Data protection

I. Controller

Responsible in the meaning of the General Data Protection Regulation (GDPR) and of the Federal Data Protection Act (BDSG):

Ciret GmbH
Platz der Republik 6-8
42107 Wuppertal

Telephone: +49 (0) 202 49 20 - 0
Fax: +49 (0) 202 49 20 – 111
E-mail: info@ciret.eu

Represented by: Jörg Heinemann, Michael Oppermann, Roland Skibbe, Markus Winnen

Register court, register number
Wuppertal District Court, HRB 9912

VAT ID pursuant to Section 27a of the German Value-Added Tax Act (UStG)

DE812806940

Data Protection Officer pursuant to GDPR and BDSG:

Storch-Ciret Business Services GmbH
Data Protection Officer
Erwin Fisch
Platz der Republik 6–8
D-42107 Wuppertal
Germany

Telephone: +49 (0) 2024920–0
E-mail: datenschutzbeauftragter@storch-ciret.com

II.    General Information on the Processing of Data

(1)    As a matter of principle, personal data are processed only where this is necessary for providing an operable website including content and services. Usually, the processing only takes place after the data subject has given his or her consent. By way of exception, the processing may take place without the data subject's consent if this is not possible for actual reasons and the processing of the data is permitted by statutory regulations.
(2)    Point (a) of Art. 6 (1) GDPR serves as the legal basis for the processing of personal data where the data subject's consent has been obtained for personal data processing operations.
Point (b) of Art. 6 (1) GDPR serves as the legal basis for the processing of personal data where this is necessary for the performance of a contract to which the data subject is party. This also applies to processing operations required for steps prior to entering into a contract.
Point (c) of Art. 6 (1) GDPR serves as the legal basis for the processing of personal data where the processing of personal data is necessary for compliance with a legal obligation to which the company is subject.
Point (f) of Art. 6 (1) GDPR serves as the basis for the processing of personal data where this is necessary for the purposes of the legitimate interests pursued by the company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

(3)    The personal data of the data subject will be erased or blocked as soon as the purpose of the storage no longer applies. Moreover, personal data may be stored if this provided for by relevant national or European regulations. The data will also be blocked or erased when a storage period stipulated by the said standards ends, unless the data need to continue to be stored for the conclusion or performance of a contract.

III.    Use of the Website

(1)    Every time the website is accessed, the system automatically records data and information from the requesting computer system.In this context, the following data are collected:

1.    IP address
2.    Date and time of the request
3.    Time zone difference from GMT (Greenwich Mean Time)
4.    Content of the web page
5.    Access status (HTTP status)
6.    Amount of data transmitted
7.    Web browser
8.    Language and version of the browser
9.    Operating system
10.  Website from which you accessed the website

The data are stored in the system's log files. These data are not stored together with other personal data of the user.

(2)    The legal basis for this is point (f) of Art. 6 (1) GDPR.

(3)    It is necessary to collect and temporarily store the IP address in order to enable the presentation of the web page on your device. For this, the IP address needs to be stored for the duration of the visit to the website. These data are not analysed for marketing purposes.

(4)    The data are erased as soon as the respective session ends. Where these data are stored in log files, the erasure takes place after no more than seven days. The data may continue to be stored thereafter. In this case, the IP addresses of the users are deleted or anonymised so that they can no longer be mapped to the requesting client.

(5)    The collection of data for the provision of the website and the storage of data in log files is mandatory for the provision of the web presence. Therefore, it is not possible to object to this.

IV.    Use of Cookies

(1)    The website uses cookies. Cookies are text files that are stored in the web browser or by the web browser on the user's computer system. This cookie contains a specific character sequence that enables unique identification of the browser when the website is accessed again. Cookies cannot transfer any viruses to the device or execute programs.Cookies help making the website more user-friendly. For some elements of the website, it is necessary to be able to identify the requesting browser even after changing pages.Transient cookies are deleted automatically when the session is closed. This includes session cookies that store the so-called session ID on the basis of which various requests of the web browser can be allocated to the same session. This enables the recognition of the device the next time session is started.Persistent cookies are deleted automatically after a predefined period that may vary depending on the cookie. The associated settings can be deleted in the web browser settings at any time.The following data are stored in the cookies:

1.    Login information
2.    Language settings
3.    Search terms entered
4.    Number of website impressions
5.    Use of individual functions of the website

(2)    The legal basis for this is point (f) of Art. 6 (1) GDPR.

(3)    The purpose of the use of technically necessary cookies is to facilitate the use of websites by the users. Some functions of the website cannot be offered without using cookies. For these functions, the browser needs to be recognised even after changing pages.The user data collected by technically necessary cookies are not used to create user profiles.

