The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") and other national data protection laws of EU countries and other data protection laws is:
PALTRON
Managing Directors: Josef Günthner, Daniel Wernicke
Am Sandtorkai 48
20457 Hamburg, Germany
Email: contact@paltron.de
Tel.: +49 (0) 40 180 241 180
Data protection officer:
Dr. Christian Rauda
Board-certified specialist for copyright and media law
Board-certified specialist for information technology law
Board-certified specialist for intellectual property law
GRAEF Rechtsanwälte Digital PartGmbB
Jungfrauenthal 8
20149 Hamburg
Tel.: +49.40.80 6000 9-0
Fax: +49.40.80 6000 9-10
Email: office@graef.eu
Website: www.graef.eu
I. General information about data processing
1. Extent of processing personal data
We will generally collect and use personal data of our users only if and to the extent necessary to make available a functional website and/or to provide our content and services. Personal data of our users generally will be collected and/or used only with the prior consent of the user. An exception applies in cases where obtaining prior consent is practically impossible and where data processing is permitted by applicable law.
Insofar as we disclose data to other persons and companies (commissioned processing or third parties) within the scope of our processing, transfer them to them or grant them access to the data, this only takes place on the basis of a legal permission (e.g. if a transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Art. 6 para. 1 let. b GDPR), if you have consented to it, if a legal obligation provides for it or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties with the processing of data on the basis of a so-called "commissioned processing agreement", this is done on the basis of Art. 28 GDPR. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or in the context of using third party services or of disclosure or transfer of data to third parties, this will only occur if it is done to fulfil our (pre)contractual obligations, on the basis of your consent, a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met. This means that the processing takes place, for example, on the basis of special guarantees, such as the officially recognised determination of a data protection level corresponding to the EU (e.g. in the USA the "Privacy Shield") or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").
2. Legal basis for processing personal data
Insofar as we obtain the consent of the data subject for processing personal data, Art. 6 para. 1 let. a GDPR serves as the legal basis. Art. 6 para. 1 let. b GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing which is necessary for the performance of pre-contractual measures. Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 let. c GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh our interest, Art. 6 para. 1 let. f DSGVO serves as the legal basis for the processing.
3. Erasure of data and data storage
Personal data of a data subject will be erased or blocked as soon as they are no longer needed for the purposes for which they are stored. Data may also be blocked if provided for by EU or national regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased if recordkeeping obligations under the aforementioned norms expire, unless continued storage of such data is necessary to enter into or perform a contract.
II. Making available the website and creating log files
1. Description and extent of data processing
When our website is accessed, our system will automatically collect data and information from the computer system of the terminal device accessing the website.
In this context, the following data will be collected for a limited time period:
Such data will be stored in log files of our system. Such data are needed only to analyze any malfunctions and will be erased at the latest within seven days. The legal basis for temporarily storing data in log files is Art. 6 para. 1 let. f) GDPR. Temporary storage of the IP address for the system is necessary for making the website available to the terminal device of the user. For this purpose, the IP address of the user must be stored for the duration of the session. Data are stored in log files to ensure the functionality of our website. In addition, such data are used to optimize the website and to ensure the security of our IT systems. Data will not be analyzed for marketing purposes in this context, and we will draw no inferences as to your identity. The aforementioned purposes also provide the basis of our legitimate interest in data processing within the meaning of Art. 6 para. 1 let. f GDPR. Collecting data to make available the website and to store data in log files is necessary for operating the website. Consequently, users have no right to object to the collection or use of such data for the aforementioned purposes.
III. Use of cookies
1. Description and extent of data processing
Our website uses so-called session or flash cookies. Cookies are text files that are stored in or by the Internet browser on the user's computer system. When a user visits a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is accessed again. The legal basis for the processing of personal data using cookies is Art. 6 para. 1 let. f DSGVO. The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these it is necessary that the browser is recognized also after a page change. In addition, we also use - if you do not object - so-called persistent cookies, which are used beyond the session. In particular, these cookies serve to make the website user-friendly, more effective and safer. The user data collected by technically necessary cookies are not used to determine your identity.
The processing of personal data is necessary to safeguard our legitimate interests pursuant to Art. 6 para. 1 let. f GDPR. Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user have full control over the use of cookies and they are deleted when you close your browser. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated, not all functions of the website may be available anymore.
