Data Privacy Policy
I. Name and address of the controller
The controller as contemplated by the General Data Protection Regulation, other national data-protection legislation of the Member States and other legal data-protection provisions is:
Kittelberger media solutions GmbH
Bayernstraße 8
72768 Reutlingen
Germany
Tel.: +49.7121.6289-0
E-mail: info@kittelberger.de
Website: www.kittelberger.de
II. Data protection officer
The controller's data protection officer can be contacted at:
Kittelberger media solutions GmbH
Haiko Hödl
Bayernstraße 8
72768 Reutlingen
Germany
E-mail: datenschutz@kittelberger.de
Website: www.kittelberger.de
Inhaltsverzeichnis
III. General information on data processing
- Scope of the processing of personal data
- Legal basis for the processing of personal data
- Data erasure and storage period
IV. Provision of the website and generation of log files
- Description and scope of data processing
- Rechtsgrundlage für die Datenverarbeitung
- Purpose of data processing
- Duration of storage
- Option of objection and cancellation
- Description and scope of data processing
- Legal basis for data processing
- Purpose of data processing
- Duration of storage, option of objection and cancellation
- Usage of Google Analytics, Google Remarketing and Google Ads Conversion Tracking
- Usage of Matomo
- Facebook Marketing services
- LinkedIn InsightTag
- Google reCAPTCHA
- Microsoft Clarity
- Analysis by WiredMinds
- CookieFirst
VI. Contact form and e-mail contact
- Description and scope of data processing
- Legal basis for data processing
- Purpose of data processing
- Duration of storage
- Option of objection and cancellation
VII. Rights of the data subject
- Right to access
- Right to rectification
- Right to restriction of processing
- Right to erasure
- Right to notification
- Right to data portability
- Right of objection
- Right to withdraw the declaration of consent under data protection law
- Automated individual decision-making, including profiling
- Right to lodge a complaint with a supervisory authority
III. General information on data processing
1. Scope of the processing of personal data
We essentially process personal data of our users only insofar as this is required to provide an operational website and to deliver our contents and services. Personal data of our users are processed regularly only after the user's consent has been obtained. An exception applies in such cases where the prior obtaining of consent is not possible for actual reasons and the processing of the data is permitted by legal regulations.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 Para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
With regard to the processing of personal data which is required to perform a contract the contracting party of which is the data subject, Art. 6 Para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations which are required to carry out precontractual measures.
Insofar as a processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 Para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or of another natural person render the processing of personal data necessary, Art. 6 Para. 1 lit. d GDPR serves as the legal basis.
If processing is required to protect a legitimate interest of our company or of a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not override the first-mentioned interest, Art. 6 Para. 1 lit. f GDPR serves as the legal basis for processing.
3. Data erasure and storage period
The personal data of the data subject are erased or blocked as soon as the purpose of storage ceases to apply. Data can furthermore be stored if this was envisaged by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Data are also blocked or erased when a storage period prescribed by the aforementioned standards expires unless a necessity exists to continue to store the data for the purpose of concluding or performing a contract.
IV. Provision of the website and generation of log files
1. Description and scope of data processing
Each time our website is visited, our system automatically retrieves data and information from the computer system of the calling computer.
The following data are collected here:
- Information about the browser type and the version used
- The user's operating system
- The user's internet service provider
- The user's IP address
- Date and time of the access
- Websites from which the user's system is directed to our website
- Websites which are called up by the user's system via our website
The log files contain IP addresses or other data which facilitate an assignment to a user. This could be the case for example if the link to the website from which the user is directed to our website or the link to the website to which the user switches contains personal data.
The data are also stored in our system's log files. These data are not stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for the provisional storage of data and log files is Art. 6 Para. 1 lit. f GDPR.
3. Purpose of data processing
The provisional storage of the IP address by the system is required to enable the website to be delivered to the user's computer. The user's IP address must remain stored for the duration of the session for this purpose.
Storage in log files occurs to ensure the functionality of the website. In addition, the data serve to optimise the website and to ensure the security if our IT systems. The data are not evaluated for marketing purposes in this connection.
