Privacy Policy

I. Name and address of data controller, general information

 

The data controller in the sense given in the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions is:

Company
K 16 GmbH
Pc. Annenufer 5
20457 Hamburg
Germany

Represented by Managing Directors
Oliver Burth, Eibo Schulz-Wolfgramm
Phone: 040 41 00 44 4
Email: info@k16.de
Website: www.k16.de

II. Name and address of data protection officer, general information

 

The data protection officer for the data controller is:

Markus Gronau
Hohe Bleichen 21
20354 Hamburg
Germany
Email: gronau@praetoria.legal

 

III. General information regarding data processing

 

  1. Scope of processing of personal data
    We generally only process the personal data of our users to the extent needed to provide a functional website, our content and our services. The personal data of our users are routinely processed only with the consent of the respective users. An exception applies in cases in which prior consent cannot be obtained because of actual causes and processing of the data is permitted by law.
  2. Legal basis for processing of personal data
    If we obtain consent from a data subject for processing operations involving personal data, article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

For processing of personal data for performance of a contract which the data subject is a party to, article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations required for carrying out pre-contractual measures.

If processing of personal data is necessary for fulfilment of a legal obligation which our company is subject to, article 6(1)(c) of the GDPR serves as the legal basis.

For the case that vital interests of the data subject or another natural person necessitate processing of personal data, article 6(1)(d) of the GDPR serves as the legal basis.

If processing of personal data is necessary for safeguarding of a legitimate interest of our company and if the interests or fundamental rights and freedoms of the data subject do not override the aforementioned interest, article 6(1)(f) of the GDPR serves as the legal basis for processing.

  1. Data erasure and retention duration
    The data subject’s personal data are erased or blocked as soon as the purpose for storage of these personal data no longer applies. In addition retention can occur if this is provided for by the European or national legislators in EU regulations, laws or other provisions which the data controller is subject to. Blocking or erasure of the data also occurs if a retention period prescribed by the specified standards expires unless further retention of the data is necessary for conclusion or performance of a contract.

IV. Provision of the website and generation of log files

 

  1. Description and scope of data processing
    Each time our website is retrieved our system automatically collects data and information about the computer system of the retrieving computer.
    The following data are collected:

a.) information about the browser type and version used
b.) user’s operating system
c.) user’s internet service provider
d.) user’s IP address
e.) date and time of access
f.) websites from which the user’s system accessed our website
g.) websites retrieved from the user’s system via our website.

The data are also saved in our system log files. These data are not saved together with other personal data about the user.

  1. Legal basis for data processing
    The legal basis for temporary storage of the data and the log files is article 6(1)(f) of the GDPR.
  2. Purpose of data processing
    Temporary storage of the IP address by the system is necessary for enabling delivery of the website to the user’s computer. For this the user’s IP address must be retained for the duration of the session.

Saving in log files is carried out for ensuring the functionality of the website. We also use the data to optimise the website and ensure the security of our IT systems. Analysis of the data for marketing purposes does not take place in connection with this.

Our legitimate interest in data processing in accordance with article 6(1)(f) of the GDPR also lies in these purposes.

  1. Duration of retention
    The data are erased once they are no longer needed for achievement of the purpose for which they were collected. For data collected for the purpose of provision of the website this is the case when the respective session has ended.

For data saved in log files this is the case after seven days at the latest. Storage beyond this period is possible. In this case the IP addresses of the users are erased or anonymised so that association with the retrieving client is no longer possible.

  1. Right to object and right to erasure
    Collection of data for provision of the website and saving of data in log files are absolutely necessary for operation of the website. Therefore the user does not have the right to object.

V. Use of cookies

 

  1. Description and scope of data processing
    Our website uses cookies. Cookies are text files that are stored in the browser or by the browser on the user’s computer system. If a user retrieves a website a cookie can be saved on the user’s operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is retrieved again.

We use cookies to make our website more user-friendly. For some elements of our website the retrieving browser must be able to be identified even after a switch to a different page.

For this the following data are stored in and transmitted by the cookies:

a.) language settings
b.) login information

We also use cookies on our website to enable analysis of users’ browsing behaviour.
The following data can be transmitted in this way:

c.) total number of website users
d.) total number of website sessions
e.) average session duration
f.) users according to time of day
g.) user locations/country
h.) traffic sources
i.) links
j.) visited pages

When a user retrieves our website, he or she is informed of the use of cookies for analysis purposes and his or her consent to processing of the personal data used in connection with this is obtained. Reference is also made to this privacy policy in connection with this.

