CONFIDENTIALITY GUARANTEE/DATA PROTECTION
Thank you for showing an interest in our company. Protecting personal data is extremely important to us, which is why we would like to take this opportunity to provide you with detailed information about how we process your personal data. Personal data is always processed in line with the legal requirements, in particular the General Data Protection Regulation (GDPR) and the applicable national data protection legislation. This policy contains information about the type and extent of data that we collect, use and process and the purpose for doing so. It also provides data subjects with information about their rights. As a company and data controller, we have taken extensive technical and organisational steps to ensure that the personal data we process receives the best possible protection.
I. NAME AND ADDRESS OF THE CONTROLLER
The data controller as per the General Data Protection Regulation, Member States’ additional national data protection legislation, and other data protection regulations is:
Pleidelsheimer Straße 15
Telefon: +49 (0) 7142 95 66 10
Fax: +49 (0) 7142 95 66 22
E-Mail: [email protected]
II. Name and address of the data protection officer
The controller’s data protection officer as per Article 37 GDPR is:
Frank Eckerkunst, lawyer
c/o ITWerk Giessen GmbH*
Tel.: +49 641 96993-0
E-Mail: [email protected]
* Insurance details:
Details of professional indemnity insurance:
D&O cover is provided by:
Hiscox Insurance Company Ltd.
Zweigniederlassung für die Bundesrepublik Deutschland
Territorial scope of the insurance: Europe
Insured activity: Data protection officer
Amount insured under the professional indemnity policy: €1,000,000
III. General information about data processing
‘personal data’ means all information relating to an identified or identifiable individual (hereinafter ‘data subject’); an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting its processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual;
‘controller’ means the individual or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means an individual or legal entity, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means an individual or legal entity, public authority, agency or other body, to which the personal data is disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means an individual or legal entity, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
2) Extent of personal data processing
It is possible to use our website without providing personal data. We only process our users’ personal data insofar as this is necessary to provide a functional website and to make our content and services available. Our users’ personal data is only processed regularly with the user’s consent. The only exception is in cases where it is not possible to obtain consent beforehand for practical reasons and legislation permits the data to be processed.
3) Lawful basis for the processing of personal data
Insofar as we obtain the data subject’s permission to process personal data, the lawful basis is Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR).
4) Registration and customer account
If you open a customer account, you agree that your inventory data such as name, address, e-mail address and bank details as well as your user data (user name, password) are stored. This enables you to place orders with us using your e-mail address or your customer number and your personal password. In doing so, we obtain the following consent.
5) Erasing data and retention period
The data subject’s personal data is erased or blocked as soon as the purpose no longer applies. Data may be stored for longer if this is permitted under European or national law as set out in regulations, acts or other provisions which apply to the controller. Data will also be blocked or erased if the retention period stipulated in the quoted standards expires, unless further storage of the data is necessary to conclude or perform a contract.
Insofar as the processing of personal data is necessary to fulfil a legal obligation which applies to our company, the lawful basis is Art. 6(1)(c) GDPR.
If vital interests of the data subject or another individual make it necessary to process personal data, Art. 6(1)(d) GDPR serves as the lawful basis.
When personal data must be processed to perform a contract to which the data subject is party, the lawful basis is Art. 6(1)(b) GDPR. This also applies to processing operations which are necessary for the performance of precontractual measures.
If processing is necessary to achieve a legitimate interest of our company or a third party and the data subject’s interests, rights and freedoms do not override the aforementioned interest, Art. 6(1)(f) GDPR serves as the lawful basis for processing.
As a responsible company, we do not use profiling or any other automated means of decision-making.
IV. Use of our website
1. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
Description and extent of data processing, lawful basis, purpose and retention period
Each time our website is accessed, our system automatically records data and information from the system of the accessing computer.