Our legitimate interest in data processing pursuant to Art. 6 Para. 1 lit. f GDPR also rests in these purposes.
4. Duration of storage
The data are erased as soon as they are no longer needed to achieve the purpose of their collection. In the event that the data are acquired to provide the website, this is the case when the respective session is ended.
In the event that the data are stored in log files, this is the case after no more than thirty days. Any storage extending above and beyond this does not take place.
5. Option of objection and cancellation
The acquisition of the data to provide the website and the storage of the data in log files are absolutely necessary for the operation of the website. For this reason, no option of objection on the part of the user exists.
V. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files which are stored in or by the internet browser on the user's computer system. When a user calls up a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic character string which enables the browser to be uniquely identified when the website is called up again.
We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser also be able to be identified after a site switch.
The following data are stored and transmitted in the cookies here:
- Name of the cookie
- Name of the domain
- Path to the site
- Session ID
- Date and time of the last access
- Period of validity
We furthermore use on our website cookies which enable the surfing behaviour of the users to be analysed (see Google Analytics and Matomo).
The data of the users collected in this way are pseudonymised by technical precautions. It is therefore no long possible to assign the data to the calling user. The data are not stored together with other personal data of the users.
When our website is called up, the users are notified by an info banner that cookies are used for analytics purposes and are referred to this data privacy policy. A notice is also issued in this connection as to how the storage of cookies can be prevented in the browser settings.
2. Legal basis for data processing
The legal basis for the processing of personal data when cookies are used is Art. 6 Para. 1 lit. f GDPR.
3. Purpose of data processing
Our legitimate interest in the processing of personal data pursuant to Art. 6 Para. 1 lit. f GDPR also rests in these purposes.
4. Duration of storage, option of objection and cancellation
Cookies are stored on the user's computer and communicated by the latter to our site. You as the user therefore also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your internet browser. Cookies that have already been stored can be erased at any time. This can also be cone automatically. If cookies for our website are deactivated, you may not be able to use all the website functions in full.
You can find out under the links below how to manage (and also among other things deactivate) the cookies in the most important browsers:
- Chrome Browser:
https://support.google.com/accounts/answer/61416?hl=de - Internet Explorer:
https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies - Mozilla Firefox:
https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen - Safari:
https://support.apple.com/de-de/guide/safari/manage-cookies-and-website-data-sfri11471/mac
5. Usage of Google Analytics, Google Remarketing and Google Ads Conversion Tracking
5.1 Usage of Google Analytics
We use on our website the web analytics service Google Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Data processing serves the purpose of analysing this website and its visitors. Google will, on behalf of the operator of this website, use the information acquired to evaluate your use of the website, to compile reports about the website activities for the website operators and to render other services associated with website use and internet use. The IP address that is transferred from your browser as part of Google Analytics will not be combined with other Google data.
Google Analytics uses cookies that enable analysis of your use of the website. Generally, the information about your use of this website that is generated by the cookies is transferred to and stored on a Google server in the USA. IP anonymisation is activated on this website. In this way, your IP address will first be shortened by Google within the Member States of the European Union or in other countries which are contracting parties to the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the USA and shortened there in exceptional circumstances. Your data will likewise be transmitted to the USA. A European Commission adequacy decision is in place for data transfers to the USA. Processing is performed on the basis of Art. 6 (1) lit. f GDPR from the legitimate interest in the demand-based and target-oriented design of the website. You have the right for reasons deriving from your particular situation at any time to object to the processing of the personal data concerning you based on Art. 6 (1) f GDPR.
