Data privacy statement pursuant to GDPR
Name and address of the controller
The controller within the meaning of the General Data Protection Regulation of the EU (GDPR) and other national data protection laws of the Member States, as well as other data protection provisions:
10365 Berlin [Germany]
Manager: Vitalij Kungel
Fax: +49 (0) 30 208 478 250
Email: [email protected]
HRB 175197 B, Local Court of Berlin-Charlottenburg
VAT ID: DE305780777
Name and address of the data protection officer
The data protection officer of the controller:
External data protection officer:
Ms. Kathrin Maiwald
14542 Werder (Havel) [Germany]
Email: [email protected]
1. General information relating to data processing
1.1. Scope of personal data processing
We generally only collect and use our users’ personal data to the extent necessary for providing a functioning website and for our content and products and services. Our users’ personal data are routinely collected and used only after the user’s consent has been obtained. An exception is made in cases where it is not possible to obtain the consent beforehand for factual reasons and processing of the data is permitted by statutory provisions.
Personal data are only collected if you voluntarily communicate that to us in the context of your order. We exclusively use the data you have provided to process and complete your order unless you have given further consent. Upon complete processing of the contract and full payment of the purchase price, your data will be blocked for further use and deleted after the retention period for tax and business records has expired insofar as you have not explicitly consented to further use of your data.
1.2. Disclosure of personal data
Your data will be passed on to the shipping company engaged to carry out the shipment to the extent required to deliver the goods. We will pass your payment data on to the financial institution engaged for the payment or to the payment service selected in the ordering process in order to process payments.
1.3. Use of personal data when Klarna is selected as the payment option
If you have selected Klarna’s payment services such as Klarna invoice or Klarna instalment purchase as the payment option, you have consented to us collecting and passing on the following personal data that we need to process the purchase on account and carry out an identity check and credit check, such as first name and last name, address, date of birth, gender, email address, IP address, phone number, as well as the data required to complete the purchase on account that are associated with the order, such as the number of articles, article number, invoice amount and taxes as a percentage. Transmission of this data takes place so Klarna can issue an invoice and perform an identity check and credit check to process your purchase with the invoice processing you have selected. According to the German Federal Data Protection Law, Klarna has a justified interest in the transmission of the buyer’s personal data in this context and requires same in order to obtain information for the purpose of performing an identity check and credit check from credit reference agencies. In Germany, this may be one of the following credit reference agencies:
1. Bürgel Wirtschaftsinformationen GmbH & Co. KG, Postfach 5001 66, 22701 Hamburg
2. Creditreform Boniversum GmbH, Hellersbergstrasse 11 41460 Neuss
3. Deltavista GmbH, Freisinger Landstr. 74 80939 München
4. Arvato Infoscore Consumer Data GmbH and Infoscore Consumer Data GmbH,Rheinstrasse 99, 76532 Baden-Baden
5 SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden
In the context of the decision on the establishment, execution or termination of the contractual relationship, Klarna also collects and uses information about the buyer’s payment history, as well as probability values regarding their performance in the future, in addition to an address check. Klarna calculates these scores on the basis of a scientifically recognised statistical, mathematical procedure. To this end, Klarna will use your address data among others. In the event that this calculation shows that you are not creditworthy, Klarna will inform you immediately.
Payment by instant transfer (Sofort) (Klarna)
We also offer the option of paying by instant transfer. All you need to do this is your account number, BIC or bank sort code and the PIN and TAN numbers of your online banking account. As part of the ordering process, you will automatically be directed to the secure payment form of Sofort GmbH. You will receive a confirmation of the transaction immediately afterwards. After that, the amount will be credited directly to our account. Anyone with an activated online banking account set up for the PIN/TAN procedure may use Sofort instant transfer as a payment option. Please note that there are a few banks that still do not support payment by instant transfer.
Withdrawal of consent to the use of personal data vis-à-vis Klarna.
1. You may withdraw your consent to the use of personal data vis-à-vis Klarna any time. However, Klarna may perhaps continue to be authorised to process, use and transmit the personal data to the extent required for contractual payment processing by Klarna’s services, by law or by a court or an authority.
2. Of course, you can obtain information any time about the personal data stored by Klarna. This right is guaranteed by the German Federal Data Protection Law. In the event that you as the buyer wish to obtain this information or inform Klarna about changes relating to the stored data, you can contact Klarna at [email protected].
