Online Privacy

1. Information about collecting personal data

The following provides information on the processing of personal data when using our websites www.elo.com/de-de, www.elo.com/en-dewww.elooffice.com, www.elooffice.com/blog, forum.elooffice.com, pages.elo.com and partner.elo.com (all referred to in the following as "website") and our platform services, which incorporate this Privacy Policy by reference. Personal data is all information referring to an identified or identifiable natural person (see Art. 4 No. 1 General Data Protection Regulation, "GDPR" in the following). This includes information such as your name, e-mail address, usage behavior, or postal address. Information that cannot be directly linked to your identity, such as the number of users of a website, is not considered personal information.

2. Name and address of the controller

a) The controller as per Art. 4 Sec. 7 GDPR is:
ELO Digital Office GmbH
Tuebinger Str. 43
70178 Stuttgart
Tel.: +49 711 806089 - 0
dsb[at]elo.com
www.elo.com

b) Name and address of the data protection officer
Our data protection officer has been appointed for the head office in Stuttgart (ELO Digital Office GmbH) and is the person to contact for matters relating to the collection of personal data that are processed directly by ELO Digital Office GmbH, Tübinger Str. 43, 70178 Stuttgart, Germany. ELO Digital Office GmbH head office in Stuttgart is also responsible for the www.elo.com website in German, English, Spanish, and Portuguese.


If you have any queries in this regard, please contact the data protection officer at dsb[at]elo.com. If the query relates to data that is not collected in Stuttgart, please contact the address above.

3. General information on data processing

a) Scope of processing of personal data
We process your personal data only to the extent necessary to provide a functional website and for our content and services, and only data that are needed to carry out the stated purpose (principle of data minimization). Your personal data will only be processed if it constitutes a justified interest pursuant to Art. 6 GDPR or it is expressly allowed by law.

b)Data deletion and storage periods
Your personal data will be deleted or blocked as soon as the purpose for which it was collected and saved and the reason for the storage no longer applies, or if you request us to delete or block it. For more information, refer to the section on the rights of data subjects.

4. Proper processing of personal data

a) Processing personal data when visiting our website
When using the website for information purposes only, i.e. if you do not register or otherwise provide us with information by entering data, we only collect the personal data your browser automatically transmits to our server via log files. The log files contain IP addresses or other data that enable a user to be identified. If you want to view our website, we collect the following personal data with the server log files:

  • User IP address
  • Date and time of access/request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Access status/HTTP status code
  • Website that the request originates from
  • Language and version of the browser software.

b) Legal basis for data processing
The legal basis for temporary storage of data and log files is Art. 6 Sec. 1 f GDPR.

c) Purpose of data processing
Temporary storage of the IP address by the system is necessary in order to provide the website to your computer. The IP address has to remain stored over the duration of the session. It is stored in log files in order to ensure the functionality of the website. In addition, the data helps us optimize the website and ensure the security of our IT systems. In this context, the data is not analyzed for marketing purposes.

d) Retention period
The data are stored in log files for seven days. Data can also be stored beyond this period. In this case, user IP addresses are deleted or disguised so that it is no longer possible to associate them with the respective client.

e) Right to object and right to erasure
We are required to collect and store specific data in log files for the purpose of delivering the website and to ensure it works properly. While the user does not have the right to object to this, you will find other rights of data subjects at the end of this page.

5. Use of cookies

We use cookies to store information that allows us to customize our site according to your individual interests and make our website more user-friendly. A cookie is a small piece of data that stores configuration information (e.g. language setting, logon credentials) on your end device.

The cookies used on the website may be broadly classified into strictly necessary cookies and optional cookies. The legal basis for collecting strictly necessary cookies (functional cookies) is Art. 6 (1) lit. f GDPR. We will not set optional cookies (e.g. tracking cookies) unless we have an active indication of your consent (via the cookie consent banner) in accordance with Art. 6 (1) lit. a GDPR.

