If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right to information
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipient or the categories of recipients to whom the personal data concerning you was disclosed or is yet to be disclosed;
- the planned duration of storage of the personal data concerning you or, if giving specific details on this is not feasible, criteria for laying down the storage duration;
- the existence of a right to correction or deletion of personal data concerning you, a right to restriction of processing by the responsible party or a right to object to this processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data if the personal data was not collected from the concerned person;
- the existence of automated decision-making, including profiling, as per Article 22 sections 1 and 4 of GDPR and – at least in these cases – meaningful information about the logic involved as well as the consequences and the intended effects of such processing for the concerned person.
You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed about the suitable guarantees as per Article 46 of GDPR in connection with the transfer.
2. Right to correction
You have a right to correction and/or completion vis-à-vis the responsible party if the processed personal data concerning you is incorrect or incomplete. The responsible party has to perform the correction promptly.
3. Right to restriction of processing
Under the following conditions, you can request the restriction of processing of personal data concerning you:
- if you dispute the accuracy of the personal data concerning you, for a duration which enables the responsible party to review the accuracy of the personal data;
- the processing is unlawful and you decline the deletion of the personal data and instead request the restriction of use of the personal data;
- the responsible party no longer needs the personal data for the purposes of processing, but you need it for the assertion, exercise or defence of legal claims, or
- if you have appealed against the processing as per Article 21 section 1 of GDPR and it is not yet certain whether the legitimate reasons of the responsible party outweigh your reasons.
If the processing of personal data concerning you was restricted, this data may – apart from its storage – be processed only with your consent or for assertion, exercise or defence of legal claims or for protection of rights of another natural or legal person or for reasons of important public interest of the union or a member state.
If the processing was restricted in accordance with the above-mentioned conditions, you will be informed by the responsible party before the restriction is lifted.
4. Right to deletion
a) Obligation to deletion
You can request the responsible party to promptly delete the personal data concerning you, and the responsible party is obliged to promptly delete this data, provided one of the following factors is true:
- The personal data concerning you is no longer needed for the purposes for which it was collected or was processed in another way.
- You revoke your consent on which the processing as per Article 6 section 1 lit. a or Article 9 section 2 lit. a of GDPR was based, and there is otherwise a lack of legal basis for the processing.
- You appeal as per Article 21 section 1 of GDPR against the processing and there are no primary legitimate reasons for the processing, or you appeal as per Article 21 section 2 of GDPR against the processing.
- The personal data concerning you was unlawfully processed.
- The deletion of the personal data concerning you is necessary to fulfil a legal obligation according to the Union law or the law of the member states which governs the responsible party.
- The personal data concerning you was collected in relation to information society services offered as per Article 8 section 1 of GDPR.
b) Information to third parties
If the responsible party has made personal data concerning you public and is obliged to delete it as per Article 17 section 1 of GDPR, it takes appropriate measures, including technical ones, considering the available technologies and the implementation costs, to inform those responsible for data processing who process the personal data that you, as the concerned person, have requested them to delete all links to this personal data or copies or replications of this personal data.
The right to deletion does not exist if the processing is required
- to exercise the right to free expression of opinion and information;
- to fulfil a legal obligation that requires the processing under the law of the union or the member states, which governs the responsible party, or to perform a task that is in public interest or occurs in exercising public authority that was delegated to the responsible party;
- for reasons of public interest in the field of public health as per Article 9 section 2 lit. h and i as well as Article 9 section 3 of GDPR;
- for purposes of archiving, scientific or historical research or statistics that are in public interest as per Article 89 section 1 of GDPR, provided the right mentioned under section a) presumably makes the attainment of the objectives of the processing impossible or seriously affects it, or
- for assertion, exercise or defence of legal claims.
5. Right to consultation
If you have asserted the right to correction, deletion or restriction of processing vis-à-vis the responsible party, it is obliged to communicate this correction or deletion of the data or restriction of processing to all recipients to whom the personal data concerning you was disclosed, unless this turns out to be impossible or involves a disproportionate effort. You have the right to be informed by the responsible party about these recipients.
6. Right to data portability
You have the right to obtain the personal data concerning you, which you have provided to the responsible party, in a structured, current and machine-readable format. Apart from that, you have the right to transfer this data to another responsible party without interference from the responsible party to whom the personal data was provided, if
- the processing relies on consent as per Article 6 section 1 lit. a of GDPR or Article 9 section 2 lit. a of GDPR or on a contract as per Article 6 section 1 lit. b of GDPR and
- the processing takes place by means of automatic procedures.
While exercising this right, you further have the right to have the personal data concerning you transferred directly from one responsible party to another responsible party, provided it is technically feasible. Liberties and rights of other persons must not be affected by it.
The right to data portability does not apply for processing of personal data that is necessary for the performance of a task that is in public interest or occurs in exercising public authority that was delegated to the responsible party.
7. Right of objection
You have the right, for reasons that arise from your special situation, to object at any time to the processing of the personal data concerning you which is based on Article 6 section 1 lit. e or f of GDPR; this also applies to profiling based on these provisions. The responsible party no longer processes the personal data concerning you, unless it can prove compelling and legitimate reasons that outweigh your interests, rights and liberties, or the processing serves the assertion, exercise or defence of legal claims. If the personal data concerning you is processed for direct advertising, you have the right to object at any time to the processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling, provided it is in connection with such direct advertising. If you object to the processing for the purposes of direct advertising, then the personal data concerning you will no longer be processed for these purposes. You have the option to exercise your right to objection in the context of the use of services of the information society – irrespective of Directive 2002/58/EC – by means of automatic procedures, where technical specifications are used.
8. Right to revocation of declaration of consent under the data privacy law
You have the right to withdraw your declaration of consent under data privacy law at any time. The revocation of the consent does not affect the legality of the processing that has happened based on the consent until the revocation.
9. Automated decision in individual cases including profiling
You have the right not to be subjected to a decision based exclusively on automated processing – including profiling – that takes legal effect with respect to you or considerably affects you in a similar manner. This does not apply when the decision
- is necessary for the conclusion or fulfilment of a contract between you and the responsible party,
- is permissible by virtue of the legislations of the union or member states, which govern the responsible party and these legislations include appropriate measures for the protection of your rights and liberties and your legitimate interests or
- happens with your express consent.
However, these decisions may not be based on special categories of personal data under Article 9 section 1 of GDPR, unless Article 9 section 2 lit. a or g of GDPR applies and appropriate measures for the protection of rights and liberties as well as your legitimate interests are taken. With respect to the cases stated in (1) and (3), the responsible party takes appropriate measures to protect the rights and liberties and your legitimate interests, which include at least the right to obtain the intervention of a person from the responsible party, to state one's own standpoint and to contest a decision.
10. Right to complain to a supervisory authority
Regardless of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, especially in the member state of your residence, your workplace or the location of the presumed infringement, if you are of the view that the processing of personal data concerning you infringes the GDPR. The supervisory authority with which the complaint was filed informs the complainant about the status and the results of the complaint, including the possibility of a judicial remedy according to Article 78 of GDPR.
External data protection officer
In case of questions on data protection, please contact our external data protection officer:
Mr. Matthias Lindner
c/o intersoft consulting services AG
Beim Strohhause 17
Modifications of privacy statement
The constant technological advancement, changes to our services or the legal position as well as other reasons can necessitate adaptations of our privacy notices. We shall announce the changes in due time on this site. Therefore, we request you to regularly keep yourself informed about the latest status. This statement is in accordance with the status of May 2018.