You can prevent the cookies from being stored by selecting appropriate technical settings in your browser software. However, please note that this may result in you not being able to use all the functions of this website in full. You can also prevent the data relating to your use of the website from being collected by cookies (including your IP address) and sent to Google or processed by Google by clicking the following link and downloading and installing the available browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=de. You can set an opt-out cookie so that you can prevent acquisition by Google Analytics across all your devices. Opt-out cookies prevent the future acquisition of your data when this website is visited. You must complete the opt-out on all the systems and devices used so that this works across the board. By clicking the following link, the Opt-Out-Cookie will be set: Deactivate Google Analytics
Further information about terms and conditions of use and data protection can be found at:
5.2 Usage of remarketing or "similar target groups" function of Google Inc.
We use the remarketing or "related audience" feature of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") on our website. If you are ordinarily resident in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the data controller. Google Ireland Limited is therefore the company affiliated with Google which is responsible for processing your data and for ensuring compliance with applicable data protection laws. The application is designed to analyse visitor behaviour and interests. Google uses cookies to carry out the analysis of website usage, which forms the basis for the creation of interest-related advertisements. Cookies are used to record visits to the website and anonymous data on the use of the website. There is no storage of personal data of the visitors of the website. If you subsequently visit another website in the Google Display Network, you will see ads that most likely include previously viewed product and information areas. Your data may be transferred to the USA. Google has been certified under the US-EU Privacy Shield Agreement and is committed to complying with the European Data Protection Directives. The data processing, in particular the setting of cookies, is carried out with your consent on the basis of Art. 6 para. 1 lit. a DSGVO. You may revoke your consent at any time without affecting the legality of the processing that has taken place on the basis of your consent until the time of revocation. Further information on Google Remarketing and the corresponding data protection declaration can be found at:
5.3 Usage of Google Ads Conversion Tracking
We use the online advertising program "Google Ads" on our website and, in this context, conversion tracking (analysis of visitor activity). Google Conversion Tracking is an analysis service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). If you are ordinarily resident in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the data controller. Google Ireland Limited is therefore the company affiliated with Google which is responsible for processing your data and for ensuring compliance with applicable data protection laws. When you click on an ad placed by Google, a conversion tracking cookie is placed on your computer. These cookies have a limited validity, do not contain any personal information and are therefore not personally identifiable. If you visit certain pages on our site and the cookie hasn't expired, Google and we can tell that you clicked on the ad and were redirected to that page. Each Google Ads customer receives a different cookie. As a result, there is no way that cookies can be tracked across the websites of ads customers. The information collected using the conversion cookie is used to compile conversion statistics. This tells us the total number of users who have clicked on one of our ads and been redirected to a page with a conversion tracking tag. However, we do not receive information that personally identifies users. Your information may be transferred to the USA. Google has certified itself under the US-EU Privacy Shield Agreement and is committed to complying with the European Data Protection Directives. Data processing, in particular the setting of cookies, is carried out with your consent on the basis of Art. 6 Para. 1 lit. a DSGVO. You may revoke your consent at any time without affecting the legality of the processing that has taken place on the basis of your consent until the time of revocation. You can find further information and the Google data protection declaration at:
6. Usage of Matomo
On this website data is collected and stored using the web analysis service software Matomo (www.matomo.org), a service of the provider InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, ("Matomo") on the basis of our legitimate interest in statistical analysis of user behaviour for optimisation and marketing purposes in accordance with Art. 6 para. 1 lit. f DSGVO. From this data, pseudonymised user profiles can be created and evaluated for the same purpose. Cookies may be used for this purpose. Cookies are small text files that are stored locally in the cache of the Internet browser of the page visitor. The cookies enable, among other things, the recognition of the Internet browser. The data collected using Matomo technology (including your pseudonymised IP address) is processed on our servers.
The information generated by the cookie in the pseudonymous user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym.
If you do not agree with the storage and evaluation of this data from your visit, you can object to its subsequent storage and use at any time by mouse click. In this case, a so-called opt-out cookie is stored in your browser, which means that Matomo does not collect any session data. Please note that the complete deletion of your cookies means that the opt-out cookie will also be deleted and may have to be reactivated by you.