For more information about the types of cookies, what they are used for, how long they are stored, and how you can block or delete them, click here

6. Newsletter

a) Description and scope of data processing
On our website or as part of prize draws or surveys, you have the option to subscribe to a free newsletter. When you sign up for the newsletter, the data you enter to the respective form is transmitted to us. The only information you have to provide to receive the newsletter is your e-mail address and your location. In order to process the data, we obtain your consent during the registration process and refer to the Privacy Policy. With your consent, you can subscribe to our newsletter, which informs you of our products, solutions, and events in the field of enterprise content management.

b) Legal basis for data processing
For the newsletter subscription process, we use a double opt-in method. This means that after you subscribe, we will send an e-mail to the address you have provided asking you to confirm you would like to receive the newsletter. If you do not confirm subscription within 24 hours, your information is locked and automatically deleted in one month. Within the context of newsletter subscription, the legal basis for processing data is your agreement as per Art. 6 Sec. 1 a GDPR.

c) Purpose of data processing
We require your e-mail address to deliver the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used as well as to create a personalized user profile in order to better match advertising and online offerings to your personal interests. We use a third-party tool, which processes and saves this data in the EU, to send our newsletter. Using this tool, we can create analyses on opening frequency, bounces, and clicks at the personal level.The ELO branches use various tools for this purpose: ELO Digital Office GmbH, Germany: Rapidmail more at www.rapidmail.de/datensicherheit.

d) Retention period
The data you transmit are stored for as long as your newsletter subscription is active, you request deletion (this does not automatically occur when you unsubscribe), or you revoke your consent.

e) Right to object and right to erasure
You can revoke your consent to receive the newsletter at any time (by clicking on the link provided in each e-mail) and unsubscribe from the newsletter as well as make use of the other rights of data subjects (see bottom of page).

7. Event registration

a) Description and scope of data processing
On our website, we offer you the option to register for different events (webinars, trade fairs, conferences, etc.) by specifying your personal data. The personal data that you are required to provide for this purpose is entered to a form, transferred to us, and stored.
The following data are collected during this registration process:
i. Mandatory data: Company name, postal code, town or city, first and last name, e-mail address, event that you are registering for, invited by.
ii. Voluntary information: Postal address, country, telephone number, title
The following data are also stored at the time of registration: The IP address of the user, date and time of registration, website that the request originates from.
As part of the registration process, we request your consent to process this data.

b) Legal basis for data processing
Registration serves to fulfil a contract or to carry out pre-contractual duties that you are bound to by contract. The legal basis for processing data is Art. 6 Sec. 1 (b) GDPR. The legal basis for processing further voluntary data as part of the registration process is user agreement as per Art. 6 Sec. 1 (a) GDPR.

c) Purpose of data processing
Your registration is mandatory to fulfil a contract or to carry out pre-contractual duties. The data collected for these contracts is required for planning, carrying out, and following up on the respective event as well as for optimizing our event offering, and sending information in this regard.

d) Retention period
The data will be deleted as soon as the obligations of both contracting parties have been fulfilled. This includes fulfilment of pre-contractual duties as well as implementing and following up on them. After the contract is concluded, it may still be necessary to store and maintain personal data of the contractual partner in order to meet contractual or legal obligations.

e) Right to object and right to erasure
If data is required to fulfil a contract or carry out pre-contractual duties, it is only possible to delete data prematurely provided no contractual or legal obligations would disallow deletion. You will find other rights of data subjects at the bottom of the page.

f) Possible transfer to third parties
When registering for events, you can specify which ELO Business Partner has invited you to the specific event. In this case, we transfer the data you enter to the corresponding form to the specified partner. The data collected for this purpose and to be transmitted helps the ELO Business Partner to plan, carry out, and follow up on the respective event, in particular contract performance. The legal basis for processing data is Art. 6 para. 1 lit. f GDPR, i.e. the legitimate interest for the aforementioned reasons. The data is deleted once it is no longer required for the purpose it was collected for or you request its deletion in accordance with your rights as a data subject (for more details, see "Rights of data subjects" in this declaration).

Furthermore, the event offers you the opportunity to sign up for our webinars. This is done using the "GoToWebinar" service. To carry out this service, ELO sends your data to the operator LogMeIn, which ELO has commissioned to process data in line with GDPR. The legal basis for processing personal data is Art. 6 (1) lit. b GDPR (contract performance) in conjunction with Art. 6 (1) lit. f GDPR (legitimate interest). Data is collected and processed in order to plan, carry out, and follow up on the webinar. The data is deleted by ELO once it has been processed or whenever statutory requirements require it to be stored for a longer period.

