results or your Google profile, or in other places on websites and advertisements on the Internet. Google records information about your +1 activities to improve Google services for you and others. In order to use the Google +1 button, you need a public Google profile that is visible worldwide, which must at least contain the name that was selected for the profile. This name is used by all Google services. In some cases, this name can also replace another name that you have used when sharing content using your Google account. The identity of your Google profile can be shown to users who know your email address or have other identifying information about you available.

Use of the collected information: In addition to the uses explained in the above, the information you provide is used in accordance with the valid Google Privacy Policy. Google may publish aggregate statistics concerning users’ +1 activities or disclose these to users and partners, such as publishers, advertisers or linked websites.

8.2. Facebook

Plugins of the social network, Facebook, operated by Facebook, Inc., 1 Hacker Way, Menlo Park, California 94025, USA, are integrated into our website. The Facebook plugins can be recognised by the Facebook logo or the “Like” button on our page. You can find an overview of the Facebook plugins here: developers.facebook.com/docs/plugins/

When you visit our website, the plugin establishes a direct link between your browser and the Facebook server. This informs Facebook that you have visited our website with your IP address. If you click the Facebook “Like” button while you are logged into your Facebook account, you can link the content of our website to your Facebook profile. This allows Facebook to assign your visit to our website to your user account.Please note that we as the operator of the website do not receive any information about the transmitted data or the use of such data by Facebook. You can find more information about this subject in Facebook’s Data Policy at https://www.facebook.com/privacy/explanation. If you do not want Facebook to be able to assign the visit to our website to your Facebook user account, please log out of your Facebook user account.

Communication by Facebook Messenger

This website uses Facebook Messenger by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) as an additional medium of communication. The data and content of communication are processed by use of servers in the USA. Facebook also analyses the metadata of the communication, but not the content of the messages, for advertising purposes.For more details, please refer to Facebook’s Data Policy.

Use of the chatbot provider ManyChat

This website uses automations in Facebook Messenger by use of the chatbot tool by third-party provider ManyChat: [email protected], 220 Golden Oak Dr, Portola Valley, CA, 94028, USA manychat.com. The data and content of the communication are processed by use of servers in the USA and exchanged with Facebook Messenger. There is no influence on the data processing of ManyChat and Facebook.

8.3. Twitter

Functions of the Twitter service have been integrated into our website. These functions are offered by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. When you use Twitter and the “Retweet” function, the websites you visit are connected to your Twitter account and made known to other users.In this process, data will also be transferred to Twitter. We would like to point out that, as the provider of the website, we have no knowledge of the content of the data transmitted or how it is used by Twitter. You can find more information about Twitter’s privacy policy at https://twitter.com/en/privacy. You can modify your Twitter privacy settings in your account settings at https://twitter.com/settings/account.

8.4. Instagram

Functions of the Instagram service have been integrated into our website. These functions are offered by Instagram, Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can click the Instagram button to link the content of our website to your Instagram profile. This allows Instagram to assign your visit to our website to your user account. We would like to point out that, as the provider of the website, we have no knowledge of the content of the data transmitted or how it is used by Instagram.You can find more information about Instagram’s privacy policy at https://help.instagram.com/155833707900388.

8.5. YouTube

On this website, the controller has integrated components of YouTube. YouTube is an Internet video portal that enables video publishers to set video clips and other users free of charge, which also allows free viewing, rating and commenting on them. YouTube allows you to publish all kinds of videos, so you can access both full movies and TV broadcasts, but also music videos, trailers and videos made by users through the Internet portal.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Each access to one of the individual pages of this website, which is operated by the controller and on which a YouTube component (YouTube video) has been integrated, causes the Internet browser on the information technology system of the data subject to be automatically prompted by the respective YouTube component to download a display of the corresponding YouTube component of YouTube. You can find more information about YouTube at https://www.youtube.com/intl/en-GB/yt/about/ . During the course of this technical procedure, YouTube and Google gain knowledge about which specific sub-page of our website was visited by the data subject.

If the data subject is logged in on YouTube, when a sub-page containing a YouTube video is accessed, YouTube will recognise which specific sub-page of our website the data subject has visited. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.