7. Facebook Marketing services
Our Online Offer uses on the basis of our legitimate interests in the analysis, optimisation and economic operation of our Online Offer the so-called Facebook Pixel belonging to the social network Facebook, which is run by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook is certified under the Privacy Shield Agreement, thereby guaranteeing compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
The Facebook Pixel enables Facebook to identify visitors to our Online Offer as the target group for the presentation of so-called Facebook Ads. Accordingly, we use the Facebook Pixel to present the Facebook Ads placed by us only to those Facebook users who have also expressed an interest in our Online Offer or who have certain characteristics (e.g. interests in specific topics or products determined by the web pages visited by them) that we submit to Facebook (so called “Custom Audiences”). With the assistance of the Facebook Pixel we want to also ensure that our Facebook Ads are in keeping with the Users’ possible interests, rather than being seen as a nuisance. Additionally, the Facebook Pixel allows us to understand the effectiveness of Facebook Ads for statistical and market research purposes by allowing us to see whether Users were taken to our website upon clicking on a Facebook Ad (so-called Conversion).
Facebook processes the Data in accordance with its data policy. Accordingly, general information on the presentation of Facebook Ads can be found in Facebook’s data policy:
https://www.facebook.com/policy.php
For specific information and details about the Facebook Pixel and how it works, visit the help section of Facebook:
https://www.facebook.com/business/help/651294705016616.
You may revoke your consent to the Facebook Pixel collecting data and using it to present Facebook Ads. To set which types of ads are displayed to you within Facebook you can access the page created by Facebook and follow the instructions there regarding the settings for use-based advertising:
https://www.facebook.com/settings?tab=ads
The settings are platform-independent, i.e. they are applied to all devices such as desktop computers and mobile devices.
8. LinkedIn InsightTag
We use conversion tracking technology and the retargeting feature of LinkedIn Corporation on our website.
This technology allows visitors to this website to receive personalized ads on LinkedIn. Furthermore, it is possible to create anonymous reports on the performance of the advertisements and information on website interaction. For this purpose, the LinkedIn Insight tag is embedded on this website, which establishes a connection to the LinkedIn server, if you visit this website.
Please see LinkedIn's privacy policy at
https://www.linkedin.com/legal/privacy-policy
for more information about data collection and use, and the choices and rights you have to protect your privacy.
If you are logged in to LinkedIn, you can deactivate the collection of data at any time by following this link:
https://www.linkedin.com/psettings/enhanced-advertising.
9. Google reCAPTHCA>
We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The purpose of reCAPTCHA is to check whether the data input on our website (e.g. in the newsletter registration form) is made by a human or by an automated programme. For this purpose, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place.
The data processing is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from SPAM.
For more information on Google reCAPTCHA and Google's privacy policy, please see the following link:
https://policies.google.com/privacy?hl=en&gl=en
10. Microsoft Clarity
This website uses the service "Microsoft Clarity" by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (hereinafter referred to as "Microsoft") to collect and store various user information for the purpose of statistical analysis of user behavior, as well as for optimization and marketing purposes. This information, which is always collected anonymously, includes, among other things, time zone settings, operating system and platform, the geographical origin of the page request, the source of referral if redirected to our site, the duration of visits to specific pages, as well as information about website interaction (e.g., scrolling, clicks, and mouse-overs). From this data, pseudonymized user profiles can be created and evaluated for the same purposes. Cookies are used for data collection and evaluation, which enable, among other things, the recognition of the internet browser. The data collected through Microsoft technologies will not be used to personally identify visitors to this website without the explicit consent of the person concerned, nor will it be merged with personal data about the bearer of the pseudonym.
The collected information may be transmitted to and stored on Microsoft servers in the USA. We have entered into a data processing agreement with Microsoft in which we require Microsoft to protect our customers' data and not to disclose it to third parties.
All of the processing described above, particularly the setting of cookies for reading information on the device used, will only take place if you have given us your express consent in accordance with Art. 6 (1) (a) GDPR. Without this consent, Microsoft Clarity will not be used during your visit to our site. You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service in the "Cookie Consent Tool" provided on the website.
Further information on Microsoft Clarity's data protection policies can be found at the following link: https://clarity.microsoft.com/terms.