Provided you exercise your rights as a data subject (see "Rights as a data subject"), we will forward your request to our processor as well.

8. Contact via e-mail/the contact form

a) Description and scope of processing data
Our website contains a contact form that can be used to contact us. If you make use of this option, the data you enter to the form will be transmitted to us and, if applicable, sent to data processors commissioned by us and subsequently processed (for more details, see "Data processors"). The following data is collected:
i. Mandatory data: Company, first and last name, country, e-mail address, your request, and your message including the data provided with it
ii. Voluntary information: Postal address, town or city, postal code, telephone number
The following data are also stored at the time the message is sent: Your IP address, date and time of registration, website that the request originates from

During the sending process, you will be asked for your consent to process this data and reference will be made to this Privacy Policy. Alternatively, you can contact us via the e-mail address provided. In this case, the personal data transferred with your e-mail address is stored. The data is only used to process the correspondence.

b) Legal basis for data processing
The legal basis for processing data is your agreement as per Art. 6 Sec. 1 a GDPR. The legal basis for processing data collected in the context of e-mail delivery is Art. 6 Sec. 1 f GDPR. If e-mail contact is made with the objective of concluding a contract, the legal basis for processing is Art. 6 Sec. 1 b GDPR.

c) Purpose of processing data
We process personal data from the form solely to process your reason for contacting us. Other data processed during delivery serve to prevent misuse of the contact form and ensure the security of our IT systems.

d) Retention period
The personal data entered to the contact form and sent by e-mail are deleted when the correspondence with the user has ended. The correspondence is considered ended when it can be assumed from the circumstances that the relevant matter has been resolved fully. The additional personal data collected as part of the delivery process is deleted within seven days.

e) Right to object and right to erasure
The user can revoke their consent to processing of personal data at any time, as well as assert their other rights as data subjects, which can be found at the end of this declaration.

The partner contact form:

On our website, you will find a contact form that you can use to contact an ELO Partner directly. If you use this function, the data you enter in the form, including your request, is transmitted to the ELO Partner via e-mail and stored. The selected ELO Partner is contacted via this form, meaning your data is sent to this partner. ELO receives a copy of this data, which is temporarily saved in our database. The legal basis for temporary storage of data is Art. 6 para. 1 lit. f GDPR. This data is processed for technical purposes, which serves to send a relevant e-mail to the partner. The data is deleted once it is no longer necessary to achieve the purpose for which it was collected, within seven days at the latest. Data may not be stored beyond this period. You will find your rights as a data subject at the bottom of the page.

9. White-Paper

a) Description and scope of data processing
On our website, you have the option to download different white papers. The personal data that you are required to provide for this purpose is entered to a form, transferred to us, and stored. The data will not be passed on to any third party. The following data are collected during this registration process:
i. Mandatory data: First and last name, e-mail address, country
ii. Voluntary information: Company, title
The following data are also stored at the time of registration: The IP address of the user, date and time of registration, website that the request originates from, white paper that was downloaded.

During the registration process, you will be asked for your consent to process this data.

b) Legal basis for data processing
Registration serves to fulfil a contract or to carry out pre-contractual duties that you are bound to by contract. The legal basis for processing data is Art. 6 Sec. 1 (b) GDPR. The legal basis for processing further data as part of the registration process is your agreement as per Art. 6 Sec. 1 (a) GDPR.

c) Purpose of data processing
Your registration is mandatory to fulfil a contract or to carry out pre-contractual duties. The data collected for these contracts are mandatory to optimize the white paper offering.

d) Retention period
The data will be deleted as soon as the obligations of both contracting parties have been fulfilled. This includes fulfilment of pre-contractual duties as well as implementing and following up on them. After the contract is concluded, it may still be necessary to store and maintain personal data of the contractual partner in order to meet contractual or legal obligations.