1.4. Payment processing using PayPal
1.5. Legal basis for the processing of personal data
To the extent that we obtain the consent for the processing procedures of personal data from the data subject, Art. 6 (1) (a) of the General Data Protection Regulation of the EU (GDPR) serves as the legal basis. During the processing of personal data, which is necessary for the performance of a contract, the contracting party of which the data subject is, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing procedures needed to carry out pre-contractual measures. To the extent that personal data need to be processed to comply with a legal obligation that is binding on our company, Art. 6 (1) (c) GDPR serves as the legal basis. In the event that vital interests of the data subject or of another natural person make it necessary to process personal data, Art. 6 (1) (d) GDPR serves as the legal basis. If the processing is needed to protect a legitimate interest of our company or of a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the first-mentioned interests, Art. 6 (1) (f) GDPR shall serve as the legal basis for the processing.
1.6. Deletion of data and duration of storage
The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage ceases. The data may be stored beyond the foregoing if provided for by the European or national legislator in legal Union regulations, laws or other regulations which the controller is subject to. Blocking or deletion of the data shall also take place if a storage period prescribed by the aforementioned standards expires, unless there is a necessity to continue to store the data in order to enter into a contract or perform a contract.
2. Provision of the website and creation of log files
2.1. Description and scope of data processing
Each time our website is viewed, our system automatically collects data and information about the computer system of the accessing computer.
The following data are collected in this process:
1. Information about the type of browser and the version used
2. The user’s operating system
3. The user’s Internet service provider
4. The user’s IP address
5. Date and time of the access
6. Websites from which the user’s system has accessed our website
7. Websites that are accessed from our website by the user’s system
The log files contain IP addresses or other data permitting association with a user. This may be the case, for example, if the link to the website from which the user accesses the website or the link to the website from which the user transfers contains personal data.
The data are also stored in the log files of our system. The user’s IP addresses or other data permitting an association of the data with a user are not affected by the foregoing. Storage of this data together with other personal data of the user does not take place.
2.2. Legal basis for the data processing
Article 6 (1) (f) GDPR serves as the legal basis for the temporary storage of the data and the log files.
2.3. Purpose of the data processing
The temporary storage of the IP address by the system is needed to permit delivery of the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
Storage in log files takes place in order to ensure the website’s ability to function. In addition, the data helps us optimize the website and ensure the security of our information technology systems. An analysis of the data for marketing purposes does not take place in this process.
Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
2.4. Duration of storage
The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. In the event of collection of the data to provide the website, this is the case when the respective session is ended.
In the event that the data are stored in log files, this will be the case after not later than seven days. Storage extending beyond that limit is possible. In this case, the user’s IP address will be erased or masked, so that it can no longer be associated with the viewing client.
2.5. Option of objection and removal
Collection of the data for provision of the website and storage of the data in log files is essential for the operation of the website. Therefore, the user has no option of objection.
3.1.1. Description and scope of data processing (analysis of surfing behaviour)
1. Search terms entered
2. Frequency of page views
3. Use of website functions
The data collected in this way are pseudonymised by technical precautions. Therefore, it is no longer possible to associate the data with the user viewing the website. The data are not stored together with other personal data of the users.
3.1.2. Description and scope of the data processing (shopping cart function)
Some cookies are persistently stored on your computer to enable us to recognize your computer on your next visit (persistent cookies). Our partners are not permitted to collect, process or use personal data by means of cookies through our website. Most browsers accept cookies by default. You can allow or disallow temporary and persistent cookies independently of each other in the security settings. If you deactivate cookies, certain functions on our website may not be available to you and some websites may not be displayed correctly. Temporary cookies must be allowed in order to use our shopping cart! The data stored in our cookies are not linked to your personal data (name, address, etc.). We will not link the data stored in our cookies with your personal data (name, address, etc.) without your explicit consent.
3.2. Data collection by the use of Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable an analysis of your use of the website. The information collected may include information about the operating system, the browser, your IP address, the website you viewed previously (the referrer URL) and the date and time of your visit to our website. The information on the use of our website created by this text file is transmitted to a Google server in the USA and stored there. Google will use this information to analyse your use of our website, to compile reports on the website activity for the website operator and to provide other services associated with the use of the website and use of the Internet. If required by law or to the extent that third parties process data on Google’s behalf, Google will also pass this information on to such third parties. This use will take place in an anonymized or pseudonymised form. You can obtain more detailed information concerning this directly from Google. Please click here.