IV. Web analysis and other Google-services, as well as lead generation
1. Google Analytics
We use Google Analytics, a web analysis service of Google Ireland Limited ("Google"), on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services within the meaning of Art. 6 para. 1 let. f GDPR). Google uses cookies. The information generated by the cookie about the use of our online services is usually transferred to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Google will use this information as a commissioner to evaluate the use of our online services, to compile reports on activities within this online service and to provide us with other services related to the use of this online service and the Internet. Pseudonymous user profiles of the users can be created from the processed data.
We use Google Analytics only with activated IP anonymisation. This means that the IP address of the user is shortened by Google in the territory of EU member states or other contracting states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be transmitted to a Google server in the U.S.A. and shortened there.
The IP-address collected by the user’s browser will not be linked with other data from Google. Users can prevent the collection of information by the cookie in their browser settings; furthermore, users can inhibit the collection of the data concerning their usage of the online-services and Google’s processing of this data by installing a browser-plugin which is available here: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information about Google’s usage of data, settings and the right to object can be found on Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“how google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“Data usage for advertising purposes”), https://www.google.de/settings/ads (“Manage information which Google uses to show ads”). Google’s privacy policy is available here: https://www.google.com/policies/privacy. If you want to object to interest-based advertising from Google marketing-services, you can use Google’s provided settings and opt-out possibilities: http://www.google.com/ads/preferences.
Further information on the use of data by Google, setting and objection options can be found on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners ("Use of data by Google for your use of websites or apps of our partners"), http://www.google.com/policies/technologies/ads ("Use of data for advertising purposes"), http://www.google.de/settings/ads ("Manage information that Google uses to show you advertising").
2. Google re/marketing services
We use marketing and remarketing services (in short "Google Marketing Services") from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (“Google”) on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services within the meaning of Art. 6 para. 1 let. f. GDPR).
Google is certified under the Privacy Shield Agreement and thereby offers a guarantee of compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google's marketing services allow us to display ads for and on our website in a more targeted manner to show users only ads that potentially match their interests. If, for example, a user is shown ads for products in which he or she is interested on other websites, this is referred to as "remarketing". For these purposes, when you visit our and other websites on which Google marketing services are active, Google executes a code directly from Google and (re)marketing tags (invisible graphics or code, also known as "web beacons") are incorporated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). Cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com and googleadservices.com. In this file it is noted which websites the user visits, which content he is interested in and which ads he has clicked on, furthermore technical information about the browser and operating system, referring websites, visiting time as well as further information about the use of our online services. The IP address of the user is also recorded. We inform you that within the scope of Google Analytics the IP address is shortened within the territory of EU member states or other contracting states of the Agreement on the European Economic Area and only in exceptional cases transferred completely to a Google server in the USA and shortened there. The IP address is not linked with other data from Google. Google may also combine the above-mentioned information with comparable information from other sources. If the user visits other websites, ads tailored to the user's interests can be shown.
User data is processed pseudonymously within the framework of Google marketing services. That means that Google does not store and process, for example, the name or e-mail address of the user, but processes the relevant cookie-related data within pseudonymous user profiles. This means that, from Google's point of view, the ads are not administered and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. Information collected about users by Google marketing services is transmitted to Google and stored on Google's servers in the U.S.A..
One of the Google marketing services we use is the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "conversion cookie". Cookies cannot therefore be traced across websites of different AdWords customers. The information collected with the help of cookies or AdWords pixels is used to generate conversion statistics for AdWords customers who have opted for this tracking. AdWords customers will know the total number of users who clicked on their ad and were directed to a website tagged with a conversion tracking tag. However, they will not receive any information that personally identifies users.
We may use Google's AdSense marketing service to include third-party advertisements. AdSense uses cookies to enable Google and its partner websites to show ads based on users' visits to this site and other sites on the Internet. We may also use Google Tag Manager and Google Phone Tracking to implement and administer Google analytics and marketing services on our website.
You can find out more about Google's use of data for marketing purposes on the overview page: https://www.google.com/policies/technologies/ads, Google's privacy policy can be found at https://www.google.com/policies/privacy.
If you wish to opt out of interest-based advertising by Google marketing services, you can use the settings and opt-out options provided by Google: http://www.google.com/ads/preferences.
3. Lead generation tools
In addition, we use the services of so-called lead generation tools. Lead generation is a term used in marketing. A lead is a qualified prospective customer who is interested in a company or a product on the one hand and who on the other hand leaves his address and similar contact data (lead = data record) to the advertiser on his own initiative for further contact and therefore is highly likely to become a customer. Generating high-quality leads is a fundamental task for winning new customers. Address data of potential interested parties can be generated online as well as offline for specific target groups and these are also our legitimate interests in data processing according to Art. 6 para. 1 let. f GDPR. We use the service “Leadfeeder”. It uses Google Analytics data to identify company visitors. Leadfeeder is integrated in our CRM System & Email Marketing Tool. Leadfeeder is a service of Liidio Oy, Mikonkatu 17 C, Helsinki 00100, Finland. Leadfeeder's privacy policy can be found at https://www.leadfeeder.com/privacy/.
