Right of access
The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she has a right of access to such personal data and to the following information:
- the purposes of processing;
- the categories of personal data processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to obtain the rectification or erasure of personal data concerning him or her or to obtain the restriction of processing by the controller, or of a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data are not collected from the data subject, any available information on the origin of the data;
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in such cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 in connection with the transfer.
The controller shall provide a copy of the personal data that are the subject of the processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. If the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless otherwise specified by the data subject.
The right to receive a copy under paragraph 3 shall not affect the rights and freedoms of other persons.
Right to rectification
The data subject has the right to obtain from the controller the rectification without undue delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
Right to erasure ("right to be forgotten")
Every data subject has the right to demand from the controller that personal data concerning him or her be erased without undue delay. The controller is obliged to erase personal data without undue delay if one of the following reasons applies:
- the personal data were collected or otherwise processed for purposes for which they are no longer necessary;
- the data subject withdraws his or her consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR and there is no other legal basis for the processing;
- the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
- the personal data have been processed unlawfully;
- the erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.
If the controller has made the personal data public and is obliged to erase it pursuant to paragraph 1, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to or copies or replications of that personal data.
Right to restriction of processing
The data subject shall have the right to obtain from the controller the restriction of processing where one of the following conditions is met:
- the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject objects to the erasure of the personal data and instead requests the restriction of the use of the personal data;
- the controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the establishment, exercise or defense of legal claims; or
- the data subject has objected to the processing pursuant to Article 21(1) of the GDPR, as long as it has not yet been determined whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and that the processing is carried out using automated means.
When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible.
The exercise of the right is without prejudice to Article 17 of the GDPR. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right to data portability shall not affect the rights and freedoms of other persons.
Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out on the basis of Article 6(1)(e) or (f) of the GDPR, including to any profiling based on those provisions.
The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes. The data subject must be expressly informed of the right referred to in Article 21(1) and (2) of the GDPR at the latest at the time of the first communication with him or her; this information must be provided in a comprehensible form that is separate from other information.
In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications.
The data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.
Automated decisions in individual cases (including profiling)
The data subject shall have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision
(a) is necessary for the conclusion or performance of a contract between the data subject and the controller,
(b) is permitted by Union or Member State law to which the data controller is subject and that law contains suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
(c) is carried out with the express consent of the data subject.
In cases (a) and (c), the controller shall take reasonable steps to safeguard the data subject's rights and freedoms and legitimate interests, which include at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Decisions shall not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as the legitimate interests of the data subject.
Right of withdrawal for consent under data protection law
The data subject has the right to withdraw consent to the processing of personal data at any time. If the data subject wishes to exercise his or her right to withdraw consent, he or she may do so by contacting the controller. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.
Right of appeal to the competent supervisory authority
In the event of violations of data protection law, the person concerned has a right of appeal to the competent supervisory authority. The competent supervisory authority in matters of data protection law is the state data protection commissioner of the federal state in which our company is based. A list of data protection officers and their contact details can be found here.
Legal basis of processing
Art. 6(1)(a) GDPR serves our company as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for a delivery of goods or the provision of another service or consideration, the processing is based on Art. 6(1)(b) GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services. If our company is subject to a legal obligation by which a processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1)(c) GDPR. In rare cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1)(d) GDPR. Finally, processing operations could be based on Art. 6(1)(f) GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR).
Legitimate interests in the processing pursued by the controller or a third party
If the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.
Duration for which the personal data are stored
The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted, provided that it is no longer required for the performance of the contract or the initiation of the contract.
Legal or contractual requirements for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision.
We inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before providing personal data, the data subject must contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of the personal data is required by law or by contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.
Objection to advertising mails
The use of contact data published within the framework of the imprint obligation for the transmission of advertising and information material not expressly requested is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.