e) Right to object and right to erasure
Right to object and right to erasure

10. "My ELOoffice": ELOoffice free, creating an account and product registration

a) Description and scope of data processing
On our website, we offer you the option to set up a "My ELOoffice" account and register your purchased ELOoffice license by entering personal data. The personal data that you are required to provide for this purpose is entered to a form, transferred to us, and stored. The following data are collected during this registration process:
i. Mandatory information: company name, title, first and last name, e-mail address, postal code, country, serial number (only for product registration)
ii. Voluntary information: academic title, street address, telephone, town/city
The following data is also saved when you subscribe/register: your IP address, date and time of registration, website from which the request originates

During the registration process, you will be asked for your consent to process this data and reference is made to the Privacy Policy.

b) Legal basis for data processing
Registration/subscription serves to fulfil a contract to which you are a contractual party or to carry out pre-contractual duties. The legal basis for processing data is Art. 6 Sec. 1 b GDPR. The legal basis for processing further voluntary data as part of the registration process is your agreement as per Art. 6 Sec. 1 a GDPR.

c) Purpose of data processing
Your registration/subscription is mandatory to fulfil a contract to which you are a contractual party or to carry out pre-contractual duties. The data collected for these contracts is required to set up a "My ELOoffice" account and use the information available there, for example to download the free version of ELOoffice. During product registration, the collected data is required to enable access to the protected download area and to the ELOoffice forum, as well as to grant you two free support tickets.

d) Retention period
The data collected during the registration process are deleted when you cancel or change your registration on our website. The data that the contract is based on is deleted as soon as the contract is terminated and the data no longer needs to be stored (the duration of the contract includes preparation of, execution of, and following up on the contract).

e) Right to object and right to erasure
You will find your rights as a data subject pursuant to Art. 12 et seq. GDPR at the bottom of the page.

11. ELOoffice support request

a) Description and scope of data processing
On our website/in the protected "My ELOoffice" area, we offer you the option to submit support requests related to the ELOoffice product by entering personal data. The personal data that you are required to provide for this purpose is entered to a form, transferred to us, and stored. The following data are collected during the registration process:
i. Mandatory information: customer number, company name, first and last name, e-mail address , country, serial number
ii. Voluntary information: street, postal code, town/city, telephone
The following data is also saved when you subscribe/register: your IP address, date and time of the support request, website from which the request originates

During the sending process, you will be asked for your consent to process the data and reference will be made to this Privacy Policy.

b) Legal basis for data processing
ELOoffice support requests serve to fulfil a contract to which you are a contractual party or to carry out pre-contractual duties. The legal basis for processing data is Art. 6 Sec. 1 b GDPR. The legal basis for processing further voluntary data as part of the registration process is your agreement as per Art. 6 Sec. 1 a GDPR.

c) Purpose of data processing
Your ELOoffice support request is mandatory to fulfil a contract to which you are a contractual party or to carry out pre-contractual duties. We process personal data from the form solely to process your support request.

d) Retention period
Your data will be deleted as soon as the correspondence has ended (your request has been solved) and there is no longer a reason to store your data. The correspondence is considered ended when it can be assumed from the circumstances that the relevant matter has been resolved fully. If data is required to fulfill a contract or carry out pre-contractual duties, it is only possible to delete data prematurely provided no contractual or legal obligations would disallow deletion.

e) The right to object and rectificationRight to object and right to erasure
You will find your rights as a data subject pursuant to Art. 12 et seq. GDPR at the bottom of the page.

12. Data processor/data transmission

Processor within the EU
In some cases, we employ external service providers (data processors) from the EU to process your data. These have been carefully selected by us, amongst other things to ensure that they meet the requirements for compliance with GDPR. This may be the case, for example, when you register for events, sign up for the newsletter, take part in promotions, competitions or otherwise contact us or submit support requests. To ensure that your personal data is processed correctly as per GDPR, we enter into corresponding data processing agreements with these providers, who guarantee that they implement appropriate technical organizational measures to ensure that your data is handled securely. Recipients of your data are mainly providers of e-mail, hosting, analysis tool, and platform services (http://account.elo.com) as well as the head office (technical support) and business partners.