  1. Legal basis for data processing
    The legal basis for processing of personal data using technically required cookies is article 6(1)(f) of the GDPR.

The legal basis for processing of personal data using cookies for analysis purposes given the corresponding consent of the user is article 6(1)(a) of the GDPR.

  1. Purpose of data processing
    The purpose of using technically required cookies is to simplify the use of websites for users. Some features of our website cannot be offered without the use of cookies. For them the browser must be able to be identified even after a switch to a different page.
    We require cookies for the following applications:

a.) adoption of language settings
b.) remembering of searches

User data collected through technically required cookies are not used for generation of user profiles.

We use analytical cookies for the purpose of improving the quality of our website and its content. Through the analytical cookies we learn how the website is being used and can thereby continuously optimise our offering.

  1. Duration of retention, right to object and right to erasure
    Cookies are saved on the user’s computer and transmitted from it to our side. Therefore you as the user have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing your browser settings. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, full use of all the features of the website may not be possible.

VI. Analytical tools – Tracking tools

 

  1. Legal basis for processing of personal data
    The tracking measures listed below and used by us are implemented on the basis of article 6(1) sent.1 (f) of the GDPR.
  2. Purpose of data processing
    With the tracking measures used, we wish to ensure that our website is designed according to requirements and optimised on an ongoing basis. We also use the tracking measures to collect statistics on the use of our website and analyse them for the purpose of optimising our offering for you. These interests are to be considered as being legitimate in the sense given in the aforementioned regulation.

The respective purposes for data processing and data categories can be found in the corresponding tracking tools. You can prevent the recording of your user behaviour by refusing to consent on our website (see last sentence of III 1 above).

  1. Google Analytics
    For the purposes of needs-based design and continuous optimisation of our pages we use Google Analytics, a web analytics service provided by Google Inc. (https://www.google.de/intl/de/about/) of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as ‘Google’). In connection with this, pseudonymised usage profiles are created and cookies (see section V. above) are used. The information on your use of this website generated by the cookie, such as
  • browser type / browser version,
  • operating system used,
  • referrer URL (last visited page),
  • hostname (IP address) of accessing computer and
  • time of request to server,

is transferred to and saved on a Google server in the US. This information is used for evaluating the use of the website, compilation of reports about the website activities and provision of additional services related to use of the website and the internet for the purposes of market research and needs-based design of these web pages. In addition this information may be transmitted to third parties if this is legally prescribed or third parties process these data on a contract basis. Under no circumstances is your IP address linked to other data held by Google. The IP addresses are anonymised so that association is not possible (IP masking).

You can prevent the installation of cookies by making the appropriate setting in the browser; we point out, however, that in this case you may not be able to use the full functionality of this website.

You can also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of these data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en).

As an alternative to installing the browser add-on, in particular for browsers on mobile devices, you can prevent the collection by Google Analytics by clicking on this link. An opt-out cookie that prevents collection of your data when you visit this website in the future is set. The opt-out cookie only applies to this browser and this website and is placed on your device. If you delete the cookies in this browser, you will have to set the opt-out cookie again.

Further information about data protection in connection with Google Analytics can be found, for instance, at the Google Analytics help centre (https://support.google.com/analytics/answer/6004245?hl=en).

  1. Statify
    Likewise for the purposes of needs-based design and ongoing optimisation of our pages, we also use the statistics plug-in Statify from WordPress. Statify does not process or save any personal data such as IP addresses. Statify records
  • number of views (not visitors),
  • date,
  • source and
  • target.

Because of this way of working, Statify satisfies all requirements of the GDPR. Further information can be found at https://de.wordpress.org/plugins/statify/.

  1. Google AdWords Conversion Tracking
    To collect statistics on the use of our website and analyse them for the purpose of optimising our website for you we also use Google conversion tracking. With it Google AdWords places a cookie (see section V.) on your computer if you reached our website via a Google ad.

These cookies expire after 30 days and are not used for personal identification. If the user visits particular pages on the website of the AdWords customer and the cookie has not yet expired, Google and the customer can recognise that the user clicked on the ad and was directed to this page.

Each AdWords customer receives a different cookie. Cookies thus cannot be tracked via the websites of AdWords customers. The information gathered using the conversion cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. The AdWords customer obtains information about the total number of users who clicked on the customer’s ad and were directed to a page containing a conversion tracking tag. However, the customers do not receive any information allowing them to identify users personally.