Another lead generation tool we use is the service "LinkedIn Lead Generation". LinkedIn uses forms for lead generation. Features and contents of the service LinkedIn can be integrated. LinkedIn Lead Generation is offered by LinkedIn AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. If users are members of the platform LinkedIn, LinkedIn can identify who of their users accessed the content and features. LinkedIn is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law. In this context, we also use Lead Generation Tools from LinkedIn. https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active. Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. LinkedIn's privacy policy can be found at https://www.linkedin.com/legal/privacy-policy or https://business.linkedin.com/de-de/marketing-solutions/native-advertising/lead-gen-ads. The use of these tools serves marketing purposes. These purposes also include our legitimate interest in data processing pursuant to Art. 6 para. 1 let. f GDPR.
V. Contact form, data protection in application procedures
When contacting us (e.g. via contact form, e-mail, telephone or social media), the user's data are processed for the purpose of processing the contact inquiry and processing it in accordance with Art. 6 para. 1 let. b GDPR. User data may be stored in a customer relationship management system ("CRM system") or a comparable enquiry organisation.
The data controller collects and processes the personal data of applicants for the purpose of processing the application procedure. The processing can also be carried out electronically. This is particularly the case if an applicant submits the relevant application documents electronically, for example by e-mail or via a form on the website, to the data controller. If the data controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the data controller does not conclude an employment contract with the applicant, the application documents shall be automatically deleted six months after notification of the rejection decision, unless deletion conflicts with any other legitimate interests of the data controller. Any other legitimate interest in this sense is, for example, a burden of proof. When establishing contact with us (e.g. by contact form, e-mail, telephone or social media), the user's details are processed in order to process the contact enquiry and its processing in accordance with Art. 6 para. 1 let. b GDPR. We delete the inquiries if they are no longer necessary. Furthermore, the statutory archiving obligations apply.
In this context, we use the customer relationship management system of eRecruiter GmbH (eRecruiter GmbH, Am Winterhafen 4, A-4020 Linz, Universitätsring 8/Stg. II/1A, Austria). Your application will be redirected to their server. The data protection conditions of eRecruiter GmbH, which can be found at https://www.erecruiter.net/p/datenschutz, apply in this respect. If necessary, we may contact you using the data you have transmitted and this data use serves the fulfilment of the contractual purpose according to Art. 6 para. 1 let. b GDPR and that is also our legitimate interest in data processing according to Art. 6 para. 1 let. f GDPR.
VI. Online presences in social media and implementation of third party services
We maintain online presences within social networks and platforms in order to communicate with customers, interested parties and users and to inform them about our services. When visiting the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply. Unless otherwise stated in our privacy policy, we process the data of users who communicate with us within the social networks and platforms, e.g. posting on our social media site or sending us messages. Within our online services, we place links to these services of third parties on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 let. f GDPR). This always presupposes that third-party providers of this content collect the IP address of the user, since they could otherwise not transmit the content to their browser without the IP address. The IP address is therefore required for the presentation of this content. We make every effort to use only content whose respective providers use the IP address only to deliver the content. Third party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit times and other information about the use of our online services, and be linked to such information from other sources.
1. Use of Facebook Social Plugins
We use social plugins ("plugins") on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services within the meaning of Art. 6 para. 1 let. f GDPR) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are recognizable by one of the Facebook logos (white "f" on a blue tile, the terms "like", "like" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin". The list and appearance of Facebook social plugins can be found here: https://developers.facebook.com/docs/plugins/. Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
When a user uses a feature of an online service which contains such a plugin, his device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly from Facebook to the user's device which integrates it into the online service. User profiles can be created from the processed data. We therefore have no influence on the extent of the data that Facebook collects with the help of this plugin and therefore inform the user according to our state of knowledge.
By implementing the plugins, Facebook receives the information that a user has accessed the corresponding page of the online service. If the user is logged on to Facebook, Facebook can assign the visit to his Facebook account. When users interact with the plugins, for example, by clicking the “Like button” or posting a comment, the corresponding information is transferred directly from the user’s device to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook can find out his IP address and save it. According to Facebook, only anonymous IP addresses are stored from German users. The purpose and scope of the data collection, further processing and use of the data by Facebook as well as the relevant rights and settings to protect the privacy of users can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/.