(4)    Cookies are stored on the user's computer, from where they are transmitted to us. You as the user have full control over the use of cookies. You can deactivate or limit the transmission of cookies by changing the settings of your web browser. Previously stored cookies can be deleted whenever you wish. This can even take place automatically. If cookies are deactivated for our website, it might no longer be possible to fully use all functions of the website.

V.    Google Analytics

(1)    The website uses Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). Google uses cookies ‒ text files that are stored on the device and that enable an analysis of the use of the website. The information about the use of this website, which is generated by the cookie, is usually sent to a Google server in the USA and stored there. If anonymisation of the IP address to be transmitted via the cookie is activated on the website by means of the "_anonymizeIp()" extension (hereinafter referred to as "IP anonymisation"), Google will first truncate the IP address in Member States of the European Union or other Contracting States to the Agreement on the European Economic Area. The full IP address will only be transmitted to and truncated on a Google server in the USA in exceptional cases. Google uses this information to analyse the use of the website and to compile reports about the use of the website by order of the controller and to perform other services associated with the use of the website and the use of the Internet in general. Pseudonymous usage profiles may be created from the processed data. The IP address transmitted when using Google Analytics is not consolidated with other data of Google.

The website only uses Google Analytics with activated IP anonymisation as described above. This means that Google will only process your IP address in truncated form. In this way, it cannot be associated with a specific person.

(2)    The legal basis of the processing is the legitimate interest in the analysis, optimisation and economic operation of the website pursuant to point (f) of Art. 6 (1) GDPR.

(3)    The website uses Google Analytics for the purpose of analysing the use of the website and continually improving individual functions and offers as well as the user experience. By means of the statistical analysis of the user behaviour, the offering can be improved and be made more interesting for the user. This also constitutes the legitimate interest in the processing of the aforesaid data by Google.

(4)    The storage of cookies generated by Google Analytics can be prevented by configuring the web browser settings accordingly. Note: In this case, it might not be possible to use all functions of the website. To prevent the collection of the data (including your IP address) generated by the cookies with respect to the user behaviour and the processing of these data by Google, you can download and install the web browser plugin available under the following link:
http://tools.google.com/dlpage/gaoptout?hl=enTo
make sure that Google only processes transmitted data as instructed and complies with applicable data protection regulations, the controller has concluded a processing agreement with Google.For the exceptional cases in which personal data are transmitted to the USA, Google has submitted to and is certified under the Privacy Shield agreement concluded between the European Union and the USA. Under this agreement, Google undertakes to comply with the standards and regulations of European data protection law. For further information, please refer to the following page: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Further information on the use of data by Google, settings, objections and data projection is provided on the following web pages of Google:

1.    Terms of use: http://www.google.com/analytics/terms/gb.html
2.    Privacy information: https://support.google.com/analytics/answer/6004245?hl=en
3.    Privacy policy: http://www.google.com/intl/gb/policies/privacy/
4.    Use of data by Google when you use websites or apps of our partners: https://policies.google.com/technologies/partner-sites?hl=en
5.    Use of data for advertising purposes: http://www.google.com/policies/technologies/ads/
6.    Settings concerning personalised ads by Google: http://www.google.com/settings/ads

VI.    DoubleClick Ad Exchange

(1)    The website uses DoubleClick Ad Exchange, a web advertising service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). Among other things, DoubleClick Ad Exchange uses cookies, i.e. small text files that are stored in the web browser cache on the device. The information stored in the cookies may be logged and analysed by Google or third parties. Moreover, DoubleClick Ad Exchange uses so-called web beacons to collect information. These are small, invisible images by means of which the user behaviour and the visitor traffic on the website can be recorded and analysed. The information about the use of the website, which is generated in this way, is usually sent to a Google server in the USA and stored there. Google uses this information to analyse your usage behaviour. Google may also transmit this information to third parties if this is required by law or if third parties process these data on behalf of Google. In this connection, the IP address may also be transmitted and stored. This transmission merely takes place for spam and/or fraud control purposes, e.g. in cases of ad impression spam or click spam. According to Google, these data are only accessible to the anti-abuse team. According to Google, the IP is never associated with other data stored by Google.

(2)    The legal basis of the processing is the legitimate interest in the analysis, optimisation and economic operation of the website pursuant to point (f) of Art. 6 (1) GDPR.

(3)    The website uses DoubleClick Ad Exchange for marketing and optimisation purposes, especially in order to display relevant and interesting ads, to improve the reports concerning the campaign performance or to avoid the same ads from being viewed repeatedly. This also constitutes the legitimate interest in the processing of the aforesaid data.