3.3. Legal basis for the data processing
3.4. Purpose of the data processing
Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the use of the analysis cookies, we learn about how the website is used, so that we can constantly optimise our products and services. Our legitimate interest in processing personal data pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
3.5. Duration of storage, option of objection and removal
4.1. Description and scope of data processing
You can subscribe to a free newsletter on our website. When you register for the newsletter, the data from the input mask are transmitted to us. In addition, the following data are collected during the registration:
1. The IP address of the accessing computer
2. Date and time of the registration
As part of the registration process, your consent is obtained and reference is made to this data privacy statement for the purpose of processing the data. No data are passed on to third parties in connection with the data processing for delivery of the newsletter. The data are exclusively used to deliver the newsletter.
We use the MailChimp mailing list provider to send our newsletter. MailChimp is a service provided by The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA (“Rocket”). Rocket signed the so-called “Safe Harbour Agreement” on 22 JUL 2008, which is a data privacy agreement between the European Union and the United States.
The data stored during registration is transmitted to Rocket and stored by Rocket. The data entered during registration is not transmitted to other third parties. After you have registered, MailChimp will send you an email confirming your registration. Furthermore, MailChimp provides diverse analysis options relating to how the delivered newsletter is opened and used, such as the number of users an email was sent to, whether emails were rejected and whether users unsubscribed from the list after receiving an email. However, these analyses are only group related and are not used by us for any individual analysis. MailChimp also uses the Google Analytics analysis tool by Google, Inc. and incorporates it in the newsletter in some circumstances. You can find more details on Google Analytics in this data privacy statement under “Data collection by the use of Google Analytics.” You can find more information on data privacy at MailChimp under: http://mailchimp.com/legal/privacy/.
4.2. Legal basis for the data processing
If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing after registration for the newsletter by the user.
4.3. Purpose of the data processing
The user’s email address is collected for delivery of the newsletter.
The collection of other personal data as part of the registration process serves to prevent abuse of the services or of the email address used.
4.4. Duration of storage
The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. Accordingly, the user’s email address shall be stored as long as the subscription to the newsletter is active.
4.5. Option of objection and removal
The subscription to the newsletter can be cancelled any time by the user concerned. There is a corresponding button on the website under Newsletter for this purpose.
5.1. Description and scope of data processing
On our website, we offer users the opportunity to register by providing personal data. In the process, the data are entered in an encrypted input mask, transmitted to a service provider and stored. The following data are collected as part of the registration process:
3. Form of address, first name, last name
The following data are stored at the time of registration:
1. The user’s IP address
2. Date and time of the registration
As part of the registration process, the user’s consent to processing of this data is obtained.
5.2. Registration using single sign-on technology (Facebook, Google and Amazon)
We offer you the opportunity to register for our service with single sign-on technology. Additional registration is thus not possible. You are guided to the desired page of the single sign-on technology provider where you can log in with your user ID. As a result, the profile information that has been stored here for you is connected to our service. The connection enables us to automatically obtain the following information from the respective provider: first name, last name, email address, user ID and gender.
Of these data, we exclusively use your first name, last name, email address, user ID and your gender. This information is essential for the conclusion of a contract, so we can identify you.
Please refer to the information on data privacy of Amazon EU S.à r.l. for more information on Amazon Sign-On and privacy settings.
5.3. Legal basis for the data processing
If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing. If the registration is for the purpose of performing a contract, the contracting party of which is the user, or of carrying out pre-contractual measures, Art. 6 (1) (b) GDPR forms an additional legal basis for the data processing.
5.4. Purpose of the data processing
Registration by the user is necessary for the performance of a contract with the user or to carry out pre-contractual measures.
The registration data are used for the purpose of processing the order in our online shop
5.5. Duration of storage
The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. This is the case for the data collected during the registration process for the purpose of performing a contract or carrying out pre-contractual measures if and when they are no longer needed to perform the contract. Even after the contract has been completed, it may be necessary to store the contracting party’s personal data in order to comply with contractual or legal obligations.
5.6. Option of objection and removal
As the user, you have the option at any time of cancelling the registration. You may have the stored data concerning you changed at any time. Cancellation by email or post:
10365 Berlin [Germany]
Fax: +49 30 208 478 250
Email: [email protected]
If the data are needed to perform a contract or carry out pre-contractual measures, premature erasure of the data is only possible to the extent that the erasure does not violate any contractual or legal obligations.
6. Contact form and email contact
6.1. Description and scope of data processing
There is a contact form on our website that can be used to contact us electronically. If the user makes use of this opportunity, the data entered in the input mask are transmitted to us and stored. These data comprise:
1. Form of address
4. Phone number for callback
The following data are also stored at the time the message is sent:
1. The user’s IP address
2. Date and time of the registration
For the purpose of processing the data, your consent is obtained and reference is made to this data privacy statement as part of the registration process. Alternatively, you can contact us by using the email address provided. In this case, the user’s personal data transmitted with the email will be stored.