If a user is a Facebook member and does not want Facebook to collect data about him or her by means of our online services and link it to the member data stored on Facebook, he or she must log out of Facebook and delete his or her cookies before using our online service. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers and mobile devices.
2. Use of Twitter
Within our online services, features and content of the service Twitter offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, U.S.A. can be implemented. This may include, for example, content such as images, videos or texts and buttons with which users can express their favour regarding the content, the authors of the content or can subscribe to our contributions. If users are members of the Twitter platform, Twitter can assign the visit of the above-mentioned content and features to the Twitter profiles of the users. Privacy policy of Twitter: https://twitter.com/de/privacy. Twitter is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active. Privacy Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.
3. Use of Google Plus
Within our online services, features and content of the service Google Plus offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland ("Google") can be implemented and used. Further information on Google’s use of data for marketing purposes can be found on the overview page: https://www.google.com/policies/technologies/ads, Google's privacy policy can be found at https://www.google.com/policies/privacy.
4. Use of Xing
Within our online services, features and content of the service Xing may be integrated offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. This may include, for example, content such as images, videos or texts and buttons with which users can express their favour regarding the content, the authors of the content or can subscribe to our contributions. If the users are members of the platform Xing, Xing can assign the visit of the above-mentioned contents and features to the profiles of the users. Privacy policy of Xing: https://www.xing.com/app/share?op=data_protection.
5. Use of LinkedIn
Within our online services, features and content of the service LinkedIn can be integrated offered by the LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. This may include content such as images, videos or text and buttons with which users can express their interest in the content, the authors of the content or subscribe to our contributions. If the users are members of the platform LinkedIn, LinkedIn can assign the visit of the above-mentioned content and features to the profiles of the users. Privacy policy of LinkedIn: https://www.linkedin.com/legal/privacy-policy. LinkedIn is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law. In this context, we also use Lead Generation Tools from LinkedIn. https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active. Privacy Policy: https://www.linkedin.com/legal/privacy-policy. Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
6. Use of Tawk.to
Within our online services, features and content of the service Tawk.to can be integrated, offered by Tawk.to. This can include, for example, content from chats. These contents are then sent to us by e-mail and stored. The privacy policy of tawk.to can be found at: https://www.tawk.to/privacy-policy.
VII. Information pursuant to Art. 14 DSGVO
1. Name and contact details of data controller and contact details of data protection officer:
Data controllers:
Data Protection Officer for all of the companies listed above: Dr. Christian Rauda Board-certified specialist for information technology law GRAEF Rechtsanwälte Digital Partnerschaftsgesellschaft mbB Jungfrauenthal 8 20149 Hamburg Germany Phone +49.40.80 6000 9-0 Fax +49.40.80 6000 9-10
2. Purposes for which personal data will be processed and legal basis for processing
Matching suitable candidates – as single candidates or in teams – and companies for the purpose of concluding an employment contract. The processing is based on Art. 6 para. 1 let. f GDPR.
3. Categories of personal data to be processed
Name, Xing or LinkedIn link, current position, current employer, correspondence with candidate if applicable.
4. Recipients or categories of recipients of personal data
Each internal department which conducts recruiting for companies. The data will only be passed on to a potential employer with the candidate's consent.
5. Intention of the data controller to transmit the personal data to a recipient in a third country or an international organisation
Data will not be transmitted outside the EU.
6. Duration for which personal data are stored or, if that is not possible, the criteria for determining that duration
Data will be stored as long as the data subject is a potential candidate for exciting job offers.
7. If processing is based on Art. 6 para. 1 let. f GDPR, the legitimate interests pursued by the data controller or a third party
We want to address candidates as individually and personally as possible and only offer them jobs that we are convinced will fit the candidate perfectly. As part of our corporate network, we not only place individual candidates, but also put together cross-professional teams. Moreover, we have an economic interest in placing vacancies.
8. Source from which the personal data originates and, if applicable, whether it originates from publicly accessible sources;
Xing or LinkedIn (public data).
9. Rights of data subjects
You will find these for 1. under section 1 in the subsequent paragraph of this privacy policy statement (number VIII.).
as well as for the data controllers at no. 2. in section 1 under the following links:
PALTRON GmbH: https://www.paltron.com/privacy-policy
Numeris Consulting GmbH: https://www.numeris-consulting.de/datenschutz
Sinceritas GmbH: https://www.sinceritas.com/datenschutz
alphacoders GmbH: https://www.alphacoders.de/datenschutz
Foxio Consulting GmbH https://www.foxio.com/datenschutz
CAREERTEAM Schweiz GmbH: https://www.careerteam.ch/datenschutz
CAREERTEAM BV
CAREERTEAM S.A.S.: https://www.careerteam.fr/protection-des-donnees
VIII. Rights of data subjects
If we process your personal data, you will be a data subject within the meaning of the GDPR and you will have the following rights against the controller:
1. Right to information
You may demand that the controller confirm whether or not personal data about you are processed by us.