The following data is recorded:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The user’s IP address
- Date and time of access
- Referring websites
- Websites accessed by the user’s system via our site
The lawful basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR. It is necessary for the system to store the IP address temporarily to enable the website to be delivered to the user’s computer. The user’s IP address must remain stored for the duration of the session for this purpose. Data is stored in log files to enable the website to function. Furthermore, the data is used to optimise the website and ensure that our IT systems are secure. Data is not evaluated for marketing purposes in connection with this. Our legitimate interest in data processing as per Art. 6(1)(f) GDPR also lies in these purposes. The data is erased or anonymised once the purpose for which it was recorded has been achieved. It is then no longer possible to identify the accessed client. Recording the data needed to provide the website and storing the data in log files is essential for operation of the website. As a consequence, the user cannot opt out of this.
a) We use strictly necessary cookies to make our website more user-friendly. For some elements of our website, it is necessary for the accessing browser to be identifiable even when the user navigates to a different page. As a rule, the following data is stored and transmitted in cookies:
- Language settings
- Log-in information
- Session ID
b) If we also use (non-essential) cookies on our website which enable the user’s browsing behaviour to be analysed, these can usually transmit the following data:
- Search terms entered
- Frequency of page impressions
- Use of website features
- IP address
- Browser data
- Applying language settings
- Remembering search terms
- Remembering general cookie settings
The data stored in our cookies is not linked to your personal data (name, address, etc.).
3. REGISTRATION FEATURE
We offer our visitors the option of registering on our site using a contact form. The personal data which is visible from the input mask is only recorded and stored to enable use of our offering. In case your data is being misused by a third party, we store the IP address and the time and date of the registration as a precaution so that the misuse can be investigated if necessary. Your data is never shared with third parties. Data collected elsewhere is not associated with this data. Registered visitors have the option of amending their personal data or deleting it completely from the database at any time.
4. CONTACTING US
You can contact us at any time to share your wishes and aspirations by using the contact form or sending an email. The user data submitted voluntarily in this way is stored in our database for processing and erased once the purpose of processing it has been achieved. It is never forwarded to third parties or associated with other data.
5. RECEIVING OUR NEWSLETTER
Our website contains the option of subscribing to our newsletter. We use this to provide regular information about offers, news, events and other important occurrences. It is only possible to receive the newsletter if you provide the data marked as compulsory on the registration page and registration is successful. An email address is sufficient. We use a double opt-in (DOI) process to ensure that the user wishes to receive the newsletter. This means that the potential recipient is only added to the distribution list temporarily at first. The potential recipient is then given the option of confirming their registration with legal effect via a confirmation email. Only once the user confirms and agrees to receive the newsletter does the address become fully active in our distribution list. When you first register, we store the following information, which is necessary to document and provide evidence of legally binding registration:
- IP address
- Date and time of the registration
The data is only used to distribute the newsletter. You can cancel your subscription at any time and withdraw your consent. There is a link allowing you to unsubscribe in each newsletter. You can also cancel your newsletter subscription on the website. Distribution may be handled by an email marketing service provider. The email marketing service provider will work for us on the basis of a processing agreement and may use the data in pseudonymised form to improve its offering or for statistical purposes. The email marketing service provider will not use the data to contact you directly or share it with third parties. You can find more information about the email marketing service providers here.
Emarsys eMarketing Systems GmbH, Willi-Schwabe-Straße 1, 12489 Berlin, Germany
6. DATA PROTECTION DURING THE APPLICATION PROCESS
Applicants’ data is electronically recorded, stored and processed for the purpose of completing an application process. This applies particularly to applications made electronically, for example by email. If you subsequently enter into an employment contract, we keep the data in your personnel file and store it for standard organisational and employment purposes, in compliance with the legal requirements. If the applicant does not enter into an employment contract, their data is automatically deleted from the database when the rejection is sent, unless special legal conditions – such as the duty to furnish evidence under the German General Act on Equal Treatment – require a longer storage period or you explicitly agreed to longer retention during the application process.
7. USE OF FACEBOOK, GOOGLE+, INSTAGRAM, LINKEDIN, PINTEREST, TWITTER, XING AND/OR YOUTUBE, TIKTOK
If our website uses social media plugins for Facebook, Google+, Instagram, LinkedIn, Pinterest, Twitter, TikTok, Xing and/or Youtube, the plugins will be identified by the respective companies’ logos. When you access our website, the relevant component of the above-mentioned social media plugin may establish a connection between your computer and the social media provider and/or associate it with you. If you are logged in to one of the above-mentioned services during your visit to our site, the provider of the relevant service may identify your user name and your real name from the information transferred and associate the data.
