Privacy

Privacy Policy
I. Name and address of the Controller

The Controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

P1 Consulting GmbH

Goldstraße 16-18

33602 Bielefeld

Germany

Tel.: +49 521 54 37 39 29

 

Email: info@process-one.de

Website: www.p1-consulting.de

 

II. Name and address of the Data Protection Officer

The Data Protection Officer of the Controller is:

Kanzlei für Datenschutz

Bernd Kircher

Telegraphengasse 1

36037 Fulda

Tel.: +49 661 960 90636

Email KIRCHER@DATENSCHUTZ-KANZLEI.COM
 

III. General information on data processing

1. Scope of processing of personal data

As a matter of principle, we only process the personal data of our users to the extent that this is necessary to provide a functional website as well as to provide our content and services. The personal data of our users is generally only processed with the consent of the user. Exceptions apply in such cases where there are genuine reasons that make it impossible to obtain prior consent and the processing of the data is permitted by statutory provisions.

2. Legal basis for the processing of personal data

Where we obtain the consent of the Data Subject for the processing of personal data, the legal basis for such processing is Article 6(1) point (a) of the EU General Data Protection Regulation (GDPR).

Where the processing of personal data is necessary for the performance of a contract to which the Data Subject is a party, the legal basis shall be Article 6(1) point (b) GDPR. The same applies to such processing operations which are necessary to conduct steps prior to entering into a contract.

If our company is subject to a legal obligation that requires the processing of personal data, the legal basis for such processing shall be Article 6(1) point (c) GDPR.

In such cases where it may be necessary to process personal data to protect the vital interests of the Data Subject or of another natural person, the legal basis for such processing shall be Article 6(1) point (d) GDPR.

If processing is necessary to safeguard the legitimate interests of our company or a third-party, and the aforementioned interests override the interests or fundamental rights and freedoms of the Data Subject, the legal basis therefor shall be Article 6(1) point (f) GDPR.

3. Deletion of data and storage period

We observe the principles of privacy by design. The personal data of the Data Subject are deleted or blocked as soon as the purpose for storing such data no longer applies. Data may also be stored if this has been stipulated by European or national legislators in ordinances, laws or other regulations to which the Controller is subject. ​ After expiration of such period, the corresponding data is routinely deleted, as data is also blocked or deleted if a storage period prescribed under the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or fulfillment of a contract.

IV. Provision of the website and generation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the computer accessing our website.

In the process, the following data are collected:

  • The browser type and version used
  • The visitor’s operating system
  • The IP address of the visitor, shortened by two octets
  • The date and time of access
  • The URL accessed and the URL of the linked page

The data are also stored in the log files of our system. These data are stored separately from all personal data provided by a Data Subject.

2. Legal basis for processing

Article 6(1) point (f) GDPR serves as the legal basis for the temporary storage of the data and the log files.

3. Purpose of processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. To do so, the IP address of the user must be stored for the duration of the session.

The data are stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. The data are not evaluated for marketing purposes.

These purposes also serve our legitimate interest in data processing in accordance with Article 6(1) point (f) GDPR.

4. Duration of storage

The data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case where data collection is needed to make the website available, the data are deleted when the respective session has ended.

Where data are stored in log files, the data are deleted at the latest after seven days. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or sanitized, so that it is no longer possible to identify the client accessing the site.

5. Possibilities for objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary to operate the website. Consequently, the user has no possibility to object.

V. Newsletter

1. Description and scope of data processing

It is possible to subscribe to a free newsletter on our website. During the newsletter registration process, the data entered into the registration form are transferred to us.

  • Email address
  • Gender
  • First name
  • Last name
  • Postal address
  • Requested issue of the magazine

In addition, during the registration process, the following data are collected:

  • IP address of the computer from which our site is accessed
  • Date and time of registration

Your consent is obtained for the processing of the data provided during the registration process and reference is made to this Privacy Notice.

If you purchase goods or services via our website and, in so doing, enter your email address, this may subsequently be used by us to send you a newsletter. In such a case, only direct advertising for our own goods or services will be sent via the newsletter.