If any of these data processors are located in another EU country, we have checked that they meet the requirements of Art. 28 and Art. 44 et seq. GDPR. In each case, we conclude a written contract with these data processors.

13. Use of our portal

(1) Provided you would like to use our PartnerPortal (reserved for ELO sales partners and customers of the ELOprofessional and ELOenterprise products), you must register by specifying your e-mail address, a custom password, and a user name of your choice. Use of a real name is mandatory; anonymous accounts are not permitted. The data named above is mandatory; you can provide all other information on a voluntary basis while using our portal.

(2) If you use our portal, we save your data required to fulfill the contract until you delete your account permanently. Furthermore, we store the data you have provided voluntarily for as long as you use the portal, unless you delete it first. You can manage and change all information in the protected customer area. The legal basis is Art. 6 para. 1 sentence 1 lit. b and Art. 6 para. 1 lit. a GDPR.

(3) Your entire profile (exception: user name, position, company) is not visible to members of the portal. If you make content available to your personal contacts without sending it in a private message, this content can also be seen by other parties. If you upload posts to public groups, these can be viewed by all portal members who are logged on.

(4) To prevent third parties from gaining unauthorized access to your personal data, the connection is encrypted by means of TLS technology.

14. Use of the ELOoffice online shop

a) Purpose
If you want to place orders in the ELOoffice online shop, you are required to provide the personal data that is needed to process your order. The mandatory information required to process contracts is marked; all other information is voluntary. The data you have provided is used to process your order. Your payment data may be passed on to a payment service provider. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR.
You can optionally create a customer account so that your data is stored for subsequent purchases. When creating an account on, the data you enter is stored and can be revoked. You can delete all other data, including your user account at any time.

b) Legal basis and scope
Provided you have given express consent (in particular based on Art. 6 para. 1 sentence 1 a GDPR), the data you have provided can also be processed in order to notify you of other relevant products from the ELO Digital Office portfolio or to send you e-mails with technical information. Your rights as a data subject, which you will find at the bottom of the page, apply.

c) Retention and deletion periods
Your address, payment and order data will be stored for a period of ten years in accordance with commercial and tax law requirements. However, after two years we restrict processing of this data, i.e. your data is only used to meet legal obligations. To prevent third parties from gaining unauthorized access to your personal data, in particular financial data, the ordering process is encrypted by means of TLS technology.

15. Third-party integration

(1) Your address, payment and order data will be stored for a period of ten years in accordance with commercial and tax law requirements. However, after two years we restrict processing of this data, i.e. your data is only used to meet legal obligations. To prevent third parties from gaining unauthorized access to your personal data, in particular financial data, the ordering process is encrypted by means of TLS technology.

(2) To this extent, we have an influence on the data collected and processing of such data by using the services of the aforementioned providers and have a responsibility in that by integrating the icon, the user is able to find the ELO website on the respective social media platform, enabling the service provider to obtain data in this way. This limits our responsibility as ultimately you make an active decision to provide your consent to transmit the data via the link. The only information available to us about the scope of data collection, the purposes and form of processing as well as the retention periods is the official information of the provider that is accessible to everyone. We inform you about this in the following.

(3) The third-party provider can store the data collected on you as user profiles, and uses these for the purposes of advertising, market research, and/or to optimize the content of its website. This type of analysis is carried out in order to deliver individual advertisements and to notify other users of the social network of your activities on our website (including for users that are not logged on). Since you are the data subject as per GDPR, you have the right to object to the creation of these user profiles or storage of data as per GDPR. To exercise these rights, you must contact the respective third-party provider, as they have direct access to these data. You can access privacy notices regarding the use of our websites and the ELO Digital Office privacy policy via the links on our websites. These do not apply to your activities on the websites of social media networks. You can read the data protection regulations of these providers on their respective websites.

(4) We have our own social media pages on the third-party sites that can be accessed via links from this website. The links take you to the respective websites of the third-party providers (e.g. Facebook, Twitter, Xing, LinkedIn), and you can also share content that we publish. No data is transferred when you access our website. As soon as you access the third-party provider's website, the privacy policy of that provider and other declarations on the use of data shall also apply. We have no influence on this, but we recommend that you log out of the respective third-party provider's website before using a link. This ensures that no data are transferred that the third-party provider could use to create user profiles. To protect your data, we have deliberately only used links and have refrained from using additional third-party plug-ins.