(4)    The storage of cookies can be prevented by deleting existing cookies and deactivating the storage of cookies in the web browser settings. Note: In this case, it might not be possible to fully use all functions of the website. The storage of cookies can also be prevented by configuring the web browser in such a way that cookies from the domain www.googleadservices.com are blocked (https://www.google.com/settings/ads). Note: If the cookies are deleted, this setting will be deleted as well. Moreover, personalised ads can be deactivated via the link

http://www.aboutads.info/choices. Note: If the cookies are deleted, this setting will be deleted as well.

Furthermore, Google has submitted to and is certified under the Privacy Shield agreement concluded between the European Union and the USA. Under this agreement, Google undertakes to comply with the standards and regulations of European data protection law. For further information, please refer to the following page:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Further information on the use of data by Google, settings, objections and data projection is provided on the following web pages of Google:

Privacy policy: http://www.google.com/intl/gb/policies/privacy/

For further information on DoubleClick by Google, see: https://www.doubleclickbygoogle.com/solutions/digital-marketing/ad-exchange/ and https://policies.google.com/technologies/ads?hl=en

VII.    Registration

(1)    The website enables users to register by specifying personal data. In this context, the data are entered in an input screen, transmitted and stored. The data are not forwarded to any third parties. The following data are collected in the registration process:Additionally, the following data are collected during the registration:

1.    IP address of the requesting computer
2.    Date and time of the registration
3.    Contact4.    Address
5.    E-mail addressDuring the registration process, consent to the processing of these data is obtained from the user, drawing attention to the Privacy Policy.

(2)    Where the user has given his or her consent, the legal basis for this is point (a) of Art. 6 (1) GDPR. If the registration serves the performance of a contract to which the user is party or in order to take steps prior to entering into a contract, point (b) of Art. 6 (1) GDPR constitutes an additional legal basis for the processing of the data.

(3)    The user needs to be registered in order to set up a customer account. The registration serves the identification of the user and the performance of the usage contract for the service.

(4)    The data are erased as soon as they are no longer required for the achievement of the purpose for which they were collected. Where the registration serves the performance of a contract or in order to take steps prior to entering into a contract, this is the case when the data are no longer required for the performance of the contract. Even after the termination of the contract, it may be necessary to store the contracting partner's personal data in order to comply with contractual or statutory obligations.

(5)    Data subjects can always modify user data in their user profile under "Settings". If the data are required for the performance of a contract or in order to take steps prior to entering into a contract, premature erasure of the data is possible only if contractual or statutory obligations do not prejudice the erasure.

VIII.    Use of the Online Shop

(1)    For orders in the online shop, we process master data (e.g. names and addresses as well as contact details of users, user names of the authorised users), contract data (e.g. services used, names of contacts, payment information) as well as the IP address and the time of the respective user action, the user ID and the accessed URLs. These data are stored in our system's log files. Moreover, the third-party data entered by the user are processed.

(2)    Where the user has given his or her consent, the legal basis for the processing of data is point (a) of Art. 6 (1) GDPR. The consent is obtained at the conclusion of the contract.Point (b) of Art. 6 (1) GDPR constitutes an additional legal basis for the processing of the data, as the processing of the said data serves the performance of a contract to which the user is party or in order to take steps prior to entering into a contract.Moreover, the processing takes place for the analysis, optimisation and economic operation of our website in order to improve our services pursuant to point (f) of Art. 6 (1) GDPR.

(3)    Purpose of the Processing1.    Master data (e.g. names, addresses and contact details of users) and contract data (e.g. services uses, names of contact, payment information) are processed for the performance of the contract and billing purposes.2.    The user name and the input of the respective user are processed in order to ensure the access authorisation of the service.3.    The IP address, the time of the respective user action and the accessed URLs are processed for the optimisation of the services and the ongoing improvement of the user experience.4.    The third-party data entered by the user are processed for the performance of the contract and the provision of the services promised in the contract.

(4)    The data are erased as soon as they are no longer required for the achievement of the purpose for which they were collected.Where the registration serves the performance of a contract or in order to take steps prior to entering into a contract, this is the case when the collected data are no longer required for the performance of the contract. Even after the termination of the contract, it may be necessary to store the contracting partner's personal data in order to comply with contractual or statutory obligations (including but not limited to retention periods under tax law).

(5)    Data subjects can modify or erase the stored data at any time.If the data are required for the performance of a contract or in order to take steps prior to entering into a contract, premature erasure of the data is possible only if contractual or statutory obligations do not prejudice the erasure. In particular, the notice periods of existing contracts remain unaffected.