The Xing share button, for example, does not store any personal data. Xing does not evaluate your IP address or user behaviour. However, if you are logged in to Xing when you visit our site, your account information may be used to establish a link with the visit to our site.
Please note that we do not have any control over how the providers of the above-mentioned social networks share your data.
For more information about the data protection policies, please visit the relevant sections of the social networks’ websites.
You can find more information about the individual social media services here:
Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland
Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Irland
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland
Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Irland
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 IRLAND
XING SE, Dammtorstraße 30, 20354 Hamburg
Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland
TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Irland.
8. USE OF GOOGLE ADSENSE
9. USE OF GOOGLE ANALYTICS WITH THE ANONYMISATION FEATURE
10. USE OF GOOGLE REMARKETING
11. USE OF GOOGLE ADWORDS
Keywords are the most important component of Google AdWords. With the help of these keywords, an advertiser can choose in advance for an advertisement only to be displayed in the results for a search containing the selected terms or sites with related content. This should make it possible to target advertising to visitors’ interests and minimise wastage. It is also possible to define negative keywords which prevent an ad from being displayed. This service is operated by Google Ireland Ltd, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. AdWords makes it possible to show the user advertisements which are relevant to their search. When someone is directed to our website by a Google ad, a conversion cookie is placed on the user’s browser. This enables both us and Alphabet, Inc. to track whether these AdWords advertisements resulted in the sale of certain products or whether a sales process was aborted. Conversion cookies do not contain any information about the person in question and are automatically deleted within 30 days. The information generated by conversion cookies is used by Google to produce visitor statistics. With the aid of these statistics, it is possible to work out how many users have been directed to our website by AdWords advertisements. Conversion cookies store information about the person who visited the site. This data – including the IP address – is forwarded to Alphabet, Inc. in the USA and may be shared with third parties. You can prevent cookies from being stored by changing your settings. You can delete stored cookies yourself at any time. Further information and more detailed explanations can be found at: https://www.google.de/intl/de/policies/privacy/
12. USE OF GOOGLE FONTS
This website features Google Fonts. Google Fonts is a service provided by Google Ireland Ltd, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. Web fonts are designed for browser-based digital texts. When a website is accessed, they are usually requested from an external Web server instead of a computer’s local font library and integrated into the browser. The use of Google Fonts is not authenticated. No cookies are sent from the website visitor to the Google Fonts API. Queries sent to the Google Fonts API are sent to the resource-specific domains fonts.googleapis.com or fonts.gstatic.com. This means that your requests for fonts are separate from any other information you send to google.com and do not contain any other information. The anonymised request information is erased after 24 hours. Further information and more detailed explanations can be found at: https://policies.google.com/privacy?hl=de
13. USE OF MICROSOFT BING ADS
On our pages, we use the conversion tracking of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. In doing so, Microsoft Bing Ads stores a cookie on your computer if you have reached our website via a Microsoft Bing ad. In this way, Microsoft Bing and we can recognize that someone has clicked on an ad, been redirected to our website and reached a previously determined target page (conversion page). We only learn the total number of users who clicked on a Bing ad and were then redirected to the conversion page. No personal information about the user's identity is disclosed.
If you do not want information about your behavior to be used by Microsoft as explained above, you can refuse the necessary setting of a cookie - for example, by using browser settings that generally disable the automatic setting of cookies. You can also prevent the collection of data generated by the cookie and related to your use of the website, as well as the processing of this data by Microsoft, by following the link below: https://account.microsoft.com/privacy/ad-settings/signedout?lang=de-DE to declare your objection. For more information on data protection and the cookies used by Microsoft and Bing Ads, please visit the Microsoft website at https://privacy.microsoft.com/de-de/privacystatement.