Addresses of the respective plug-in providers and URLs to their privacy policies:

Integration of Google Maps

(1) Our website uses the services of Google Maps. This enables us to display interactive maps directly on the website and enables you to use the map function.

(2) By visiting the website, Google receives information that you have accessed the corresponding subpage of our website. In addition, the data specified under No. 4 (Proper processing of personal data) of this declaration will be transmitted. This occurs regardless of whether or not you are logged in with a Google user account. If you are logged in with Google, the data we collect can be associated directly with your account. If you do not want your profile to be associated with Google, you must log out before activating the button. Google stores the data collected about you as user profiles, and uses these for the purposes of advertising, market research, and/or to optimize the content of its website. This type of analysis is carried out primarily to deliver targeted advertisements and to notify other users of the social network of your activities on our website (including for users that are not logged on). You have the right to object to the creation of these user profiles, although you must contact Google in order to exercise this right.

(3) For further information on the purpose and scope of data collection and processing, refer to the link provided next to the icon in Google's privacy policy. This page provides more information on the rights and options available to protect your privacy: https://policies.google.com/privacy?hl=en. Google also processes your personal data in the USA and is also subject to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework. Requests relating to data protection should be addressed to Google's European headquarters: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

Data that we receive as a result of visits to our fan page on Facebook ("Page Insights Addendum")


a) Subject
Facebook provides ELO with Page Insights for the company website (referred to as "fan page"). Page Insights are aggregated data that can help ELO understand how users are engaging with the fan page.
Page Insights may be based on personal data collected in connection with a visit or interaction of users with the fan page and its content. The Court of Justice of the European Union (CJEU) has ruled that in such a case Facebook Ireland Limited ("Facebook Ireland") and the fan page operator (ELO) are jointly responsible (pursuant to Art. 26 GDPR) for the Insights Data
This Page Insights Addendum sets out the main elements of the agreement on shared responsibility and related data processing. For more information, refer towww.facebook.com/legal/terms/information_about_page_insights_data.

b) Responsibilities
Facebook Ireland takes primary responsibility pursuant to GDPR for processing Insights Data and agrees to comply with all obligations under GDPR with respect to processing Insights Data (including Art. 12 and 13, Art. 15 to 22, and Art. 32 to 34 GDPR). In addition, Facebook Ireland shall make the main elements of this Page Insights Addendum available to data subjects (you as a user) (see link above).
Responsibility for processing the data from the fan page itself lies with the controller named at the beginning of this declaration.

c) Legal basis
The legal basis for processing Insights data pursuant to GDPR is Art. 6 (1) lit. a GDPR. You can opt-out at any time in the settings for your ad preferences. To do so, use the following links: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen and http://www.youronlinechoices.com.
As a data subject within the meaning of GDPR, you also have other rights, which you will find at the bottom of this declaration. You can exercise these rights by contacting Facebook Ireland or ELO.

d) Processing activity and supervision
Facebook Ireland is solely responsible for taking and implementing decisions about processing Insights Data. Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. ELO must agree that Facebook Ireland is the main establishment in the EU for processing Insights Data for all data controllers and acknowledges that the lead supervisory authority for this processing is the Irish Data Protection Commission.
Furthermore, Facebook Ireland remains solely responsible for processing personal data in connection with Page Insights other than that covered by the scope of this Page Insights Addendum. This Page Insights Addendum does not grant ELO any right to request the disclosure of personal data of Facebook users that is processed in connection with Facebook Products, including for Page Insights that are provided to ELO.

e) Contract
If ELO is contacted by data subjects or a supervisory authority under the GDPR with regard to processing Insights Data and the obligations assumed by Facebook Ireland under this Page Insights Addendum (“Requests”), ELO is required to forward all relevant information to Facebook Ireland. Facebook Ireland will answer Requests in accordance with its obligations. ELO is not authorized to act or answer on Facebook Ireland’s behalf.
Any claim, cause of action or dispute ELO has against Facebook Ireland that arises out of or relates to this Page Insights Addendum must be resolved exclusively in the courts of Ireland. This Page Insights Addendum, which was drawn up by Facebook Ireland, is also governed by Irish law.