IX.    Contact Forms and Contact by E-Mail

(1)    The website uses contact forms that can be used for establishing contact electronically. If used, the data entered in the input screen will be transmitted to the website and stored there. This comprises the following data:

1.    Name
2.    Company
3.    Address
4.    E-mail address
5.    Telephone number
6.    Subject of the contact

Additionally, the following data are collected when the contact is established:

1.    IP address of the requesting computer
2.    Date and time of the contact

In this connection, the data are not forwarded to any third parties. The data are used exclusively for processing the conversation.

(2)    Where the user has given his or her consent, the legal basis for the processing of data is point (a) of Art. 6 (1) GDPR.The legal basis for the processing of the data that are transmitted when sending an e-mail is point (f) of Art. 6 (1) GDPR.If the contact by e-mail aims at the conclusion or performance of a contract, point (b) of Art. 6 (1) GDPR also constitutes the legal basis for the processing.

(3)    The processing of personal data from the input screen only serves the handling of the contact. In the case of contact by e-mail, this also constitutes the required legitimate interest in the processing of the data.The other personal data processed during the submission process serve the prevention of abuse of the contact form as well as the protection of the IT systems.

(4)    The data are erased as soon as they are no longer required for the achievement of the purpose for which they were collected. For the personal data from the input screen of the contact form and those sent by e-mail, this is the case when the respective conversation with the data subject ends. The conversation will be deemed ended if the circumstances reveal that the respective issue has been conclusively clarified.The additional personal data collected during the submission process are erased after a period of seven days, at the latest.

(5)    The data subject may at any time withdraw his or her consent to the processing of personal data. In the event of a contact by e-mail, the storage of the personal data can at any time be objected to by sending an e-mail to info@storch.de. However, the conversation cannot be continued in this case.In this case, all personal data stored in connection with the contact will be erased.

X.    Live Chat

(1)    The website offers a live chat for contacts; this function can be used to contact an employee without giving any details. The following data are collected when using the live chat:

1.    IP address of the requesting computer
2.    Date and time of the contact

In this connection, the data are not forwarded to any third parties. The data are used exclusively for processing the conversation.

(2)    Where the user has given his or her consent, the legal basis for the processing of data is point (a) of Art. 6 (1) GDPR.If the contact by e-mail aims at the conclusion or performance of a contract, point (b) of Art. 6 (1) GDPR also constitutes the legal basis for the processing.

(3)    The personal data processed during the submission process serve the prevention of abuse of the contact window as well as the protection of the IT systems.

(4)    The data are erased as soon as they are no longer required for the achievement of the purpose for which they were collected. This is the case when the respective conversation with the data subject ends. The conversation will be deemed ended if the circumstances reveal that the respective issue has been conclusively clarified.

XI.    Newsletter

(1)    You can subscribe to a free newsletter. The e-mail address you enter in the input screen when subscribing to the newsletter will be transmitted.Additionally, the following data are collected during the subscription:

(1)    IP address of the requesting computer

(2)    Date and time of the subscription

In the course of the subscription process, consent to the processing of the data is obtained, and reference is made to this Privacy Policy.

(2)    The legal basis for the processing of data after the user's subscription to the newsletter with the user's consent is point (a) of Art. 6 (1) GDPR.

(3)    The collection of the user's e-mail address serves the delivery of the newsletter.The collection of other personal data during the subscription process serves the prevention of abuse of the services or of the e-mail address used.

(4)    The data are erased as soon as they are no longer required for the achievement of the purpose for which they were collected. Accordingly, the user's e-mail address is stored as long as the newsletter subscription is active.The other personal data collected during the subscription process is usually erased after a period of seven days.

(5)    The data subject may terminate the newsletter subscription at any time. For this purpose, every newsletter contains a special link.This also enables the withdrawal of the consent to the storage of the personal data collection during the subscription procedure.

XII.    Encrypted Transmission of Data

Within the scope of a login or contact, all data are transmitted over an SSL/TLS-encrypted connection. The SSL certificate required for this, which is installed on the servers, has been issued by an independent organisation.An encrypted connection can be recognised from the "https://" that appears in the address bar of the browser instead of "http://".As soon as the encrypted SSL/TLS connection has been established, your input that you submit to the shop can no longer be intercepted by any third parties.

XIII.    Shipping Data

(1)    The data required for the delivery are forwarded to the shipping service providers. In this case, the data need to be forwarded for the performance of the contract.

(2)    Therefore, the legal basis is point (b) of Art. 6 (1) sentence 1 GDPR.