When processing data to send newsletters by email, no data will be passed on to third parties. If delivery by post is desired, the necessary information will be transmitted to the respective transport service provider for the purpose of delivery. The data will be used exclusively for sending the newsletter.

2. Legal basis for processing

The legal basis for the processing of data following subscription to the newsletter by the user is Article 6 (1) point (a) GDPR, provided the user has given his or her consent thereto.

The legal basis for sending the newsletter following the sale of goods or services is Article 7 (3) German Unfair Competition Act (UWG).

3. Purpose of processing

The user’s email address is collected for the purpose of delivering the newsletter.

Other personal data are collected during the registration process for the purpose of preventing misuse of the services or the email address used.

4. Duration of storage

The data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user’s data are therefore stored as long as the subscription to the newsletter is active. These personal data are deleted after a maximum of 2 days following unsubscription/objection; data subject to the double-opt-in procedure that are not confirmed are deleted after 7 days.

Data relating to an order by post are deleted after completion of a one-off order.

Recipients of the print edition on the basis of Article 6(1 ) f. are deleted at the latest 2 days after the receipt of revocation.

The other personal data collected during the registration process are generally deleted after a period of seven days.

5. Possibilities for objection and removal

The subscription to the newsletter can be canceled by the user at any time. To this end, a corresponding link can be found in each newsletter.

This also enables revocation of consent to the storage of personal data collected during the registration process.

VI. Contact form and email contact

1. Description and scope of data processing

Our website contains a contact form which can be used to establish contact electronically. If a user takes advantage of this option, the data entered in the input mask are transmitted to us and stored. These data are:

  • Email address
  • Name
  • Salutation
  • Company name, if applicable
  • Address, if applicable
  • Subject

The following data are also stored at the time of sending the message:

  • The IP address of the user
  • Date and time of registration

Your consent to the processing of the data is obtained during the submission process and reference is made to this Privacy Notice.

Alternatively, it is possible to contact us via the email address provided. In this case, the personal data of the user transmitted along with the email are stored.

No data are disclosed to third parties during the transmission process. The data are used solely for handling the dialog with the user.

2. Legal basis for processing

Where the user has given his or her consent, the legal basis for the processing of data is Article 6(1) point (a) GDPR.

The legal basis for the processing of data transmitted in the course of submitting an email is Article 6(1) point (f) GDPR. If the objective of the email contact is to enter into a contract, the additional legal basis for processing is Article 6(1) point (b) GDPR.

3. Purpose of processing

The personal data entered in the form is solely processed for the purpose of processing the request for contact. Where contact is established via email, this also constitutes the necessary legitimate interest for processing the data.

The other personal data processed during the submission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. With regard to the personal data entered in the contact form and the data sent by email, the data are deleted when the respective correspondence with the user ends. The correspondence ends when the circumstances indicate that the respective matter has been definitively resolved.

The additional personal data collected during the submission process are deleted at the latest after a period of seven days.

5. Possibilities for objection and removal

The user has the option to withdraw his or her consent to the processing of personal data at any time. If the user contacts us by email, he or she can object to the storage of his or her personal data at any time. In such a case, the correspondence cannot be continued.

Withdrawal of consent is to be directed to Process One Consulting GmbH via the contact options described in Section I. ​

Where this occurs, all personal data stored in the course of contacting us will be deleted.

Web analysis tools

1. Scope of processing of personal data

Data protection provisions of Cookiebot:

A web service of the company Cybot A/S, Havnegade 39, 1058 Copenhagen (hereinafter: cookiebot.com) is used on our website. We use these data to ensure the full functionality of our website. In the process, your browser may transmit personal data to cookiebot.com . The legal basis for processing is Article 6(1) point (f) GDPR. The legitimate interest is to ensure the error-free functionality of the website. The data are deleted as soon as the purpose for which they were collected has been fulfilled. Further information on the handling of the transmitted data can be found in the privacy policy of cookiebot.comhttps://www.cookiebot.com/en/privacy-policy/ . You can prevent  cookiebot.com from collecting and processing your data by deactivating the execution of script code in your browser or by installing a script blocker in your browser (you can find this, for example, at www.noscript.net or www.ghostery.com).
The following information is stored in our Cookiebot account:

  • The user’s IP address in an anonymous form (the last three digits are set to “0”).
  • Date and time of consent.
  • The user’s browser.
  • The URL from which the consent was sent.
  • An anonymous, random and encrypted key value.
  • The consent status of the user, which serves as proof of consent.