f) Changes and validity of the version
Facebook Ireland may need to update the Page Insights Addendum from time to time. ELO has no influence on this and is accordingly required to comply with updates to the Page Insights Addendum.
If ELO finds any part of this Page Insights Addendum to be unenforceable, the remaining part will remain in full force and effect. If Facebook Ireland fails to enforce any part of this Page Insights Addendum, it will not be considered a waiver. Any amendment to the Page Insights Addendum or waiver must be submitted in writing by ELO and will not be effective until signed by Facebook Ireland in accordance with its Terms.

16. Rights of data subjects

Provided your personal data is processed, you are considered the data subject as per GDPR and are entitled to the rights listed below with regard to the controller.

Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data relating to you is being processed. Should this be the case, you can request the following information:
(1) The purposes for which the personal data is processed;
(2) The categories of the personal data processed;
(3) The recipients/categories of recipients receiving the personal data related to you;
(4) The planned duration of the retention of the personal data relating to you or, if it is not possible to provide specific information in this regard, criteria for determining the retention period;
(5) Existence of a right to rectification or erasure of the personal data related to you, a right to restrict processing by the controller, or a right to object to this processing;
(6) The existence of a right to appeal to the authorities;
(7) All available information on the origin of the data if the personal data is not collected from the associated individual;
(8) The existence of automated decision-making, including profiling, as per Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved as well as the reach and intended effects of such processing for the data subject.

You have the right to be informed of whether the personal data related to you is transmitted to a third country or an international organization. In this context, you can request to be informed of appropriate safeguards as per Art. 46 GDPR in conjunction with the transmission of your data.

Right to rectification
You have the right to rectification and/or completion provided the processed personal data related to you is incorrect or incomplete. The controller must promptly rectify the issue.

Right to restrict processing
You can exercise your right to restrict processing of the personal data related to you provided the following conditions are met:
(1) If you dispute the accuracy of the personal data related to you for a period that enables the controller to verify the accuracy of the data;
(2) Processing is wrongful and you reject the deletion of your personal data, instead exercising your right to restrict the use of your personal data;
(3) The controller no longer requires the personal data for processing, but you need it to assert, exercise, or defend legal claims.
(4) If you have exercised your right to object to processing as per Art. 21 Sec. 1 GDPR and it has not been determined whether the legitimate interest of the controller outweighs your interest.

Where the processing of personal data related to you has been restricted, this data may only be processed (besides storage) with your express consent or to assert, exercise, or defend legal claims, or to protect the rights of other natural or legal persons, or for reasons of an important public interest of the European Union or a member state.

If restriction of processing was lifted based on the requirements above, you will be notified by the controller before this restriction is lifted.

Right to erasure

a) Obligation of erasure
You have the right to obtain from the controller the erasure of any personal data related to you and the controller is under the obligation to erase this data without undue delay provided one of the following grounds applies:
(1) The personal data related to you is no longer needed for the purpose for which it was collected or processed in any other way.
(2) You withdraw your consent for processing based on Art. 6 Sec. 1 a or Art. 9 Sec. 2 a GDPR and there is no other legal basis for processing.
(3) As per Art. 21 Sec. 1 GDPR, you object to processing and there are no overriding legitimate grounds for processing; or, you object to processing as per Art. 21 Sec. 2 GDPR.
(4) The personal data related to you was processed unlawfully.
(5) Deletion of the personal data related to you is required to fulfil an obligation by EU law or law of member states to which the controller is subject.
(6) The personal data related to you was collected as per Art. 8 Sec. 1 GDPR with regard to the services offered by the information company.