If we do process such data, you may demand the following information from the controller:
2. Right to rectification
You have a right against the controller to have incorrect personal data rectified and/or to have incomplete personal data completed if the personal data we process are incorrect or incomplete. The controller must rectify data without undue delay.
3. Right to restricted processing
Under the following conditions you may demand restricted processing of your personal data:
If processing of your personal data is restricted, such data may – except for their storage – be processed only with your consent, or to assert, exercise, or defend legal rights or claims, to protect the rights of another natural person or legal entity, or for reasons related to an important public interest of the European Union or any member state.
If processing of your personal data has been restricted under the aforementioned conditions, you will be notified by the controller before the restriction is lifted.
4. Right to erasure
a) Erasure obligation
You may demand that the controller erase your personal data without undue delay and the controller has an obligation to do so if one of the following reasons applies:
b) Information to third parties
Where the controller has made personal data public and has an obligation under Art. 17, para. 1 to erase such personal data, the controller, taking into account available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copies or duplicates of, such personal data.
c) Exceptions
There is no right to erasure if processing personal data is necessary
5. Right to notification
If you have exercised your right to rectification, erasure, or restricted processing against the controller, the controller has an obligation to notify all recipients to whom your personal data have been disclosed of such rectification, erasure, or restricted processing, unless this proves impossible or would be associated with unreasonable expense. You have a right to be informed of all such recipients by the controller.
6. Right to data portability
You have a right to receive personal data you have made available to the controller in a structured, standard, and machine-legible format. You also have the right to transfer your personal data to another controller without any interference by the controller to whom the personal data were made available, if
In exercising the right to data portability you further have the right to have your personal data transferred directly from one controller to another controller, if and to the extent that this is technically feasible. No rights or freedoms of any other persons may be infringed thereby. The right to data portability does not apply to processing of personal data that is necessary to perform a task that is in the public interest or to processing of personal data in the exercise of official authority vested in the controller.
7. Right of objection
You have the right for reasons related to your particular situation to object to processing of your personal data at any time based on Art. 6 para. 1 let. e) or f) GDPR; the same applies to any profiling based on the aforementioned provisions. If you object, the controller will no longer process your personal data, unless the controller can show that there are compelling protected reasons for processing your personal data that override your interests, rights and freedoms, or if your data are processed to assert, exercise, or defend legal rights or claims. If your personal data are processed for direct advertising purposes, you have a right to object to processing of your personal data for purposes of such advertising at any time; the same applies to any profiling associated with such direct advertising. If you object to processing of your personal data for purposes of direct advertising, your personal data will no longer be processed for such purposes. In connection with use of information society services you may exercise your right of objection – regardless of Directive 2002/58/EC – by using automated processes for which technical specifications are used. For this purpose you may send an email to our data protection officer.
8. Right to revoke consent to data processing
You have a right to revoke your consent to data processing at any time. If you exercise your right of revocation, the lawfulness of data processing that occurs before revocation based on your consent will remain unaffected.
9. Automated decision in a particular case, including profiling
You have a right not to be subjected to a decision that is made exclusively by means of automated processing – including profiling – if such a decision has legal consequences for you or otherwise substantially impairs your interests. This does not apply if the decision
However, such decisions may not be made with respect to special categories of personal data within the meaning of Art. 9 para. 1 GDPR, unless Art. 9 para. 2 let. a) or g) GDPR applies and appropriate safeguards have been implemented to protect your rights, freedoms, and legitimate interests. In cases 1) and 3) above the controller must implement appropriate safeguards to protect your rights, freedoms, and legitimate interests, which must include, at a minimum, a right to have a person acting on behalf of the controller take action, a right to present your own point of view, and a right to contest the decision.
10. Right to lodge complaint with supervisory authority
Without prejudice to any other available administrative or judicial remedies, you have a right to lodge a complaint with a supervisory authority, in particular a supervisory authority located in the member state of your habitual residence, at your workplace, or at the place of the purported infringement, if in your opinion the processing of your personal data violates the GDPR.
The supervisory authority where the complaint is lodged will then notify the complainant of the progress and outcome of the complaint, including judicial remedies available under Art. 78 GDPR.