No data will be passed on to third parties in this context. The data are exclusively used to process the conversation.
Use of WhatsApp
A WhatsApp button (WhatsApp Share button) is used on our homepage. With this button, you can share contents of our homepage as a personal message using your mobile phone by means of the WhatsApp Share button. If you use the WhatsApp button, the operator of WhatsApp will find out hich contents were shared and that the Share button on our website was used. You can find more information at: https://www.whatsapp.com/legal/?lang=en.
6.2. Legal basis for the data processing
If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing.
Art. 6 (1) (f) GDPR forms the legal basis for processing the data transmitted while an email is being sent. If the email contact is aimed at concluding a contract, Art. 6 (1) (b) GDPR forms an additional legal basis for the data processing.
6.3. Purpose of the data processing
Processing of the personal data from the input mask is exclusively for the purpose of processing the contact process. If we are contacted by email, the necessary legitimate interest in processing the data also lies in this contact. The other personal data processed during the sending process serve to prevent abuse of the contact form and to ensure the security of our information technology systems.
6.4. Duration of storage
The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation with the user is ended. The conversation is ended when the circumstances indicate that the matter concerned is finally resolved. The personal data collected additionally during the sending process will be erased after not later than a period of seven days.
6.5. Option of objection and removal
The user has the option of withdrawing his or her consent to the processing of the personal data at any time. If the user contacts us by email, he or she can object to the storage of his or her personal data at any time. In that case, the conversation cannot be continued. Cancellation by email or post:
10365 Berlin [Germany]
Fax: +49 (0) 30 208 478 250
E-mail: [email protected]
All the personal data stored in the course of the contact process will be erased in this case.
7. Push notifications using Google Firebase
We offer cost-free push notification service on our website. You can subscribe to this service by clicking on the “Allow” button. The subscription can be cancelled at any time in your browser settings.
8. Social Media
Our sites use functions of Google +1. They are provided by Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Collection and disclosure of information: With the help of the Google +1 button, you can share information worldwide. You and other users receive personalised content from Google and our partners through the Google +1 button. Google stores both the information that you have voted +1 for a piece of content and information about the site you were viewing when you clicked +1. Your +1s can be displayed as information with your profile name and photo in Google services, such as in search results or your Google profile, or in other places on websites and advertisements on the Internet. Google records information about your +1 activities to improve Google services for you and others. In order to use the Google +1 button, you need a public Google profile that is visible worldwide, which must at least contain the name that was selected for the profile. This name is used by all Google services. In some cases, this name can also replace another name that you have used when sharing content using your Google account. The identity of your Google profile can be shown to users who know your email address or have other identifying information about you available.
Plugins of the social network, Facebook, operated by Facebook, Inc., 1 Hacker Way, Menlo Park, California 94025, USA, are integrated into our website. The Facebook plugins can be recognised by the Facebook logo or the “Like” button on our page. You can find an overview of the Facebook plugins here: developers.facebook.com/docs/plugins/
When you visit our website, the plugin establishes a direct link between your browser and the Facebook server. This informs Facebook that you have visited our website with your IP address. If you click the Facebook “Like” button while you are logged into your Facebook account, you can link the content of our website to your Facebook profile. This allows Facebook to assign your visit to our website to your user account.Please note that we as the operator of the website do not receive any information about the transmitted data or the use of such data by Facebook. You can find more information about this subject in Facebook’s Data Policy at https://www.facebook.com/privacy/explanation. If you do not want Facebook to be able to assign the visit to our website to your Facebook user account, please log out of your Facebook user account.
Communication by Facebook Messenger
This website uses Facebook Messenger by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) as an additional medium of communication. The data and content of communication are processed by use of servers in the USA. Facebook also analyses the metadata of the communication, but not the content of the messages, for advertising purposes.For more details, please refer to Facebook’s Data Policy.
Use of the chatbot provider ManyChat
This website uses automations in Facebook Messenger by use of the chatbot tool by third-party provider ManyChat: [email protected], 220 Golden Oak Dr, Portola Valley, CA, 94028, USA manychat.com. The data and content of the communication are processed by use of servers in the USA and exchanged with Facebook Messenger. There is no influence on the data processing of ManyChat and Facebook.