11. Analysis by WiredMinds
Our website uses counting pixel technology provided by WiredMinds GmbH (www.wiredminds.de) to analyze visitor behavior. In connection with this, the IP address of the visitor is processed. The processing occurs only for the purpose of collecting company based information such as company name, for example. IP addresses of natural persons are excluded from any further processing by means of a whitelist. An IP address is not stored in LeadLab under any circumstances.
While processing data, it is our outmost interest to protect the rights of natural persons. Our interest in processing data is based on Article 6(1)(f) GDPR. At no time is it possible to draw conclusions from the collected data on an identifiable person.
Opt-Out:
The collection, processing and storage of data can be objected to at any time with effect for the future under the following link:
Exclude from Tracking
(A functionally necessary cookie will be set to permanently ensure no tracking
by WiredMinds LeadLab occurs on this website)
12. CookieFirst
For our website to function properly we use cookies. To obtain your valid consent for the use and storage of cookies in the browser you use to access our website and to properly document this we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands. Website: https://cookiefirst.com referred to as CookieFirst.
When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned.
CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is article 6(1)(c) of the General Data Protection Regulation (GDPR).
12.1 Data processing agreement
We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.
12.2 Server log files
Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected:
- Your consent status or the withdrawal of consent
- Your anonymised IP address
- Information about your Browser
- Information about your Device
- The date and time you have visited our website
- The webpage url where you saved or updated your consent preferences
- The approximate location of the user that saved their consent preference
- A universally unique identifier (UUID) of the website visitor that clicked the cookie banner
VI. Contact form and e-mail contact
1. Description and scope of data processing
Our website features a contact form which you can use to contact us electronically. If a user makes use of this opportunity, the data entered on the input screen are communicated to us and stored. These data are:
- Name
- E-mail address
- Company (if necessary)
- Message text
The user's data are forwarded as an e-mail and stored at the moment when the message is sent.
Alternatively, contact can be made by means of provided e-mail addresses. In this case, the user's personal data communicated with the e-mail are also stored.
The data are not passed on to third parties in this connection. The data are used solely to process the conversation.
2. Legal basis for data processing
The legal basis for the processing of data is, where the user's consent has been given, Art. 6 Para. 1 lit. a GDPR.
The legal basis for the processing of data which are communicated in the course of an e-mail being sent is Art. 6 Para. 1 lit. f GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for process is Art. 6 Para. 1 lit. b GDPR.
3. Purpose of data processing
We use the processing of the personal data from the input screen solely to process the contact approach. In the event of a contact approach by e-mail, the necessary legitimate interest in the processing of data rests therein.
The other personal data processed during the sending operation serve to prevent the contact form from being misused and to ensure the security of our IT systems.
4. Duration of storage
The data are erased as soon as they are no longer needed to achieve the purpose of their collection. For the personal data from the input screen of the contact form and those which were sent by e-mail this is the case when the relevant conversation with the user is ended. The conversation is ended when it can be inferred from the circumstances that the issue in question is conclusively clarified.
The personal data additionally collected during the sending operation are erased no later than after a period of thirty days.
5. Option of objection and cancellation
The user is able at any time to withdraw their consent to their personal data being processed. By contacting us by e-mail, the user can at any time cancel the storage of their personal data. In such a case, the conversation cannot be continued.
To cancel, please send an e-mail to the data protection officer.
All the personal data which were stored in the course of the contact approach are erased in this case.
VII. Rights of the data subject
If your personal data are processed, you are a data subject as contemplated by the GDPR and you enjoy the following rights in respect of the controller:
1. Right to access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed by us.
If such processing is the case, you can demand from the controller access to the following information:
- the purposes for which the personal data are being processed;
- the categories of personal data which are being processed;
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored or, if concrete details are not possible, the criteria used to determine that period;
- the existence of a right to correction or erasure of the personal data concerning you, of a right to restriction of processing by the controller or of a right of objection to such processing;
- the existence of a right to lodge a complaint with a supervisory authority.