The key and consent status are also stored in the user’s browser in the cookie “CookieConsent” so that the website can automatically read and respect the user’s consent in all subsequent page requests and future user sessions for up to 12 months.


 


Data protection provisions of LinkedIn:

The Controller has integrated components of the LinkedIn Corporation into this website. LinkedIn is a web-based social network that enables users with existing business contacts to connect and to make new business contacts. Over 400 million registered users in more than 200 countries use LinkedIn. Thus, LinkedIn is currently the largest platform for business contacts and one of the most visited websites in the world.

The operating company of LinkedIn is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. The responsibility for privacy matters outside of the USA is held by LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Each time individual pages of our website on which a LinkedIn component (LinkedIn plug-in) is integrated are accessed, the Internet browser on the IT system of the Data Subject is automatically prompted to download and display a corresponding LinkedIn component. Further information on the LinkedIn plugin may be found at https://developer.linkedin.com/plugins. This technical procedure enables LinkedIn to gain knowledge of what specific sub-page of our website was visited by the Data Subject.

If the Data Subject is logged in at the same time on LinkedIn, every time the Data Subject accesses our website — and for the entire duration of their visit of our Internet site — LinkedIn detects which specific sub-page of our website was visited by the Data Subject. This information is collected through the LinkedIn component and associated with the respective LinkedIn account of the Data Subject. If the Data Subject clicks on one of the LinkedIn buttons integrated on our website, LinkedIn assigns this information to the personal LinkedIn user account of the Data Subject and stores the personal data.

LinkedIn receives information via the LinkedIn component that the Data Subject has visited our website, provided that the Data Subject is logged in at LinkedIn at the time of accessing our website. This occurs regardless of whether the person clicks on the LinkedIn button or not. If the Data Subject does not want such information to be transmitted to LinkedIn, he or she may prevent this by logging off from his or her LinkedIn account before accessing our website.

At https://www.linkedin.com/psettings/guest-controls LinkedIn provides the possibility to unsubscribe from email messages, SMS messages and targeted ads, as well as the ability to manage ad settings. LinkedIn also uses affiliates such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame, which set cookies. The setting of such cookies may be denied by visiting https://www.linkedin.com/legal/cookie-policy. The applicable privacy policy for LinkedIn is available at https://www.linkedin.com/legal/privacy-policy. The LinkedIn Cookie Policy is available at https://www.linkedin.com/legal/cookie-policy.

Google Analytics privacy policy

This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies,” text files which are saved on your computer and which enable analysis of your use of our website. The information generated by these cookies, such as time, location and frequency of your website visit (including your IP address) is transferred to Google in the USA, where it is saved. Google will use this information to evaluate your use of our site, to compile reports on website activity for us and to provide further services relating to the use of the website and use of the Internet. Google will also transfer this information to third parties, should this be required by law or where third parties process these data on behalf of Google. Google will never combine your IP address with other Google data. You can prevent the storage of cookies by changing the settings in your browser accordingly. However, we would like to point out that, should you do so, you may not be able to fully use all functions of our website. By using this website, you consent to the processing of your personal data by Google in the manner and for the purposes set out above. If you would like to deactivate Google Analytics, you will find the appropriate browser add-on at: https://tools.google.com/dlpage/gaoptout?hl=en

Further information on data protection and Google Analytics can be found at: https://support.google.com/analytics/answer/6004245?hl=en

Privacy Policy for Google AdWords Conversion Tracking:

This website uses the “Google AdWords Conversion Tracking” function of Google Inc, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). Google AdWords Conversion Tracking uses “cookies,” which are text files placed on your computer to help the website analyze how users use the site when they click on a Google ad. The cookies are valid for a maximum of 90 days. Personal data are not stored in the process. For as long as the cookie is valid, Google and we as the website operator can recognize that you have clicked on an advertisement and have reached a certain target page (e.g. order confirmation page, newsletter registration). These cookies cannot be tracked across multiple websites by different AdWords participants. The cookie creates conversion statistics in “Google AdWords.” These statistics record the number of users who have clicked on one of our ads. In addition, the number of users who have reached a target page that has been provided with a “conversion tag” is counted. However, the statistics do not contain any data which can be used to identify you.

You can prevent cookies from being stored on your hard drive by selecting “Do not accept cookies” in your browser settings (in MS Internet Explorer under “Tools > Internet Options > Privacy > Settings”; in Firefox under “Tools > Settings > Privacy > Cookies”); however, we would like to point out that, in this case, you may not be able to use all the functions of this website to their full extent. By using this website, you consent to the processing of your data by Google in the manner and for the purposes set out above. For more information on how Google uses conversion data and Google’s privacy policy, please visit: https://support.google.com/adwords/answer/93148?ctx=tltp, https://www.google.de/policies/privacy/

Data protection provisions of Google AdSense:

The Controller has integrated Google AdSense into this website. Google AdSense is an online service that enables the placement of advertisements on third-party sites. Google AdSense is based on an algorithm which selects the advertisements displayed on third-party sites in line with the content of the respective third-party site. Google AdSense allows interest-based targeting of Internet users, which is implemented by generating individual user profiles.

The operating company of Google AdSense is Alphabet Inc, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

The purpose of the Google AdSense component is to integrate advertisements on our website. Google-AdSense sets a cookie on the IT system of the Data Subject. An explanation of what cookies are has already been provided above. By setting the cookie, Alphabet Inc. is able to analyze how our website is used. Each time one of the individual pages of this website operated by the data Controller and on which a Google AdSense component has been integrated is accessed, the Internet browser on the Data Subject's IT system is automatically triggered by the respective Google AdSense component to transmit data to Alphabet Inc. for the purpose of online advertising and billing of commission fees. In the course of this technical procedure, Alphabet Inc. gains knowledge of personal data, such as the IP address of the Data Subject, which Alphabet Inc. uses, among other things, to retrace the origin of visitors and clicks and subsequently to enable commission fee billing.

The Data Subject can prevent the setting of cookies by our website, as already described above, at any time by means of an appropriate setting in his or her Internet browser and thus permanently prevent the setting of cookies. Such settings of the Internet browser used would also prevent Alphabet Inc. from storing a cookie on the IT system of the Data Subject. In addition, a cookie already set by Alphabet Inc. can be deleted at any time via the internet browser or other software programs.

Google AdSense also uses so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in Internet pages to enable log file recording and log file analysis, enabling statistical evaluation to be carried out. By means of the embedded tracking pixel, Alphabet Inc. can determine whether and when a web page was opened by a Data Subject, and which links were clicked by the Data Subject. Among other things, tracking pixels are used to evaluate the flow of visitors to a website.

Via Google AdSense, personal data and information, which also includes the IP address and which is necessary for the collection and billing of the advertisements displayed, are transmitted to Alphabet Inc. in the United States of America. These personal data are stored and processed in the United States of America. Alphabet Inc. may share these technically collected personal data with third parties.

More detailed information on Google AdSense can be found at this link: https://www.google.com/adsense/start/.

Google reCAPTCHA:

We use the Google reCAPTCHA service to determine whether a human or a computer is making a certain entry in our contact or newsletter form. Google uses the following data to check whether you are a human or a computer: IP address of the terminal device used, the page you visit on our site on which the captcha is embedded, the date and duration of the visit, the identifying data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCaptcha areas and tasks that require you to identify images. The legal basis for the described data processing is Article 6(1) point (f) of the General Data Protection Regulation. We have a legitimate interest in this data processing to ensure the security of our website and to protect us from automated entries (attacks).