On this website, the controller has integrated components of YouTube. YouTube is an Internet video portal that enables video publishers to set video clips and other users free of charge, which also allows free viewing, rating and commenting on them. YouTube allows you to publish all kinds of videos, so you can access both full movies and TV broadcasts, but also music videos, trailers and videos made by users through the Internet portal.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each access to one of the individual pages of this website, which is operated by the controller and on which a YouTube component (YouTube video) has been integrated, causes the Internet browser on the information technology system of the data subject to be automatically prompted by the respective YouTube component to download a display of the corresponding YouTube component of YouTube. You can find more information about YouTube at https://www.youtube.com/intl/en-GB/yt/about/ . During the course of this technical procedure, YouTube and Google gain knowledge about which specific sub-page of our website was visited by the data subject.
If the data subject is logged in on YouTube, when a sub-page containing a YouTube video is accessed, YouTube will recognise which specific sub-page of our website the data subject has visited. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.
YouTube and Google will always receive information through the YouTube component that the data subject has visited our website, if the data subject is simultaneously logged in on YouTube at the time of the access to our website; this occurs regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want the transmission of such information to YouTube and Google, they can prevent the transmission by logging out of their YouTube account prior to accessing our website.
9. Rights of the data subject
The following list comprises all the rights of the data subjects pursuant to GDPR. Rights that are not relevant for one’s own website do not need to be mentioned. In that regard, the list can be shortened.If your personal data are processed, you are the data subject within the meaning of GDPR and you have the following rights vis-à-vis the controller:
9.1. Right to information
You may request confirmation from the controller about whether personal data concerning you are being processed by us. If such processing is taking place, you can request information from the controller about the following:
1. The purposes for which the personal data are being processed;
2. The categories of personal data that are being processed;
3. The recipients or the categories of recipients to whom the personal data concerning you were disclosed or are yet to be disclosed;
4. The planned duration of the storage of the personal data concerning you or, if it is not possible to obtain specific information about this, the criteria for determining the duration of storage;
5. The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to objection to this processing;
6. The existence of a right to complain to a supervisory authority;
7. All available information about the origin of the data, if the personal data were not collected from the data subject;
8. The existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You also have the right to request information about whether the personal data concerning you are being transferred to a third country or an international organization. In this regard, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer
9.2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are incorrect or incomplete. The controller shall carry out the rectification without undue delay.
9.3. Right to restriction of processing
You may request restriction of processing of the personal data concerning you under the following conditions:
1. If you dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;
2. The processing is unlawful and you reject erasure of the personal data and instead request restriction of the use of the personal data;
3. The Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
4. If you have objected to the processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of the processing was restricted in accordance with the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.
9.4. Right to erasure
9.4.1. Obligation to erase
You may demand that the controller erase the relevant personal data without undue delay, and the controller is obligated to promptly erase the data if one of the following applies:
1. The personal data concerning you are no longer necessary in relation to the purpose for which they were collected or otherwise processed.
2. You withdraw your consent on which the processing is based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal ground for the processing.
3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
4. The personal data concerning you have been unlawfully processed.
5. The personal data concerning you have to be erased to comply with a legal obligation under Union or Member State law to which the controller is subject.
6. The personal data concerning you were collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
9.4.2. Information to third parties
If the controller has made the personal data concerning you public and is obligated to erase them pursuant to Art. 17 (1) GDPR, the controller, taking account of available technology and the cost of implantation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject request the erasure by such controllers of any links to, or copy or replication of, those personal data.
There is no right to erasure if the processing is necessary
1. To exercise the right of freedom of expression and information;
2. To comply with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. For reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;
4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, to the extent that the right referred to in subsection (3) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. To establish, exercise or defend legal claims.
9.5. Right to notification
If you have claimed the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you were disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed of these recipients by the controller.
9.6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to have these data transmitted to another controller without hindrance from the controller to which the personal data were provided, if
1. The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or a contract pursuant to Art. 6 (1) (b) GDPR and
2. The processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another if this is technically feasible. This may not adversely affect the freedoms and rights of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9.7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; including profiling based on these provisions. The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes. In the context of the use of information society services, you have the opportunity – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.
9.8. Right to withdraw the declaration of consent regarding data privacy
You have the right to withdraw your declaration of consent regarding data privacy at any time. A withdrawal of consent does not affect the lawfulness of any processing done up to the time of withdrawal.
9.9. Automated individual decision-making, including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
1. Is necessary to enter into or perform a contract between you and the controller;
2. Is authorised by Union or Member State law to which the controller is subject, and these legal provisions also lay down suitable measures to safeguard your rights and freedoms and legitimate interests, or
3. Is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR unless Art. 9 (2) (a) or (g) GDPR apply and suitable measures have been taken to protect your rights and freedoms and legitimate interests.
In the cases referred to in sections 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
9.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you are of the opinion that the processing of personal data relating to you violates the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
Last edited on: 23.05.2018 v1.0