14. USE OF PAYPAL AS A METHOD OF PAYMENT
If you decide to pay using the online payment service provider PayPal, your contact details are sent to the payment service provider PayPal via the orders you place. PayPal acts as an intermediary and provides customer protection services. The personal data transmitted to PayPal comprises information such as your first name, surname, address, telephone number, IP address, email address and other data which helps to process your order. Please note that PayPal may share personal data with subcontractors, service providers or other associated companies if this is necessary for contractual performance in connection with your order. Further information and more detailed explanations can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
15. USE OF SOVENDUS
In order to select a voucher offer that is currently of interest to you, we transmit the hash value of your e-mail address and your IP address to Sovendus GmbH, Hermann-VeitStr. 6, 76135 Karlsruhe (Sovendus) in a pseudonymized and encrypted form (Art. 6 para.1 f DSGVO). The pseudonymized hash value of the e-mail address is used by Sovendus to take into account any objection to advertising (Art. 21 para.3, Art. 6 para.1 c DSGVO). The IP address is used by Sovendus exclusively for data security purposes and is usually anonymized after seven days (Art. 6 para.1 f DSGVO).
In addition, we transmit for billing purposes pseudonymized order number,
order value with currency, session ID, coupon code and timestamp to Sovendus (Art. 6 para.1 f DSGVO). If you are interested in a voucher offer from Sovendus, there is no advertising objection to your email address and you click on the voucher banner that is only displayed in this case, we will transmit your title, name, zip code, country and email address in encrypted form to Sovendus for the preparation of the voucher (Art. 6 para.1 b, f DSGVO).
16. USE OF EMARSYS As set out in Section 7(3) of the German Act Against Unfair Competition (UWG), we are permitted to use the email address provided when a purchase is made in our shop for direct marketing of similar products or services. If you no longer wish to receive our product recommendations, you can opt out of receiving these at any time. You will not incur any charges for this apart from the basic cost of transmission. To opt out, click on the ‘Unsubscribe’ link which can be found in the footer of any of our product recommendations or email [email protected].
Our website uses third-party cookies which enable us to improve the quality of the content that we offer you when you visit. These cookies may record your IP address and non-personal data about your visit. This data is completely anonymous and does not include your name, address, email address or any other personal information. The only data collected from visitors who have logged in is a single encrypted identifier which cannot be used to identify you. Cookies are also used to record anonymous, statistical information about your navigation behaviour on our website. These cookies expire after one year.
If you have subscribed to the newsletter, the personal data you submitted when you registered will be used to send you personalised newsletters. No data is shared with third-party companies. Our data protection policies comply with the German Federal Data Protection Act (BDSG) and the German Telemedia Act (TMG).
17. . INTEGRATION OF TRUSTED SHOPS TRUSTBADG
The Trusted Shops Trustbadge is included on this website to show our Trusted Shops seal of quality and any earned ratings as well as to offer Trusted Shops products to buyers after an order. This serves the protection of our legitimate interests in an optimal marketing of our product and prevails in the context of a balancing of interests. The Trustbadge and the services advertised with it are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Köln/Cologne, Germany. When the Trustbadge is accessed, the web server automatically records a server log file which contains, e.g., your IP address, date and time of the access, transferred data volume and the requesting provider (access data) and documents the access. This access data is not analyzed and is automatically overwritten after a maximum of seven days after the end of your page visit. Further personal data is only transferred to Trusted Shops if you decide to use its products after completing an order or if you have already registered for use. In this case, the contractual agreements between you and Trusted Shops apply
18. USE OF AWIN
On our website, we use the performance advertising network of AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany, as a partner programme. As part of its tracking services, to document transactions (e.g. leads and sales), AWIN stores cookies on the devices of users who visit or use its clients’ websites or other online offerings (e.g. to register for a newsletter or place an order in an online shop). These cookies serve the sole purpose of correctly attributing the success of an advertising material and billing it accordingly in connection with its advertising network. AWIN does not collect, process or use personal data to do this. The only information placed in a cookie is when a certain advertising material was clicked on from a device. AWIN tracking cookies contain a unique string of digits which documents an advertiser’s partner programme, the publisher (on whose site the ad was displayed) and the time when the user clicked on or viewed the advertisement. It is not possible to allocate this code to an individual user. AWIN also collects information about the device which was used to complete a transaction, e.g. the IP address, the operating system and the requesting browser. The lawful basis for storing this data is Art. 6(1)(f) GDPR. If you would like more information about data processing by AWIN, please visit: https://www.awin.com/de/rechtliches
19. USE OF CRITEO ONE TAG
Criteo is used to show you interest-based adverts within the Criteo advertising network. Your interests are determined on the basis of your previous usage behaviour. For example, Criteo records which products you have viewed, placed in your shopping basket or purchased. Further details on the data collected by Criteo can be found here: How we use your data
Your personal data and the Criteo cookies stored in your browser are stored for a maximum of 13 months from the date of collection. Criteo is used in the interest of targeted advertising measures. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.