You have the right to request information as to whether or not the personal data concerning you are transferred to a third country or to an international organisation. In this connection, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
2. Right to rectification
You have a right to have your data corrected and/or completed by the controller if the processed personal data concerning you are incorrect or incomplete. The controller must carry out the rectification without undue delay.
3. Right to restriction of processing
Under the following preconditions you can request the restriction of the processing of the personal data concerning you:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use;
- the controller no longer needs the personal data for the purposes of the processing, but you require these for the advancement, exercise or defence of legal claims, or
- if you have objected to the processing pursuant to Art. 21 Para. 1 GDPR pending verification whether the legitimate grounds of the controller override your grounds.
Where the processing of the data concerning you has been restricted, these data may – with the exception of their storage – only be processed with your consent or for the advancement, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If restriction of the processing has been obtained in accordance with the aforementioned preconditions, you shall be informed by the controller before the restriction is lifted.
4. Right to erasure
4.1 Duty of erasure
You can request that the controller erase without undue delay the personal data concerning you and the controller shall be obligated to erase these data without undue delay where one of the following grounds applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based in accordance with Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 Para. 2 GDPR.
- The personal data concerning you have been unlawfully processed.
- The erasure of the personal data concerning you is required to comply with a legal obligation according to Union law or the law of the Member State to which the controller is subject.
- The personal data concerning you have been collected in relation to offered services of the information society in accordance with Art. 8 Para. 1 GDPR.
4.2 Information to third parties
Where the controller has made the personal data concerning you public and is obligated pursuant to Art. 17 Para. 1 GDPR to erase the personal data, the controller shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copies or replications of, those personal data.
4.3 Exceptions
The right to erasure does not exist insofar as the processing is required
- to exercise the right to freedom of expression and information;
- to comply with a legal obligation which requires the processing according to Union law or Member State law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
- on grounds of public interest in the area of public health pursuant to Art. 9 Para. 2 lit. h and i and Art. 9 Para. 3 GDPR;
- for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para. 1 GDPR insofar as the right mentioned in Section a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
- to advance, exercise or defend legal claims.
5. Right to notification
If you have asserted against the controller the right to rectification, erasure or restriction of processing, the latter is obligated to notify all recipients to whom the personal data concerning you were disclosed of this rectification or erasure of the data or restriction of processing unless this proves to be impossible or involves a disproportionate effort.
You have the right to be notified of these recipients by the controller.
6. Right to data portability
You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. Furthermore, you have the right to communicate these data to another controller without hindrance from the controller to which the personal data have been made available, provided that
- the processing is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and
- the processing is performed by automated means.
In exercising this right, you furthermore have the right to have the personal data concerning you transmitted directly from one controller to another, where this is technically feasible. Freedoms and rights of other persons must not be adversely affected by this.
The right to data portability does not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right of objection
You have the right for reasons deriving from you particular situation at any time to lodge an objection against the processing of the personal data concerning you that occurs on the basis of Art. 6 Para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless it can demonstrate compelling reasons worthy of protection for the processing which override your interests, rights and freedoms or if the processing serves to advance, exercise or defend legal claims.
If the personal data concerning you are processed for the purpose of direct advertising, you have the right at any time to lodge an objection against the processing of the personal data concerning you for such promotional purposes; this also applies to profiling where this is connected with such direct advertising.
If you object to the processing for direct-marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
You have the opportunity, in the context of the use of information-society services – and notwithstanding Directive 2002/58/EC – to exercise your right of objection by automated means using technical specifications.
8. Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawal of consent shall not affect the lawfulness of the processing conducted on the basis of the consent up to the point of withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you in a detrimental way. This does not apply if the decision
- is necessary for concluding or performing a contract between you and the controller,
- is authorised by Union or Member State legal provisions to which the controller is subject and which also lay down suitable measures to safeguard your rights, freedom and legitimate interests, or
- is made with your express consent.
However, these decisions may not be based on special categories of personal data referred to in Art. 9 Para. 1 GDPR unless Art. 9 Para. 2 lit. a or g GDPR applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.
With regard to the cases referred to in (1) and (3) the controller shall take suitable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express their own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.