More details can be found in Google’s Data Protection Center:

https://policies.google.com/privacy?hl=en

YouTube privacy policy:

The Controller has integrated components of YouTube into this website. YouTube is an Internet video portal that enables video publishers and other users to upload video clips free of charge, and also enables free viewing, rating and commenting. YouTube permits the publishing of all manner of videos, enabling access to both full-length movies and TV broadcasts, as well as music videos, trailers, and videos made by users via the Internet portal.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Each time one of the individual pages of this website operated by the Controller and on which a YouTube component (YouTube video) has been integrated is accessed, the Internet browser on the IT system of the Data Subject is automatically prompted to download and display the corresponding YouTube component. Further information about YouTube may be obtained at https://www.youtube.com/yt/about/en/. Through this technical procedure, YouTube and Google gain knowledge of what specific sub-page of our website was visited by the Data Subject.

If the Data Subject is logged in to YouTube, YouTube recognizes through each access of a sub-page containing a YouTube video which specific sub-page of our website was visited by the Data Subject. This information is collected by YouTube and Google and assigned to the respective YouTube account of the Data Subject.

YouTube and Google receive information through the YouTube component that the Data Subject has visited our website, if, at the time of accessing our website, the Data Subject is logged in to YouTube; this occurs regardless of whether the person clicks on a YouTube video or not. If the Data Subject does not want such information to be transmitted to YouTube, he or she may prevent this by logging off from his or her YouTube account before accessing our website.

YouTube’s data protection provisions, available at https://www.google.com/intl/en/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.

Data protection provisions of Xing:

The Controller has integrated components of Xing into this website. XING is an Internet-based social network that enables users to connect with existing business contacts and to create new business contacts. The individual users can create a personal profile of themselves at XING. Companies may, for example, create company profiles or publish jobs on XING.

The operating company of XING is XING AG, Dammtorstraße 30, 20354 Hamburg, Germany.

Each time one of the individual pages of this website operated by the Controller and on which a Xing component (Xing plugin) has been integrated is accessed, the Internet browser on the IT system of the Data Subject is automatically prompted to download and display the corresponding Xing component. ​ Further information about the XING plugin the may be accessed at https://dev.xing.com/plugins. Through this technical procedure, XING gains knowledge of what specific sub-page of our website was visited by the Data Subject.

If the Data Subject is logged in at the same time on XING, each time the Data Subject accesses our website—and for the entire duration of their stay on our website—XING detects which specific sub-page of our website was visited by the Data Subject. This information is collected through the XING component and associated with the respective XING account of the Data Subject. If the Data Subject clicks on the XING button integrated into our Internet site, e.g. the “Share” button, XING assigns this information to the personal XING user account of the Data Subject and stores the personal data.

XING receives information via the XING component that the Data Subject has visited our website, provided that the Data Subject is logged in at XING at the time of visiting our website. This occurs regardless of whether the person clicks on the XING component or not. If the Data Subject does not want such information to be transmitted to XING, he or she can prevent this by logging off from their XING account before visiting our website.

The data protection provisions published by XING, which are available under https://www.xing.com/privacy, provide information on the collection, processing and use of personal data by XING. In addition, XING has published privacy notices for the XING share button at https://www.xing.com/app/share?op=data_protection.

2. Legal basis for the processing of personal data

The legal basis for the processing of the personal data of the user is Article 6(1) point (f) GDPR.

3. Purpose of processing

The processing of the users’ personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve both our website and its user-friendliness. These purposes also reflect our legitimate interest in processing the data in accordance with Article 6(1) point (f) GDPR. Anonymization of the IP address sufficiently takes into account the users’ interests in protecting their personal data.

4. Duration of storage

The data are deleted as soon as they are no longer required for our record-keeping purposes. In our case, this occurs after a maximum of 90 days.