YouTube and Google will always receive information through the YouTube component that the data subject has visited our website, if the data subject is simultaneously logged in on YouTube at the time of the access to our website; this occurs regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want the transmission of such information to YouTube and Google, they can prevent the transmission by logging out of their YouTube account prior to accessing our website.

The privacy policy published by YouTube, which is available at https://www.google.de/intl/en/policies/privacy/, provides information about the collection, processing and use of personal data by YouTube and Google.

9. Rights of the data subject

The following list comprises all the rights of the data subjects pursuant to GDPR. Rights that are not relevant for one’s own website do not need to be mentioned. In that regard, the list can be shortened.If your personal data are processed, you are the data subject within the meaning of GDPR and you have the following rights vis-à-vis the controller:

9.1. Right to information

You may request confirmation from the controller about whether personal data concerning you are being processed by us. If such processing is taking place, you can request information from the controller about the following:

1. The purposes for which the personal data are being processed;

2. The categories of personal data that are being processed;

3. The recipients or the categories of recipients to whom the personal data concerning you were disclosed or are yet to be disclosed;

4. The planned duration of the storage of the personal data concerning you or, if it is not possible to obtain specific information about this, the criteria for determining the duration of storage;

5. The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to objection to this processing;

6. The existence of a right to complain to a supervisory authority;

7. All available information about the origin of the data, if the personal data were not collected from the data subject;

8. The existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

You also have the right to request information about whether the personal data concerning you are being transferred to a third country or an international organization. In this regard, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer

9.2. Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are incorrect or incomplete. The controller shall carry out the rectification without undue delay.

9.3. Right to restriction of processing

You may request restriction of processing of the personal data concerning you under the following conditions:

1. If you dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;

​2. The processing is unlawful and you reject erasure of the personal data ​and instead request restriction of the use of the personal data;

​​3. The Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or

4. If you have objected to the processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing of the personal data concerning you has been restricted, such data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of the processing was restricted in accordance with the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.

9.4. Right to erasure

9.4.1. Obligation to erase

You may demand that the controller erase the relevant personal data without undue delay, and the controller is obligated to promptly erase the data if one of the following applies:

1. The personal data concerning you are no longer necessary in relation to the purpose for which they were collected or otherwise processed.

2. You withdraw your consent on which the processing is based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal ground for the processing.

3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.

4. The personal data concerning you have been unlawfully processed.

​5. The personal data concerning you have to be erased to comply with a legal obligation under Union or Member State law to which the controller is subject.

​6. The personal data concerning you were collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.

9.4.2. Information to third parties

If the controller has made the personal data concerning you public and is obligated to erase them pursuant to Art. 17 (1) GDPR, the controller, taking account of available technology and the cost of implantation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject request the erasure by such controllers of any links to, or copy or replication of, those personal data.

9.4.3. Exceptions

There is no right to erasure if the processing is necessary

1. To exercise the right of freedom of expression and information;

​2. To comply with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

​3. For reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;

4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, to the extent that the right referred to in subsection (3) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

5. To establish, exercise or defend legal claims.

9.5. Right to notification

If you have claimed the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you were disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed of these recipients by the controller.

9.6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to have these data transmitted to another controller without hindrance from the controller to which the personal data were provided, if

1. The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or a contract pursuant to Art. 6 (1) (b) GDPR and

​2. The processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another if this is technically feasible. This may not adversely affect the freedoms and rights of others.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9.7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; including profiling based on these provisions. The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes. In the context of the use of information society services, you have the opportunity – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

9.8. Right to withdraw the declaration of consent regarding data privacy

You have the right to withdraw your declaration of consent regarding data privacy at any time. A withdrawal of consent does not affect the lawfulness of any processing done up to the time of withdrawal.

9.9. Automated individual decision-making, including profiling

You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

1. Is necessary to enter into or perform a contract between you and the controller;

​2. Is authorised by Union or Member State law to which the controller is subject, and these legal provisions also lay down suitable measures to safeguard your rights and freedoms and legitimate interests, or

3. Is based on your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR unless Art. 9 (2) (a) or (g) GDPR apply and suitable measures have been taken to protect your rights and freedoms and legitimate interests.

In the cases referred to in sections 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.

9.10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you are of the opinion that the processing of personal data relating to you violates the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Last edited on: 23.05.2018 v1.0