Criteo and we are joint controllers within the meaning of Art. 26 GDPR. An agreement on joint processing has been concluded between Criteo and us, the main contents of which Criteo describes under the following link: How we use your data
20. USE OF trbo
On our website, data is collected and stored by trbo GmbH, Leopoldstr. 41, 80802 Munich, Germany (http://www.trbo.com/). This allows usage profiles to be developed with the aid of pseudonyms to show you personalised customer benefits. Cookies may be used for this purpose which enable a Web browser to be recognised. These usage profiles serve to analyse visitor behaviour and are evaluated in order to improve our site and design it in line with users’ needs. The pseudonymised usage profiles are not associated with personal data about the bearer of the pseudonym without separate, explicit consent being granted by the data subject. You can opt out of this at any time by clicking on the following links: activate trbo and disable trbo.
21. USE OF PAQATO
22. TRANSMITTING YOUR DATA FOR THE PURPOSE OF A CREDIT CHECK
We transmit your data (name, address and, if applicable, date of birth) to infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany, for the purpose of checking creditworthiness, obtaining information for assessing the risk of non-payment on the basis of mathematical-statistical methods using address data. The legal basis for these transfers is Article 6(1)(b) and Article 6(1)(f) of the DSGVO. Transfers based on these provisions may only be made insofar as this is necessary to safeguard the legitimate interests of our company or third parties and does not override the interests of the fundamental rights and freedoms of the data subjects that require the protection of personal data. Detailed information on ICD within the meaning of Art. 14 of the European Data Protection Regulation ("EU GDPR"), i.e. information on the business purpose, purposes of data storage, data recipients, right of self-disclosure, right to erasure or rectification, etc. can be found in the attachment or under the following link.
23. USE OF SCAN2FIT:
With your express consent, we process your data for the purpose of carrying out a free 3D foot scan to determine your shoe size and analyse your foot. For this purpose, we process the personal data required for the scan, in particular the shoe size, name and contact details. The purpose of the processing is to initiate and fulfil a contract. The legal basis for the processing is therefore Art. 6 para. 1 lit. a) and b) GDPR. Your data will be stored until the termination of the contract and any further retention obligations, otherwise it will be deleted immediately. To process the foot scan, your data will also be passed on to the company 3D Schuhdesign / HMK GmbH, Delaware Avenue 23-25, 66953 Pirmasens on the basis of an order processing contract.
Consent can be revoked at any time for the future. The legality of the data processing carried out on the basis of the consent until the revocation is not affected by this.
If we process your personal data, you are classed a data subject as per GDPR and you have the following rights with regard to the controller:
1.) The right to be informed
You can request confirmation from the controller as to whether we process personal data belonging to you. If we do, you can request the following information from the controller:
- the purposes for processing personal data;
- the categories of personal data which are processed;
- the recipients and/or categories of recipients to whom your personal data has been or will be disclosed;
- the planned retention period for your personal data or – if it is not possible to provide concrete details on this – criteria for setting the retention period;
- your right to rectification or erasure of your personal data and your right to restrict processing by the controller or object to this processing;
- your right to make a complaint to a supervisory authority;
- all available information about the origins of the information if the personal data was not collected from the data subject;
- the existence of automated decision-making including profiling as per Art. 22(1) and (4) GDPR and – at least in such cases – meaningful information about the logic involved along with the significance and the envisaged consequences of this processing for the data subject.
You have the right to request information about whether your personal data is transmitted to a third country or an international organisation. In this connection, you can request information about suitable guarantees as per Art. 46 GDPR pertaining to the transmission.