(3)    During the order process, the data subject can give his or her consent to the forwarding of other data required for the delivery, especially of the e-mail address and telephone number, to the shipping service provider. The purpose of the collection is the announcement of the delivery and the communication of the respective shipping status to the data subject. The legal basis is the consent pursuant to point (a) of Art. 6 (1) sentence 1 GDPR.

(4)    The consent can at any time be withdrawn by means of a message to the controller, using the contact details specified in section 1. As a result of the withdrawal, the data will be erased if no further statutory permission exists about which the data subject is informed in the Privacy Policy.

XIV.    Applicant Data

1.    Erasure of Personal DataYour data are usually automatically erased three months after the application procedure is finished. Moreover, you can at any time send an e-mail to karriere@storch-ciret.com to request us to erase your data. However, please note that this also means withdrawing from all ongoing application procedures.

2.    Talent PoolBy invitation of our recruiting team, you can agree to the storage of your data in our talent pool following the completion of your application procedure. If you make use of this option, we will store your application data for 12 months. Following the end of these 12 months, your application data will be erased automatically. Of course, you can at any time send an e-mail to jobs@[…].de to request us to erase your data.

3.    Forwarding of Your Application Data to Other Companies of the Storch-Ciret GroupTechnical and organisational measures have been implemented to ensure that only the companies of the Storch-Ciret Group that you applied to or that your application has been forwarded to can view and use your data.By confirming the consent at the end of the application process, you agree to the forwarding of your application documents, application or applicant data to other companies of the Storch-Ciret Group. You can withdraw this content by sending an e-mail to jobs@[…].de whenever you wish.

XV.    Rights of the Data Subject

Where personal data are processed, the users are "data subjects" in the meaning of the GDPR and they have the following rights vis-à-vis the controller:

1.    Right of Access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

Where that is the case, access to the personal data and the following information can be requested from the controller:

(1)    the purposes of the processing of personal data;
(2)    the categories of personal data that are processed;
(3)    the recipients or categories of recipients to whom the personal data have been or will be disclosed;
(4)    the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5)    the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6)    the right to lodge a complaint with a supervisory authority;
(7)    where the personal data are not collected from the data subject, any available information as to their source;
(8)    the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.The data subject may request information on whether the personal data are transmitted to a third country or an international organisation. The data subject can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transmission.

2.    Right to Rectification

The data subject has the right to obtain from the controller without undue delay the rectification and/or completion of inaccurate or incomplete personal data concerning him or her. The controller shall perform the rectification without delay.

3.    Right to Restriction of ProcessingRestriction of processing can be requested where one of the following applies:

(1)    the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(2)    the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(3)    the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(4)    the data subject has objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

1.    Right to Erasure

a)    Erasure Obligation

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

(1)    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(2)    the data subject withdraws consent on which the processing is based according to point (a) of Art. 6 (1) GDPR, or point (a) of Art. 9 (2) GDPR, and where there is no other legal ground for the processing;

(3)    the data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) GDPR;

(4)    the personal data have been unlawfully processed;

(5)    the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(6)    the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

b)    Information to Third Parties

Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c)    Exceptions

The right to erasure does not apply to the extent that processing is necessary:

(1)    for exercising the right of freedom of expression and information;

(2)    for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3)    for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9 (2) GDPR as well as Art. 9 (3) GDPR;

(4)    for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5)    for the establishment, exercise or defence of legal claims.

5.    Right to Notification

Where the right to rectification or erasure of personal data or restriction of processing has been asserted against the controller, the controller shall communicate this rectification or erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The data subject has the right vis-à-vis the controller to be informed about those recipients.

6.    Right to Data Portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(1)    the processing is based on consent pursuant to point (a) of Art. 6 (1) GDPR or point (a) of Art. 9
(2) GDPR or on a contract pursuant to point (b) of Art. 6 (1) GDPR; and

(2)    the processing is carried out by automated means.

In exercising this right, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

1.    Right to Object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions.
The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If the processing for direct marketing purposes is objected to, the personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

2.    Right to Withdraw the Consent pursuant to Data Protection Law

The data subject has the right to withdraw his or her consent pursuant to data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

3.    Automated Individual Decision-Making, Including Profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision:

(1)    is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(2)    is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(3)    is based on the data subject's explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless point (a) or (g) of Art. 9 (2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10.    Right to File a Complaint with a Supervisory AuthorityWithout prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.The supervisory authority with which the complaint has been lodged will inform the party lodging the complaint about the status and outcome of the complaints including the possibility of judicial remedy pursuant to Art. 78 GDPR.