5. Possibilities for objection and removal

Cookies are stored on the user’s computer and transmitted to our site by the user. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

We offer our users the option of opting out of analysis processes on our website. To do this, you must follow the corresponding link. In this way, another cookie is set on your system, which signals to our system not to save the user’s data. If the user subsequently deletes the cookie from his or her system, he or she must set the opt-out cookie again.

VIII. Rights of the Data Subject

Where your personal data are processed, you are a Data Subject within the meaning of the GDPR and you have the following rights in relation to the Controller:

1. Right of access to information

You have the right to obtain confirmation from the Controller as to whether or not personal data concerning you are being processed.

If data are being processed, you have the right to request the following information from the Controller:

  1. The purpose(s) for which the personal data are being processed; 
  2. The categories of personal data concerned;
  3. The recipients or categories of recipients to whom your personal data have been disclosed or are being disclosed; 
  4. The envisaged period for which your personal data will be stored, or, if it is not possible to provide concrete information in this regard, the criteria used to determine that period; 
  5. The existence of the right to request from the Controller rectification or erasure of your personal data, or restriction of processing of personal data by the Controller, or to object to such processing;
  6. The existence of the right to lodge a complaint with a supervisory authority;

  7. Where the personal data are not collected from the Data Subject, any available information as to their source; 
  8. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

You have the right to request information as to whether your personal data are transferred to a third country or to an international organization. Where this is the case, Article 46 GDPR grants you the right to be informed of the appropriate safeguards that have been put in place with regard to such transfer.

2. Right to rectification

Where data concerning you are inaccurate or incomplete, you have the right to obtain from the Controller the rectification and/or completion of such inaccurate personal data. The Controller shall perform the rectification without undue delay.

3. Right to restriction of processing

You have the right to request that the Controller restrict processing of your personal data, where one of the following applies:

  1. When you contest the accuracy of your personal data for a period enabling the Controller to verify the accuracy of the personal data; 
  2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; 
  3. The Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
  4. You have objected to processing pursuant to Article 21(1) pending verification whether the legitimate grounds of the Controller override your grounds.

Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If one of the aforementioned conditions for restriction is met, you shall be informed by the Controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase

You have the right to demand that the Controller erase your personal data without undue delay, and the Controller shall bear the obligation to erase personal data without undue delay, where one of the following grounds applies:

  1. Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. You withdraw consent on which the processing is based according to Article 6(1), or point (a) of Article 9(2) point (a) GDPR, and where there is no other legal ground for the processing;
  3. You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
  4. Your personal data have been unlawfully processed.
  5. Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
  6. Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

b) Information for third-parties

Where the Controller has made your personal data public and is obliged under Article 17(1) GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that you as Data Subject have requested erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions

The right to erasure shall not apply to the extent that processing is necessary

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defense of legal claims.

5. Right to be informed

If you have exercised the right to rectification, erasure or restriction of processing against the Controller, the Controller is obliged to communicate the rectification or erasure of the data or restriction of processing to all recipients to whom your personal data have been disclosed, unless this proves to be impossible or involves a disproportionate effort.

You have the right to be informed of these recipients by the Controller.

6. Right to data portability

You have the right to receive the personal data that you have provided to a Controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to arrange for such data to be transmitted to another Controller without hindrance from the Controller to which the personal data have been provided, where

  1. the processing is based on consent pursuant to Article 6(1) point (a) GDPR or Article 9(2) point (a) GDPR or to a contract pursuant to Article 6(1) point (b) of Article 6(1) GDPR, and
  2. the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have your personal data transmitted directly from one Controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time, to processing of your personal data, which has been conducted on the basis of Article 6(1) point (e) or (f) GDPR. This also applies to profiling based on these provisions.

The Controller shall no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where your personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing

Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

  1. is necessary for entering into, or the performance of, a contract between you and the Controller,
  2. is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
  3. is taken with your explicit consent.

However, such decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2) point (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the Controller shall put suitable measures in place to safeguard your rights and freedoms and legitimate interests, which shall include at least the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data is in violation of the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.