If you do not wish to participate in the tracking process, you can reject the placing of a cookie required for this – for example, by changing your browser setting to deactivate the automatic placing of cookies in general. You can also deactivate cookies for conversion tracking by setting your browser to block cookies from the domain www.googleadservices.com. Google’s privacy policy for conversion tracking can be found at https://services.google.com/sitestats/en.html.

 

VII. Contact form and email contact

 

  1. Description and scope of data processing
    On our website there is a contact form which can be used for electronic contact. If a user makes use of this option the data entered into the form are transmitted to us and stored. These data are:

a.) last name, first name
b.) company
c.) function
d.) email address
e.) phone number
f.) message.

At the time at which the message is sent the following data are also saved:

g.) user’s IP address
h.) date and time of registration

For the processing of the data your consent is obtained and reference is made to this privacy policy during the sending operation.
Alternatively, contact can be made via the supplied email address. In this case the user’s personal data transmitted with the email are saved.
The data are not passed on to third parties in connection with this. The data are used solely for processing of the conversation.

  1. Legal basis for data processing
    The legal basis for processing of the data given the consent of the user is article 6(1)(a) of the GDPR.

The legal basis for processing of the data transmitted in the course of sending of an email is article 6(1)(f) of the GDPR. If contact via email is made for the purpose of concluding a contract, an additional legal basis for processing is article 6(1)(b) of the GDPR.

  1. Purpose of data processing
    Processing of the personal data from the form serves only towards processing of the query by us. In the event that contact is made via email, the required legitimate interest in processing of the data also lies therein.

The other personal data processed during the sending operation are used for preventing misuse of the contact form and ensuring the safety of our IT systems.

  1. Duration of retention
    The data are erased once they are no longer needed for achievement of the purpose for which they were collected. For the personal data from the contact form and the personal data sent via email, this is the case when the respective conversation with the user has ended. The conversation has ended when the circumstances allow it to be inferred that the relevant facts have been definitively clarified.

The personal data additionally collected during the sending operation are deleted at the latest after a period of fourteen days.

  1. Right to object and right to erasure
    The user can withdraw his or her consent to processing of personal data at any time. If the user contacts us by email, he or she can object to the saving of his or her personal data at any time. In such a case the conversation cannot be continued.

If you would like to make use of your right to withdraw or object you only need to send an email to info@k16.de.
All personal data which were saved in the course of the contact are deleted in this case.

 

VIII. Social media plug-ins

 

On the basis of article 6(1) sent.1 (f) of the GDPR we use social plug-ins from the social networks Facebook, Xing, Instagram, Pinterest and Twitter on our website to make our offering better known. The advertising purpose behind this is to be viewed as a legitimate interest in the sense given in the GDPR. Responsibility for operation in compliance with data protection requirements must be guaranteed by the respective providers. We integrate these plug-ins using the so-called two-click method to protect visitors to our website in the best possible way.

  1. Facebook
    On our website plug-ins from Facebook are used for personalising the use of it. For this we use the Like or Share button. These buttons are offerings from Facebook.

If you retrieve a page of our website which contains such a plug-in, your browser establishes a direct connection to Facebook’s servers. The plug-in content is transmitted by Facebook directly to your browser and incorporated into the page by it.

Through the integration of the plug-ins, Facebook receives the information that your browser has retrieved the corresponding page of our website even if you do not have a Facebook account or are currently not logged into Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the US and saved there.

If you are logged into Facebook, Facebook can directly associate the visit to our website with your Facebook account. If you interact with the plug-ins, e.g. by clicking on the Like or Share button, the corresponding information is likewise transmitted directly to a Facebook server and saved there. Moreover the information is published on Facebook and displayed to your Facebook friends.

Facebook can use this information for the purposes of advertising, market research and needs-based design of the Facebook pages. For this Facebook creates usage, interest and relationship profiles, e.g. to analyse your use of our website in relation to the ads displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide additional services associated with the use of Facebook.

If you do not wish to have Facebook associate the data collected via our website with your Facebook account, you must log out of Facebook before visiting our website.

Purpose and scope of data collection and further processing and use of the data by Facebook as well as your rights in this regard and setting  options for the protection of your private sphere can be found in Facebook’s data policy (https://www.facebook.com/about/privacy/).

  1. XING
    The XING Share button is used on this website. When you retrieve this website a connection to servers of XING AG (‘XING’) with which the XING Share button features (in particular the calculation / display of the counter value) are provided is temporarily established via your browser. XING does not save any personal data about you via the accessing of this website. XING especially does not save any IP addresses. Your usage behaviour is also not analysed through the use of cookies in connection with the XING Share button. Current data protection information pertaining to the XING Share button and supplementary information can be found at

https://www.xing.com/app/share?op=data_protection.

  1. Instagram
    Our website also uses plug-ins from Instagram which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (‘Instagram’).

The plug-ins can be identified by an Instagram logo, for example in the form of an Instagram camera.

If you retrieve a page of our website which contains such a plug-in, your browser establishes a direct connection to Instagram’s servers. The plug-in content is transmitted by Instagram directly to your browser and incorporated into the page by it. Through this integration, Instagram receives the information that your browser has retrieved the corresponding page of our website even if you do not have an Instagram account or are currently not logged into Instagram.

This information (including your IP address) is transmitted by your browser directly to an Instagram server in the US and saved there. If you are logged into Instagram, Instagram can directly associate the visit to our website with your Instagram account. If you interact with the plug-ins, e.g. by clicking on the Instagram button, this information is likewise transmitted directly to an Instagram server and saved there.

Moreover the information is published on your Instagram account and displayed to your contacts there.

If you do not wish to have Instagram directly associate the data collected via our website with your Instagram account, you must log out of Instagram before visiting our website.

  1. Pinterest
    Our website also uses plug-ins from Pinterest which is operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (‘Pinterest’).

The plug-ins can be identified by a Pinterest logo.

If you retrieve a page of our website which contains such a plug-in, your browser establishes a direct connection to Pinterest’s servers. The plug-in content is transmitted directly to your browser and incorporated into the page by Pinterest. Through this integration, Pinterest receives the information that your browser has retrieved the corresponding page of our website even if you do not have a Pinterest profile or are currently not logged into Pinterest.

This information (including your IP address) is transmitted by your browser directly to a Pinterest server which may even be in a country outside your home country, for example in the US, and saved there. If you are logged into Pinterest, Pinterest can directly associate the visit to our website with your Pinterest account. If you interact with the plug-ins, e.g. by clicking on the Pinterest button, this information is likewise transmitted directly to a Pinterest server and saved there.

Moreover the information is published on your Pinterest account and displayed to your contacts there.

If you do not wish to have Pinterest directly associate the data collected via our website with your Pinterest account, you must log out of Pinterest before visiting our website.

Further information pertaining to Pinterest’s privacy policy can be found at https://policy.pinterest.com/en/privacy-policy.

  1. Twitter
    Plug-ins from the short message network of Twitter Inc. (‘Twitter’) are integrated into our web pages. You can recognise Twitter plug-ins (tweet button) by the Twitter logo on our page. An overview of tweet buttons can be found here (https://about.twitter.com/resources/buttons).

If you retrieve a page of our website which contains such a plug-in, your browser establishes a direct connection to the Twitter server. Through this Twitter receives the information that you have visited our page with your IP address. If you click on the Twitter tweet button when you are logged into your Twitter account, you can link the content of our pages to your Twitter profile. This allows Twitter to associate your visit to our pages with your user account. We would like to point out that we as the provider of the pages do not receive any information about the content of the transmitted data or use of them by Twitter.

If you do not want Twitter to be able to associate your visit to our pages, please log out of your Twitter account.

Further information pertaining to this can be found in Twitter’s privacy policy (https://twitter.com/privacy).

IX. Applicant data

 

  1. Description and scope of data processing
    On our website you have the possibility of applying in response to job ads or speculatively. We use our form for applications to collect the necessary data which you voluntarily provide us for employee recruitment. The following data are collected:

a.) last name, first name, title
b.) country
c.) function
d.) email address
e.) phone number
f.) earliest start date
g.) highest level of education completed
h.) salary expectations
i.) application documents
j.) application photos
k.) how you found out about us

and optionally

l.) date of birth
m.) academic / professional / occupational title
n.) alternative phone number
o.) Skype name
p.) link to profile
q.) vocational training
r.) studies
s.) comment

At the time at which the message is sent the following data are also saved:

t.) user’s IP address
u.) date and time of registration

For the processing of the data your consent is obtained and reference is made to a corresponding privacy policy during the sending operation. You can manually enter the data in our application form or consent to the import of data from your XING or LinkedIn profile. Only after you have reviewed and approved the profile are the data available to our employees.

Alternatively, contact can be made via the supplied email address. In this case the user’s personal data transmitted with the email are saved.

Your application data are used solely for internal application processes and for in-house reporting purposes. In this context d.vinci HR-Systems GmbH, Nagelsweg 37–39, 20097 Hamburg, Germany, supports us as a technical service provider solely according to our instructions on the basis of a data processing agreement. Any other use or passing on of your application data to third parties does not take place. Your data are processed solely in Germany. Your data are not transferred to third countries (non-EU countries which are not secure in terms of data protection).

  1. Legal basis for data processing
    The legal basis for processing of the data given the consent of the user is article 6(1)(a) of the GDPR.

The legal basis for processing of the data transmitted in the course of sending of an email is article 6(1)(f) of the GDPR.

  1. Purpose of data processing
    Processing of the personal data from the form serves only towards processing of the query by us. In the event that contact is made via email, the required legitimate interest in processing of the data also lies therein.

The other personal data processed during the sending operation are used for preventing misuse of the contact form and ensuring the safety of our IT systems.

  1. Duration of retention
    The data are erased once they are no longer needed for achievement of the purpose for which they were collected. If your application is not successful, your data will be deleted by us six months after the application process has been completed.

For the case that we also wish to consider your application for other or future job openings, we will coordinate this with you individually.

The personal data additionally collected during the sending operation are deleted at the latest after a period of fourteen days.

  1. Right to object and right to erasure
    The user can withdraw his or her consent to processing of personal data at any time. If the user contacts us by email, he or she can object to the saving of his or her personal data at any time. In such a case the application process cannot be continued.

If you would like to make use of your right to withdraw or object you only need to send an email to info@k16.de. All personal data which were saved in the course of the contact are deleted in this case.

 X. Rights of the data subject

If your personal data are processed you are a data subject in the sense given in the GDPR and the data controller must grant you the following rights:

  1. Right to access

You can demand from the data controller confirmation as to whether your personal data are processed by us.

If such processing occurs, you can demand information about the following from the data controller:

a.) the purposes for which the personal data are processed;
b.) the categories of personal data that are processed;
c.) the recipients or categories of recipients to whom your personal data were or will be disclosed;
d.) the planned duration of retention of your personal data or, if concrete information cannot be provided regarding this, the criteria for determining the duration of retention;
e.) the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the data controller or a right to object to this processing;
f.) the existence of a right to lodge a complaint with a supervisory authority;
all available information about the origin of the data if the personal data are not collected from the data subject;
g.) the existence of automated decision-making including profiling pursuant to articles 22(1) and 22(4) of the GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and intended impact of such processing on the data subject.

You additionally have the right to demand information as to whether your personal data will be transmitted to a third country or to an international organisation. In connection with this you can demand information about the appropriate guarantees pursuant to article 46 of the GDPR in connection with the transfer.

  1. Right to rectification
    You have the right to demand rectification and/or completion from the data controller if the processed personal data concerning you are incorrect or incomplete. The data controller must carry out the rectification immediately.
  2. Right to restriction of processing
    You can demand the restriction of processing of your personal data under the following conditions:

a.) you dispute the accuracy of your personal data for a period of time that enables the data controller to verify the accuracy of the personal data;
b.) processing is unlawful and you reject the erasure of the personal data and instead demand the restriction of the use of the personal data;
c.) the data controller no longer requires the personal data for the purposes of processing, but you need them for asserting, exercising or defending legal claims; or
d.) you have objected to processing pursuant to article 21(1) of the GDPR and it is still not clear as to whether the legitimate grounds of the data controller override your grounds.

If the processing of your personal data has been restricted, these data may – apart from being saved – only be processed with your consent or for the assertion, exercising or defence of legal claims or for the protection of the rights of another natural or juridical person or for reasons of an important public interest of the Union or a Member State.

If processing has been restricted in accordance with the above-mentioned conditions, you will be informed by the data controller before the restrictions are lifted.

  1. Right to erasure

a.) Erasure obligation
You can demand from the data controller the deletion of your personal data without delay and the controller will be obligated to erase these data immediately if any of the following reasons applies:

i) Your personal data are no longer needed for the purposes for which they were collected or otherwise processed.

ii) You withdraw your consent on which processing pursuant to article 6(1)(a) or 9(2)(a) of the GDPR is based and there is no other legal basis for processing.

iii) You object to processing pursuant to article 21(1) of the GDPR and there are no overriding legitimate grounds for processing, or you object to processing pursuant to article 21(2) of the GDPR.

iv) Your personal data were processed unlawfully.

v) Erasure of your personal data is necessary for fulfilment of a legal obligation under Union law or the Member State law which the data controller is subject to.

vi) Your personal data were collected in relation to offered information society services pursuant to article 8(1) of the GDPR.

b.) Informing of third parties
If the data controller published your personal data and if he or she is obligated to delete them pursuant to article 17(1) of the GDPR, he or she shall in consideration of the available technology and the implementation costs take reasonable measures including those of a technical nature to inform the persons responsible for processing the personal data (data processors) that you as the data subject have demanded the deletion of all links to these personal data or of copies or replications of these personal data.

c.) Exceptions
The right to erasure does not apply if processing is necessary

i.) for exercising of the right to freedom of expression and information;

ii.) for fulfilment of a legal obligation requiring processing under Union law or the Member State law which the data controller is subject to or for carrying out of a task lying in the public interest or performed in the exercising of official authority vested in the controller;

iii.) for reasons of public interest in the area of public health pursuant to articles 9(2)(h) and 9(2)(i) as well as article 9(3) of the GDPR;

iv.) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to article 89(1) of the GDPR insofar as the right mentioned in section a.) is likely to render impossible or seriously impede the realisation of the goals of this processing; or

v.) for assertion, exercising or defence of legal claims.

  1. Right to be informed
    If you have asserted the right to rectification, erasure or restriction of processing by the data controller, the controller is obligated to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom your personal data were disclosed unless this proves to be impossible or requires an unreasonable amount of effort.

You have the right to be informed of these recipients by the data controller.

  1. Right to data portability
    You have the right to receive in a structured, standard and machine-readable format the personal data concerning you which you provided to the data controller. In addition you have the right to transfer these data to another data controller without hindrance by the data controller to whom the personal data were supplied provided that

a.) processing is based on consent pursuant to article 6(1)(a) of the GDPR or article 9(2)(a) of the GDPR or on a contract pursuant to article 6(1)(b) of the GDPR and

b.) processing occurs with the help of automated processes.

In the exercising of this right you further have the right to effect the transmission of your personal data directly from one data controller to another data controller as far as this is technically feasible. The freedoms and rights of other persons may not be adversely affected by this.

The right to data portability does not apply to processing of personal data which is necessary for carrying out of a task lying in the public interest or performed in the exercising of official authority vested in the controller.

  1. Right to object
    You have the right to object to processing of your personal data on the basis of article 6(1)(3) or 6(1)(f) of the GDPR at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions.

The data controller will no longer process your personal data unless he or she can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms or the processing serves towards asserting, exercising or defending of legal claims.

If your personal data are processed for direct advertising you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling if it is connected to direct advertising.

If you object to processing for direct advertising purposes, your personal data will no longer be processed for these purposes.

In connection with the use of information society services you have the option – notwithstanding directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

  1. Right to withdraw the declaration of consent required by data protection law
    You have the right to withdraw at any time the declaration of consent you provided in compliance with data protection law. Through the withdrawal of consent the lawfulness of the processing which occurred on the basis of the consent up to the time of withdrawal is not affected.
  2. Automated individual decision-making including profiling
    You have the right to not be subject to a decision made solely based on automated processing – including profiling – which has a legal effect on you or significantly affects you in a similar way. This does not apply if the decision-making

a.) is necessary for conclusion or performance of a contract between you and the data controller;

b.) is permissible due to legal provisions of the Union or of Member States which the data controller is subject to and these legal provisions contain reasonable measures for safeguarding of your rights and freedoms as well as your legitimate interests; or

c.) takes place with your explicit consent.

However, these decisions may not be based on special categories of personal data in accordance with article 9(1) of the GDPR if article 9(2)(a) or 9(2)(g) of the GDPR does not apply and reasonable measures for safeguarding of your rights and freedoms as well as your legitimate interests have been taken.

Concerning the cases referred to in a.) and c.), the data controller shall take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests which at least include the right to obtain human intervention on the data controller side, to state your position and to contest the decision.

  1. Right to lodge a complaint with a supervisory authority
    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which your place of residence, your place of work or the place of alleged violation is located, if you believe that the processing of your personal data violates the GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and the outcome of the complaint including the possibility of a judicial remedy in accordance with article 78 of the GDPR.

Menu