16. Rights of data subjects
Provided your personal data is processed, you are considered the data subject as per GDPR and are entitled to the rights listed below with regard to the controller.
Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data relating to you is being processed. Should this be the case, you can request the following information:
(1) The purposes for which the personal data is processed;
(2) The categories of the personal data processed;
(3) The recipients/categories of recipients receiving the personal data related to you;
(4) The planned duration of the retention of the personal data relating to you or, if it is not possible to provide specific information in this regard, criteria for determining the retention period;
(5) Existence of a right to rectification or erasure of the personal data related to you, a right to restrict processing by the controller, or a right to object to this processing;
(6) The existence of a right to appeal to the authorities;
(7) All available information on the origin of the data if the personal data is not collected from the associated individual;
(8) The existence of automated decision-making, including profiling, as per Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved as well as the reach and intended effects of such processing for the data subject.
You have the right to be informed of whether the personal data related to you is transmitted to a third country or an international organization. In this context, you can request to be informed of appropriate safeguards as per Art. 46 GDPR in conjunction with the transmission of your data.
Right to rectification
You have the right to rectification and/or completion provided the processed personal data related to you is incorrect or incomplete. The controller must promptly rectify the issue.
Right to restrict processing
You can exercise your right to restrict processing of the personal data related to you provided the following conditions are met:
(1) If you dispute the accuracy of the personal data related to you for a period that enables the controller to verify the accuracy of the data;
(2) Processing is wrongful and you reject the deletion of your personal data, instead exercising your right to restrict the use of your personal data;
(3) The controller no longer requires the personal data for processing, but you need it to assert, exercise, or defend legal claims.
(4) If you have exercised your right to object to processing as per Art. 21 Sec. 1 GDPR and it has not been determined whether the legitimate interest of the controller outweighs your interest.
Where the processing of personal data related to you has been restricted, this data may only be processed (besides storage) with your express consent or to assert, exercise, or defend legal claims, or to protect the rights of other natural or legal persons, or for reasons of an important public interest of the European Union or a member state.
If restriction of processing was lifted based on the requirements above, you will be notified by the controller before this restriction is lifted.
Right to erasure
a) Obligation of erasure
You have the right to obtain from the controller the erasure of any personal data related to you and the controller is under the obligation to erase this data without undue delay provided one of the following grounds applies:
(1) The personal data related to you is no longer needed for the purpose for which it was collected or processed in any other way.
(2) You withdraw your consent for processing based on Art. 6 Sec. 1 a or Art. 9 Sec. 2 a GDPR and there is no other legal basis for processing.
(3) As per Art. 21 Sec. 1 GDPR, you object to processing and there are no overriding legitimate grounds for processing; or, you object to processing as per Art. 21 Sec. 2 GDPR.
(4) The personal data related to you was processed unlawfully.
(5) Deletion of the personal data related to you is required to fulfil an obligation by EU law or law of member states to which the controller is subject.
(6) The personal data related to you was collected as per Art. 8 Sec. 1 GDPR with regard to the services offered by the information company.
b) Information to third parties
If the controller has published your personal data and is obligated to delete this data as per Art. 17 para. 1 GDPR, the controller shall take suitable measures taking into account the available technology and implementation costs, including those of a technical nature, to inform the party responsible for processing the personal data that you as data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to erasure does not apply if processing is required
(1) to exercise the right to free expression of opinion and information;
(2) to meet a legal obligation requiring processing in accordance with the law of the European Union or a member state to which the controller is subject, or to carry out a duty in the public interest or in exercising official authority assigned to the controller;
(3) for reasons of public interest in the area of public health as per Art. 9 Sec. 2 h as well as Art. 9 Sec. 3 GDPR;
(4) for archiving purposes in the public interest, economic or historical research purposes, or for statistical purposes as per Art. 89 Sec. 1 GDPR provided that the right named in a) is not expected to render attainment of the objectives of this agreement impossible or have a serious negative effect, or
(5) to assert, exercise, or defend legal claims.
Right to be informed
If you have exercised your right to rectification, erasure, or to restrict processing vis-à-vis the controller, the controller is obligated to notify all recipients to which your personal data was disclosed of rectification or deletion of the data, or restriction to its processing, unless this proves to be impossible or requires a disproportional amount of effort. You have the right to be informed of these recipients by the controller.
Right to data portability
You have the right to receive the personal data related to you that you have provided to the controller in a structured, commonly used, machine-readable format. In addition, you have the right to pass on this data to another controller without interference of the controller to which you have provided the personal data, provided
(1) processing is based on consent as per Art. 6 Sec. 1 a GDPR or Art. 9 Sec. 2 a GDPR, or on a contract as per Art. 6 Sec. 1 b GDPR and
(2) processing is carried out by automated processes.
In exercising this right, you also have the right to demand your personal data be transferred directly from one controller to another controller, provided this is technically feasible. This must not negatively affect the freedoms and rights of other individuals.
The right to data portability does not apply to processing of personal data required or to carry out a duty in the public interest or in exercising official authority assigned to the controller.
Right to object
You have the right to object to the processing of your personal data based on Art. 6 Sec. 1 e or f GDPR for reasons resulting from your particular situation at any time; this also applies to profiling based on these provisions.
The controller no longer processes your personal data unless the controller can provide compelling legitimate reasons that outweigh your interests, rights, and freedoms, or processing serves to assert, exercise, or defend legal claims.
If the personal data related to you is processed to carry out direct advertising, you have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling provided directly related to such direct advertising.
If you object to processing for purposes of direct advertising, your personal data will no longer be processed for this purpose.
You have the option to exercise your right to object by means of an automated process which uses technical specifications in connection with the use of services provided by the information society, directive 2002/58/EC notwithstanding.
Right to withdraw consent to use of data
You have the right to withdraw your consent to the use of your data at any time. Withdrawing your consent does not affect the lawfulness of the processing taking place based on your consent up to withdrawal.
Automated decision including profiling in individual cases
You have the right to not be subjected to a decision based solely on automated processing, including profiling, that has a legal effect on you or affects you significantly in a similar manner. This does not apply if the decision
(1) is required to conclude or fulfil a contract between you and the controller,
(2) is permissible based on provisions of the European Union or a member state to which the controller is subject and these provisions contain suitable measures to protect your rights and freedoms as well as your legitimate interests, or
(3) is carried out with your express permission.
However, these decisions shall not be based on special categories of personal data as per Art. 9 Sec. 1 GDPR provided Art. 9 Sec. 2 a GDPR applies and suitable measures have been taken to protect your rights and freedoms as well as your legitimate interests.
With regard to the cases named in (1) and (3), the controller shall take appropriate measures to ensure your rights and freedoms as well as your legitimate interests, including at least the right to request an individual on the side of the controller to intervene, to present your own position, and to contest the decision.
Right to appeal to the authorities
Notwithstanding any other administrative or judicial decision, you have the right to appeal to the authorities, especially in the member state where you are located, of your workplace, or of the location of the alleged violation if you believe that the processing of your personal data is in violation of GDPR.
The authority receiving the appeal shall inform the appealing party of the status and result of the appeal, including the option for a legal decision as per Art. 78 GDPR.
We reserve the right to change the policy at any time subject to data privacy regulations.