2.) Right to rectification
You have the right to request that the controller rectifies and/or completes the personal data they process if it is inaccurate or incomplete. The controller must rectify the data immediately.
3.) Right to restrict processing
You can request that the processing of your personal data is restricted in the following circumstances:
- if you contest the accuracy of your personal data and request a restriction for a period of time to allow the controller to check the accuracy of the data;
- the processing is unlawful and you request that use of the personal data is restricted instead of it being deleted;
- the controller no longer needs the personal data for the processing purposes but you need it in order to establish, exercise or defend a legal claim, or
- you have objected to processing under Art. 21(1) GDPR, and it is not yet clear whether the controller’s legitimate grounds override your reasons.
If the processing of your personal data has been restricted, this data may only be processed with your consent, to establish, exercise or defend a legal claim, to protect the rights of an individual or legal entity, or for reasons of important public interest for the Union or a Member State. If processing has been restricted in the above-mentioned circumstances, you will be informed by the controller before the restriction is lifted.
4.) Right to erasure/erasure obligation
You can request that the controller erases your personal data immediately and the controller is obliged to erase this data immediately if one of the following applies:
- Your personal data is no longer needed for the purposes for which it was collected or otherwise processed.
- You withdraw your consent which served as the basis for processing as per Art. 6(1)(a) or Art. 9(2)(a) GDPR and there are no other legal grounds for processing.
- You object to processing as per Art. 21(1) GDPR and there are no legitimate reasons for processing which take precedence, or you object to processing as per Art. 21(2) GDPR.
- Your personal data was processed unlawfully.
- Your personal data must be erased to fulfil a legal obligation under Union law or the law of the Member State which applies to the controller.
- Your personal data was collected in relation to the offer of information society services as defined in Art. 8(1) GDPR.
Informing third parties
If the controller has made your personal data public and is obliged to erase it as per Art. 17(1) GDPR, they must take reasonable steps (technical or otherwise, taking account of the technology available) to inform those responsible for processing the personal data that you, the data subject, have requested that they delete all links to this personal data or copies or replications of this personal data.
The right to erasure does not apply if processing is necessary
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation which requires the data to be processed under the Union or Member State law which applies to the controller; or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for public health purposes in the public interest as per Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research, or statistical purposes as per Art. 89(1) GDPR where the right cited in (a) is likely to render impossible or seriously impair the achievement of these processing objectives, or
- for the establishment, exercise or defence of legal claims.
5.) Right to information
If you have contacted the controller to exercise your right to rectification, erasure or restriction, the controller is obliged to inform all recipients to whom your personal data has been disclosed of the rectification, erasure or restriction, unless this proves impossible or involves disproportionate effort.
You have the right to request that the controller informs you about these recipients.
6.) Right to data portability
You have the right to receive the personal data which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without being hindered by the controller to whom the personal data was provided, if
1. the processing is based on consent as defined in Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract as per Art. 6(1)(b) GDPR and
2. the processing is carried out by automated means.
In exercising this right, you also have the right to request that a controller transmits your personal data directly to another controller, if this is technically feasible. This may not adversely affect the rights and freedoms of any third parties.
The right to data portability does not apply to the processing of personal data which is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
7.) Right to object
In certain circumstances, you have the right to object at any time to your personal data being processed on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
The controller will no longer process your personal data unless they can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
If your personal data is processed for the purpose of direct marketing, you have the right to object to your personal data being processed for the purpose of such advertising at any time; this includes any profiling of data that is related to direct marketing.
If you object to processing for the purpose of direct marketing, your personal data will no longer be processed for this purpose. In the context of the use of information society services, and irrespective of Directive 2002/58/EC, you are free to exercise your right to object by automated means using technical specifications.
8.) Right to withdraw consent under data protection law
You have the right to withdraw your consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of the processing performed based on this consent prior to the withdrawal.
9.) Right to complain to a supervisory authority
Irrespective of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, especially in the Member State in which you live or work or the location of the suspected infringement if you believe that the processing of your personal data is in breach of GDPR.
The supervisory authority with whom the complaint was lodged will inform the complainant about the progress and outcome of the complaint, including the possibility of a judicial remedy as per Art. 78 GDPR.