b) Information to third parties
If the controller has published your personal data and is obligated to delete this data as per Art. 17 para. 1 GDPR, the controller shall take suitable measures taking into account the available technology and implementation costs, including those of a technical nature, to inform the party responsible for processing the personal data that you as data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c) Exceptions
The right to erasure does not apply if processing is required
(1) to exercise the right to free expression of opinion and information;
(2) to meet a legal obligation requiring processing in accordance with the law of the European Union or a member state to which the controller is subject, or to carry out a duty in the public interest or in exercising official authority assigned to the controller;
(3) for reasons of public interest in the area of public health as per Art. 9 Sec. 2 h as well as Art. 9 Sec. 3 GDPR;
(4) for archiving purposes in the public interest, economic or historical research purposes, or for statistical purposes as per Art. 89 Sec. 1 GDPR provided that the right named in a) is not expected to render attainment of the objectives of this agreement impossible or have a serious negative effect, or
(5) to assert, exercise, or defend legal claims.

Right to be informed
If you have exercised your right to rectification, erasure, or to restrict processing vis-à-vis the controller, the controller is obligated to notify all recipients to which your personal data was disclosed of rectification or deletion of the data, or restriction to its processing, unless this proves to be impossible or requires a disproportional amount of effort. You have the right to be informed of these recipients by the controller.

Right to data portability
You have the right to receive the personal data related to you that you have provided to the controller in a structured, commonly used, machine-readable format. In addition, you have the right to pass on this data to another controller without interference of the controller to which you have provided the personal data, provided
(1) processing is based on consent as per Art. 6 Sec. 1 a GDPR or Art. 9 Sec. 2 a GDPR, or on a contract as per Art. 6 Sec. 1 b GDPR and
(2) processing is carried out by automated processes.

In exercising this right, you also have the right to demand your personal data be transferred directly from one controller to another controller, provided this is technically feasible. This must not negatively affect the freedoms and rights of other individuals.

The right to data portability does not apply to processing of personal data required or to carry out a duty in the public interest or in exercising official authority assigned to the controller.

Right to object
You have the right to object to the processing of your personal data based on Art. 6 Sec. 1 e or f GDPR for reasons resulting from your particular situation at any time; this also applies to profiling based on these provisions.

The controller no longer processes your personal data unless the controller can provide compelling legitimate reasons that outweigh your interests, rights, and freedoms, or processing serves to assert, exercise, or defend legal claims.

If the personal data related to you is processed to carry out direct advertising, you have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling provided directly related to such direct advertising.

If you object to processing for purposes of direct advertising, your personal data will no longer be processed for this purpose.

You have the option to exercise your right to object by means of an automated process which uses technical specifications in connection with the use of services provided by the information society, directive 2002/58/EC notwithstanding.

Right to withdraw consent to use of data
You have the right to withdraw your consent to the use of your data at any time. Withdrawing your consent does not affect the lawfulness of the processing taking place based on your consent up to withdrawal.

Automated decision including profiling in individual cases
You have the right to not be subjected to a decision based solely on automated processing, including profiling, that has a legal effect on you or affects you significantly in a similar manner. This does not apply if the decision
(1) is required to conclude or fulfil a contract between you and the controller,
(2) is permissible based on provisions of the European Union or a member state to which the controller is subject and these provisions contain suitable measures to protect your rights and freedoms as well as your legitimate interests, or
(3) is carried out with your express permission.

However, these decisions shall not be based on special categories of personal data as per Art. 9 Sec. 1 GDPR provided Art. 9 Sec. 2 a GDPR applies and suitable measures have been taken to protect your rights and freedoms as well as your legitimate interests.

With regard to the cases named in (1) and (3), the controller shall take appropriate measures to ensure your rights and freedoms as well as your legitimate interests, including at least the right to request an individual on the side of the controller to intervene, to present your own position, and to contest the decision.

Right to appeal to the authorities
Notwithstanding any other administrative or judicial decision, you have the right to appeal to the authorities, especially in the member state where you are located, of your workplace, or of the location of the alleged violation if you believe that the processing of your personal data is in violation of GDPR.

The authority receiving the appeal shall inform the appealing party of the status and result of the appeal, including the option for a legal decision as per Art. 78 GDPR.

We reserve the right to change the policy at any time subject to data privacy regulations.

Contact

If you have any questions, requests, or complaints related to data privacy, please contact us at the address named in item 2.


Version: September 2019

Further information: