Data protection


I.    Preamble

cadooz GmbH, Osterbekstraße 90b, 22083 Hamburg, Germany, for short: cadooz (hereinafter also we/us) is responsible for cadooz’s online services.
In the following we would like to inform you in detail about how we protect your privacy and how your personal data is processed in the context of our websites and/or online services. Personal data is deleted as soon as possible and is never used or passed on for advertising purposes without your consent.
If the following information is insufficient or not comprehensible for you, please do not hesitate to contact our data protection officer using the details provided in section II.


II.    Responsible body / data protection officer / supervisory authority

Responsible body

cadooz GmbH
Osterbekstraße 90b
22083 Hamburg
Germany

Tel.: 040/271482-0
Fax: 040/271482-44
http://www.cadooz.com  

Data protection officer
Data protection officer
Osterbekstraße 90b
22083 Hamburg
Germany

Tel.: 040/271482-203
Email: datenschutz@cadooz.de

Competent supervisory authority
Hamburg Commissioner for Data Protection and Freedom of Information
Klosterwall 6
20095 Hamburg
Germany

 

III.    General principles / information

1.    Definitions

The definitions are based on Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation” or “GDPR”). The definitions set out in Articles 4 and 9 GDPR apply in particular. We have provided the relevant definitions for your information in section X below.

2.    Scope of processing of personal data
We collect and use the personal data of our users only to the extent that this is required to render and provide our services and to provide our websites or online services (including mobile apps).
As a rule, personal data is collected and used for other purposes only
(i)    with the user’s consent,
(ii)    if the processing is for purposes of performance of a contract, or
(iii)    if it serves to safeguard legitimate interests, unless they are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data.
An exception applies in those cases where it is not possible to obtain consent in advance for practical reasons or the processing of data is permitted in accordance with statutory provisions.

3.    Legal basis
Insofar as personal data is processed based on the data subject’s consent, Article 6(1)(a) GDPR is the legal basis for the processing.
In the processing of personal data to perform a contract to which the data subject is a party, the legal basis is Article 6(1)(b) GDPR; this also applies to processing required to implement pre-contractual measures.
If personal data is processed to comply with a legal obligation to which we are subject, the legal basis is Article 6(1)(c). If the data subject's or another natural person's vital interests necessitate the processing of personal data, the legal basis is Article 6(1)(d) GDPR.
If processing is necessary to safeguard our company's or a third party's legitimate interest and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, the legal basis is Article 6(1)(f) GDPR.

4.    Obtaining consent / right of withdrawal
Consent in accordance with Article 6(1)(a) GDPR is always voluntary and is usually obtained electronically. Users consent by checking the relevant field for purposes of documenting the granting of consent. Where consent is granted electronically, the double opt-in process is used (e.g. when registering for newsletters) for purposes of identifying the user. The content of the declaration of consent is recorded electronically.
Right of withdrawal: Please note that, once granted, consent can be withdrawn, in part or in whole, at any time with future effect. This does not affect the lawfulness of the processing carried out on the basis of the consent before this is withdrawn. Please use the contact details provided in section II (responsible body or data protection officer) to withdraw your consent.

5.    Recipients of personal data
We sometimes use third-party service providers to provide our websites and/or online services. These third parties act on our behalf and as instructed in the provision of services (processors). These service providers may receive personal data in the context of their service provision or come across personal data and constitute third parties or recipients as defined by the GDPR.
In such a case, we shall ensure that our service providers offer sufficient assurance that suitable technical and organizational measures are in place and processing is effected such that it complies with the requirements of the GDPR and guarantees protection of the data subject’s rights (cf. Article 28 GDPR).
Insofar as personal data is transmitted to third parties and/or recipients beyond the scope of processing, we shall ensure that this happens exclusively in compliance with the requirements of the GDPR and only if there is a relevant legal basis (e.g. Article 6(4) GDPR, see also section III.3).

6.    Data processing in third countries
Your personal data is generally processed within the EU or the European Economic Area (“EEA”).
Only in exceptional cases (e.g. in connection with the engagement of service providers to render web analysis services) might information be transmitted to third countries. Third countries are countries outside the European Union and/or the Agreement on the European Economic Area where it cannot readily be assumed that an adequate level of data protection is guaranteed in accordance with the EU standard.
Insofar as the transmitted information also includes personal data, we shall ensure before such transmission that an adequate level of data protection is guaranteed in the relevant third country or at the relevant recipient in the third country, that you have consented to this, or that such transmission is permitted for another reason (e.g. Article 49 GDPR). An adequate level of data protection may result from an ‘adequacy decision’ made by the European Commission or be ensured by the use of ‘standard EU contractual clauses’. In the case of recipients in the US, compliance with the principles of the EU-US Privacy Shield may also guarantee an adequate level of data protection. We are happy to provide further information on suitable and adequate assurances of compliance with an adequate level of data protection on request; contact details can be found at the start of this Data Protection Statement. Information on the participants in the EU-US Privacy Shield can also be found at www.privacyshield.gov/list.

7.    Data deletion and storage period
The data subject's personal data is deleted or blocked once the purpose of processing no longer applies. Once the processing purpose no longer applies, the data may only be stored if the European or national legislator provides for this in Union regulations, laws or other provisions to which our company is subject (e.g. to fulfill statutory retention obligations and/or if there are legitimate interests in storage, for example during limitation periods for purposes of defending any claims). Data is also blocked or deleted if a storage period prescribed by the standards mentioned expires, unless it is necessary to continue to store the data for conclusion of a contract or for other purposes.

8.    Rights of the data subject
The GDPR grants certain rights to the data subject whose personal data is being processed (rights of the data subject, in particular Articles 12 to 22 GDPR). The individual rights of the data subject are discussed in more detail in section X. If you would like to make use of one or more of these rights, you can contact us at any time. To do so, please use the contact details provided in section II.

 

IV.    Registration / creating a user account

Registration and the creation of a personal user account are required for certain services provided via our websites and online services. We collect and store the following personal data (“mandatory information”) during registration and creation of a user account. The data is not passed on to third parties:
•    User name
•    Password
•    User’s business email address
•    First name, last name, title
•    Company (where relevant)
•    Address
•    Country, state and town/city of the company

The (i) user’s IP address and (ii) the date and time of registration are also stored at the time of registration.
Additional information may also be provided voluntarily, including telephone number, fax number, cellphone number or information on the company, e.g. personnel number. Mandatory information that is required for registration is marked as mandatory on the input screen by an asterisk. It is not possible to register if the mandatory fields are not filled out truthfully and in full. The registration process is complete when you confirm your registration by clicking on the link in the email we send to you after the mandatory fields have been filled out. Information provided voluntarily may be used to improve our services.

1.    Purpose and legal basis
User registration takes place for purposes of restricting and/or controlling access to certain content and services that we provide exclusively to registered users on our websites and/or online services. Such registration can also take place for purposes of providing certain content and services for registered users in the context of contract performance and/or to implement pre-contractual measures.
The legal basis for processing data for purposes of registration is Article 6(1)(a) GDPR if the user grants consent. If the registration is for purposes of performing a contract to which the user is a party or implementing pre-contractual measures, the legal basis for the processing is Article 6(1)(b) GDPR. Insofar as the registration is for purposes of restricting and/or controlling access, the safeguarding of legitimate interests forms the legal basis, Article 6(1)(f) GDPR. The legitimate interest here is in restricting access to protect the content and information we develop.

2.    Data deletion and storage period
If a user registers in connection with the performance of a contract or the implementation of pre-contractual measures (Article 6(1)(b) GDPR), the registration data will be stored for the duration of the relevant contractual relationship and will be deleted or blocked after expiry of the contractual term or notice period in consideration of section III.7.
If a user registers and this is not in connection with the performance of a contract or the implementation of pre-contractual measures, the registration data will be deleted in consideration of section III.7 when the registration on our website is canceled, amended or deleted by the user.

3.    Opportunity to object and delete
As a user, you are able to cancel or delete your registration at any time. You can amend the data stored about you at any time. You can amend and/or delete your registration/user account, including the data provided by you, on our websites and/or online services using the corresponding tab that is available after logging in. If the data is (still) required to perform a contract or to implement pre-contractual measures, the data may only be deleted prematurely if contractual or statutory obligations do not preclude the deletion.

 

V.    Data processing to provide the website / collection of log files

Every time our website is accessed, our system automatically records data and information from the requesting computer's system. The following data is collected (hereinafter “log data”):
•    Information on the browser type and the version used
•    The user's operating system
•    The user’s internet service provider
•    The user’s IP address
•    Date and time of access
•    Websites from which the user’s system reaches our website
•    Websites that the user’s system accesses via our website
The specified log data – apart from the IP address – does not allow for personal reference to be made to the user; a link can only be made to a person if the log data is assigned or linked to an IP address.

1.    Purpose and legal basis
Log data, especially the IP address, is collected and processed for purposes of providing the content on our website to the user, i.e. for purposes of communication between the user and our website or online service. The IP address has to be stored temporarily for the duration of the relevant communication process. It is required to address the communication traffic between the user and our website and/or online service and to make use of our website and/or online service. The legal basis for this data processing – i.e. for the length of your website visit – is Article 6(1)(b) GDPR, Section 96 of the German Telecommunications Act (TKG) and Section 15(1) of the German Telemedia Act (TMG).
The IP address is processed and stored in log files beyond the communication process for purposes of ensuring the functionality of our websites and online services, for purposes of improving these services and to ensure the security of our IT systems. The legal basis for storage of the IP address beyond the communication process for these purposes is Article 6(1)(f) GDPR (safeguarding legitimate interests) and Section 109 TKG.

2.    Data deletion and storage period
Data is deleted once it is no longer required to achieve the purpose of its collection. Where data is recorded in order to provide the website, this is the case when the relevant session – the website visit – ends. Log data, including the IP address, can only be stored beyond this for purposes of system security for a period of no more than seven days from the end of the user's website visit. Any further processing and/or storage of log data is possible and permitted if the users’ IP addresses have been deleted after expiry of the aforementioned storage period of seven days or have been distorted such that the log data can no longer be assigned to an IP address.

3.    Opportunity to object and delete
The recording of log data to provide the website, including storage in log files for the aforementioned periods, is required to operate the website. The user therefore does not have the option to object. The user can opt out of log data processing for analytical purposes; this is governed by section VII, depending on the web analysis tool used and the type of data analysis (personal, anonymous, pseudonymous).

 

VI.    Use of cookies

Our website uses cookies. Cookies are text files that are stored on the internet browser or on the user’s computer system by the internet browser. Cookies do not contain any programs and do not place any malicious code on your computer. If a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a string that allows the browser to be identified clearly when the website is accessed again. Depending on the type of cookie and the possibility of assigning a cookie to an IP address, however, it is generally possible to establish a link to the user. We do not assign cookies to IP addresses and IP addresses are anonymized immediately in order to exclude such assignment (see section VII for details). For cookies that allow a link to be made to a person, we obtain your consent to such use by means of a cookie banner (see section VI.3 below).
We distinguish between (i) technically necessary cookies, (ii) analysis cookies and (iii) third-party cookies:

(i) We use technically necessary cookies to make our website and/or online service more user-friendly. The following data is stored in technically necessary cookies and transmitted to our systems:
•    Language settings
•    Information on the terminal/computer used and its settings
•    Items in a shopping cart
•    Log-in information

(ii) We use analysis cookies (also known as session cookies) to analyze users’ surfing habits on our websites and/or online services for advertising or market research purposes or to tailor our services to users’ needs. The following data is collected using analysis cookies and transmitted to our systems:
•    Search terms entered
•    Frequency of site visits
•    Use of website functions
Technical measures are taken to pseudonymize the data collected on users in this way. Data can no longer be assigned to the accessing user after this.

(iii) Third-party cookies are cookies that are not provided by our web servers, but by third-party providers. This includes the embedding of the ‘Like’ button, for example. When this button is clicked, Facebook will store its own cookie on the user's browser. We can never look for and/or evaluate third-party cookies.
The third-party providers alone are responsible for the use of such cookies; we have no opportunity to influence their use and processing. You can prevent the placement of third-party cookies by taking the measure described in section VI.3 and section VII.

1.    Purpose and legal basis
The purpose of using technically necessary cookies is to make it easier for users to use websites. Some functions on our website cannot be offered if cookies are not used. For these, it must be possible to recognize the browser even after the user has moved to a different page. We require technically necessary cookies for the following applications:
•    Shopping cart
•    Adoption of language settings
•    Remembering search terms
The user data collected by technically necessary cookies is not used to create user profiles. The legal basis for using technically necessary cookies is Article 6(1)(b) GDPR, insofar as it is possible to establish a link to the user and the use is necessary for purposes of providing our websites and/or online services in connection with the performance of a contract; Article 6(1)(f) is otherwise the legal basis as the cookies are also used to safeguard legitimate interests for purposes of providing websites and/or online services.
Analysis cookies are used in order to improve the quality of our website and its content. Analysis cookies show us how the website is used and we can therefore continuously improve our offering (see above). The legal basis for processing personal data while using analysis cookies is Article 6(1)(a) GDPR if the user has granted consent, insofar as it is possible to establish a link to the user. If analysis cookies are used for pseudonymous evaluations, the legal basis is Article 6(1)(f) GDPR (safeguarding legitimate interests) and Section 15(3) TMG.

2.    Data deletion and storage period
Cookies are deposited on the user's terminal (smart device/computer) and transmitted from there to our websites. A distinction is made between permanent cookies and session cookies. Session cookies are stored for the length of the browser session and are deleted when the browser is closed. Permanent cookies are not deleted when the browser session is closed, but are stored on the user’s terminal for a longer period.

3.    Opportunity to object and delete
When our website is accessed, an information banner informs users about the use of cookies and makes reference to this Data Protection Statement. The user’s consent to the processing of the personal data used in this context is also obtained via the banner.
As a user, you have full control over the use and storage of cookies. You can usually deactivate or restrict the transfer of cookies by amending the settings in your internet browser. You can delete stored cookies at any time. This can also be done automatically. If cookies are deactivated for our website, users may not be able to use all of the website’s functions in full. Further information on the use of cookies can be found at www.meine-cookies.org or youronlinechoices.com.
You can object to the use of cookies to create pseudonymous user profiles (see analysis cookies above) at any time with future effect. You can exercise your right to object using the information banner or your browser's relevant settings.

 

VII.    Web analysis

We use tools for web analysis in order to improve our websites and to adapt them to our users’ changing habits and technical requirements. Here we gauge, for example, which elements users visit, whether the information sought is easy to find, etc. This information can only be interpreted and is only meaningful when a larger group of users is looked at. The collected data is aggregated for this purpose, i.e. grouped into larger units.
We can therefore adapt the design of pages or improve content if we ascertain, for example, that a relevant proportion of visitors is using new technologies or does not find available information, or only does so with difficulty.
We perform the following analyses and use the following web analysis tools on our websites and online services.

1.    Analysis of log data
Log data is only used for analysis purposes on an anonymous basis. In particular, there is no link to the user’s personal data and/or an IP address or cookie. Such analysis of log data is therefore not subject to the data protection provisions of the GDPR.

2.    Google Analytics
We use Google Analytics, a web analysis service provided by Google (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”), to analyze website usage. Google Analytics uses cookies that allow our customers’ use of the website to be analyzed on a pseudonymous and/or anonymous basis.
The information generated by the cookie about your use of this website is transmitted to and stored on a Google server in the US. If IP anonymization is activated on this website, Google will nevertheless abbreviate your IP address before transmission within the Member States of the European Union and in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the entire IP address transmitted to a Google server in the US and abbreviated there. On our instruction, Google will use this information to analyze your use of the website, to compile reports on website activities, and to perform for the website operator other services associated with website use and internet use. The IP address transmitted from your browser for purposes of Google Analytics is not combined with other data held by Google.
You can prevent the storage of cookies using the corresponding setting on your browser software. We would also point out, however, that in this case you may not be able to completely utilize all functions of our website.
If you do not want your information to be analyzed by Google Analytics, you have the following options:
•    You may also prevent Google from collecting and processing the data generated by the Google Analytics cookie and relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout.
We use Google Analytics to analyze data from AdWords and the DoubleClick cookie for statistical purposes. If desired, you can deactivate this using Ads Preferences Manager (http://www.google.com/settings/ads/onweb/?hl=de).

3.    Matomo (PIWIK)
We also use the web analysis tool Matomo (formerly PIWIK) to analyze use of our website. With Matomo, the usage information generated by the cookie is transferred to our server in Europe and stored for usage analysis purposes. The information generated by the cookie about your use of our website is not passed on to third parties.
If you do not want cookies to be used and/or information to be analyzed by Matomo, you have the following options:
•    You can also prevent the storage of cookies used to create profiles via the relevant setting on your browser software (see section VI.3 above).

4.    Omniture (Adobe Analytics)
We create pseudonymous user profiles using Adobe Analytics (Omniture) to tailor our website to users’ needs. Adobe Analytics (Omniture) uses cookies, which are text files placed on your computer which enable us to analyze how you use the website (see section Use of cookies above). The information generated by the cookie about your use of this website is usually transmitted to and stored on an Adobe server in the US. As we have activated IP anonymization on this website, our server setting ensures that the IP address is anonymized prior to geolocation; the last octet of the IP address is replaced by zeros. The IP address is replaced by individual, generic IP addresses before the information generated by the cookie is stored. Adobe will use this information to analyze your use of the website for us, to compile reports on website activities, and to perform for us other services associated with website use and internet use.
You can object to the creation of pseudonymous user profiles at any time. There are several ways to do this:
•    You can also prevent the storage of cookies used to create profiles via the relevant setting on your browser software (see section VI.3 above).

 

VIII.    Newsletter

We also allow users to register for our newsletter on our websites and online services.

1.    Newsletter registration
If you would like to receive the newsletter we offer, we need a valid email address from you. To check whether you own the email address provided, or whether the owner of the email address agrees to receive the newsletter, we send an automated email to the email address provided after the first registration step (double opt-in). We only include the email address provided in our list of recipients once the owner of the email address confirms the newsletter registration by clicking on a link in the confirmation email. We do not collect any data beyond the email address and the information for confirming the registration.
Your data is processed exclusively for purposes of sending the newsletter you requested. The legal basis for this processing is Article 6(1)(b) GDPR. You can unsubscribe from the newsletter at any time. The remarks on the right to withdraw consent in section III.4 also apply.

2.    Use of personal data for advertising and marketing / customer surveys
Your personal data is used for advertising and/or marketing purposes and to conduct customer satisfaction surveys only if the user consents to this or there is a different legal basis that permits advertising and/or marketing in the absence of consent.
The legal basis for advertising and/or marketing measures based on express consent is Article 6(1)(a) GDPR; the remarks on consent in section III apply accordingly. The legal basis for advertising and/or marketing measures by email for purposes of directly advertising similar own goods or services is Section 7(3) of the German Unfair Competition Act (UWG); this presupposes that (i) we have received your email address in connection with the sale of a good or service, (ii) you have not objected to the use of your email address for purposes of direct advertising and (iii) we clearly highlight on collection of your email address and on each use thereof that you can object to such use of your email address at any time (on the right to object, see section X.6).

3.    Google remarketing
We use the remarketing technology offered by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). This technology is used to reach users again who have visited our websites and/or our online services and shown interest in our offering by means of targeted advertising on Google Partner network pages. Advertising is inserted on the website based on the use of cookies. Cookies can be used to analyze user behavior on visiting the website as well as subsequently for targeted product recommendations and interest-based advertising.
If you do not want to receive interest-based advertising, you can deactivate Google’s use of cookies for this purpose on the website www.google.de/settings/ads/onweb. Alternatively, users can deactivate the use of cookies by third-party providers on the Network Advertising Initiative’s opt-out page www.networkadvertising.org/managing/opt_out.asp
By using our services, you agree to the processing of data collected about you by Google as described here and for the previously described purpose. We emphasize that Google has its own data protection guidelines that are independent of ours. We do not accept any responsibility or liability for these guidelines and procedures.

 

IX.    Fraud prevention

To prevent fraud, our website utilizes the services of Risk.Ident GmbH, Am Sandtorkai 50, 20457 Hamburg, Germany. 

Risk.Ident uses cookies and other tracking technologies to collect and process data for determining the user’s device, as well as additional data regarding the use of the website. This data is not traced back to individual users. All IP addresses Risk.Ident records are encrypted immediately. 

Risk.Ident stores this information in a fraud-prevention database. This database also contains the information we have collected and provided to Risk.Ident on devices used for (attempted) fraud. This data as well is not traced back to individual users.

When an order is placed on our website, we run a risk analysis from the Risk.Ident database on the user’s device. This risk analysis on the probability of a fraud attempt considers factors including whether the device has established a connection via multiple service providers, whether the device’s georeference changes frequently, how many transactions have been made on the device, and whether a proxy server is being used.

The legal basis for this processing is Article 6(1)(f) GDPR.

 

X.    Contact form and email contact

There is a contact form on our website that the user can use to contact us electronically. If the user makes use of this option, the data entered on the input screen is transmitted to us and stored. This data includes:
•    Company name*
•    First name*
•    Last name*
•    Type of query
•    Order or serial number   
•    Telephone number
•    Email*
•    Field for messages*
•    ZIP code*
•    Country
*Mandatory information required for purposes of making contact is marked as mandatory (also on the input screen) by an asterisk.

The following data is also processed and stored when the message is sent:
•    The user’s IP address
•    Date and time of transmission
Users can also contact us using the email address provided on our website. Users’ personal data transmitted with the email is stored in such cases. Under no circumstances is the data passed on to third parties, unless we have to refer to third parties in order to process the query.

1.    Purpose and legal basis
The data is processed exclusively for purposes of processing the query or the user’s request. The other data collected in the transmission process serves to prevent abuse of the contact form and to guarantee the security of our IT systems.
Insofar as data is processed for purposes of fulfilling a customer order or query, the legal basis for data processing is Article 6(1)(b) GDPR regardless of whether contact is made via the contact form or by email. If the user grants consent, the legal basis for processing is Article 6(1)(a) GDPR. The legal basis for collecting additional data in the transmission process is Article 6(1)(f) GDPR; the legitimate interests here lie in the prevention of abuse and guarantee of system security (cf. section V.1).

2.    Data deletion and storage period
In general, data is deleted once it is no longer required to achieve the purpose of its collection. For personal data from the contact form input screen and data sent by email, this is the case when the communication with the user has ended and/or the user's query has been conclusively resolved. The communication has ended, and the query has been conclusively resolved, when it is evident from the circumstances that the relevant matter has definitively been dealt with. If it is necessary to continue to store the data for the reasons specified in section III.5, the data will be stored and blocked rather than being deleted.
The personal data additionally collected in the transmission process is deleted after no more than seven days.

3.    Opportunity to object and delete
Users are free at all times to stop communicating with us and/or to withdraw their query and object to the corresponding use of their data. Communication cannot be continued in such cases. All personal data that was stored in the course of contact is deleted in such cases, without prejudice to further storage of the data for the reasons outlined in section III.7.

 

XI.    Definitions

The definitions are based on Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation” or “GDPR”). The definitions set out in Articles 4 and 9 GDPR apply in particular. The following terms defined in Article 4 GDPR in particular may be of relevance in the context of this Data Protection Statement:
1.    ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.    ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3.    ‘Restriction of processing’ means the marking of stored personal data with the aim of limiting its processing in the future;
4.    ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
5.    ‘Pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
6.    ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
7.    ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
8.    ‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
9.    ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
10.    ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

XII.    Rights of the data subject

We have explained the process of revoking your consent, which you are free to do at any time, in section III.4. Provided the legal requirements are met, you are granted the following data subject rights. You can assert them via the communication channels listed in section II.

1.    Right of access (Article 15 GDPR)
You have the right to obtain information on whether we process personal data concerning you or not. If our company processes your personal data, you have a right to be informed about
•    the purposes of processing;
•    the categories of personal data (type of data) being processed;
•    the recipients or categories of recipients to which your data has been or is to be disclosed; this applies in particular if data has been or is to be disclosed to recipients in third countries where the GDPR does not apply;
•    the planned storage period, where possible; if it is not possible to indicate this, the criteria for determining the storage period (e.g. statutory retention periods) must be disclosed;
•    your right to rectification and erasure of the data concerning you, including the right to restriction of processing and/or the opportunity to object (in this respect, see also the following sections);
•    the existence of the right to lodge a complaint with a supervisory authority;
•    the origin of the data if the personal data was not collected directly from you.
You also have the right to be informed whether your personal data is subject to automated decisions within the meaning of Article 22 GDPR and, if this is the case, which decision-making criteria underlie such an automated decision (logic) and how the automated decision may affect you.
If personal data is transmitted to a third country where the GDPR does not apply, you have a right to be informed whether an adequate level of protection as defined by Articles 45, 46 GDPR is guaranteed at the data recipient in the third country and, if so, which guarantees this is based on.
You have the right to request a copy of your personal data. We usually provide copies of data in electronic form, unless you have specified otherwise. The first copy is free of charge and a reasonable fee can be charged for further copies. The data is provided without prejudice to the rights and freedoms of other persons who may be affected by the transmission of the data copy.

2.    Right to rectification (Article 16 GDPR)
You have the right to demand that we rectify your data if it is incorrect, inaccurate and/or incomplete. The right to rectification includes the right to completion by means of supplementary statements. Any rectification and/or supplementation must be effected immediately, i.e. without undue delay.

3.    Right to erasure (Article 17 GDPR)
You have the right to demand that we delete your personal data, insofar as
•    the personal data is no longer required for the purposes for which it was collected and processed;
•    the data is processed based on your granted consent and you have withdrawn this consent, provided there is no other legal basis for the processing;
•    you have objected to data processing in accordance with Article 21 GDPR and there are no overriding legitimate grounds for further processing;
•    you have objected to data processing for purposes of direct advertising in accordance with Article 21(2) GDPR;
•    your personal data has been processed unlawfully;
•    the data relates to a child and was collected in relation to information society services in accordance with Article 8(1) GDPR.
There is no right to the deletion of personal data insofar as
•    the right to freedom of expression and information precludes the deletion request;
•    the processing of personal data is required (i) to fulfill a legal obligation (e.g. statutory retention periods), (ii) to exercise public functions and interests under Union and/or Member State law (this also includes interests in the field of public health) or (iii) for archiving and/or research purposes;
•    the personal data is required to assert, exercise or defend legal claims.
The deletion must be carried out immediately, i.e. without undue delay. If we publish personal data (e.g. online), we must ensure, insofar as technically possible and reasonable, that third-party processors are also informed about the deletion request, including the deletion of links, copies and/or reproductions.

4.    Right to restriction of processing (Article 18 GDPR)
You are entitled to have the processing of your personal data restricted in the following cases:
•    If you have disputed the accuracy of your personal data, you may demand that we do not use your data for other purposes while its accuracy is being verified and restrict it in this respect;
•    If data has been processed unlawfully, in the place of data deletion pursuant to Article 17(1)(d) GDPR, you may demand that the use of such data be restricted in accordance with Article 18 GDPR;
•    If you need your personal data to assert, exercise or defend legal claims, but your personal data is otherwise not required, you may demand that we restrict processing to the aforementioned legal purposes;
•    If you have objected to data processing pursuant to Article 21(1) GDPR and it is not yet clear whether our interests in processing override your interests, you may demand that, while this is being reviewed, your data not be used for other purposes and that it be restricted in this respect.
Where the processing of personal data has been restricted at your request, this personal data may – without prejudice to storage – only be processed (i) with your consent, (ii) to assert, exercise or defend legal claims, (iii) to protect the rights of other natural or legal persons or (iv) for reasons of substantial public interest. If a processing restriction is lifted, we shall inform you of this in advance.

5.    Right to data portability (Article 20 GDPR)
Subject to the following regulations, you have the right to demand that the data regarding you be surrendered in a common electronic, machine-readable data format. The right to data portability includes the right to transmit data to another controller. On request, we will, insofar as technically possible, therefore transmit data directly to a controller (to be) designated by you. The right to data portability only applies to data provided by you and presumes that the processing is carried out in automated processes based on granted consent or to perform a contract. The right to data portability set out in Article 20 GDPR does not affect the right to erasure pursuant to Article 17 GDPR. The data is transferred without prejudice to the rights and freedoms of other persons whose rights may be affected by the data transfer.

6.    Right to object (Article 21 GDPR)
If personal data is processed to perform tasks carried out in the public interest (Article 6(1)(e) GDPR) or to exercise legitimate interests (Article 6(1)(f) GDPR), you can object to the processing of your personal data at any time with effect for the future. If you object, we must refrain from all further processing of your data for the aforementioned purposes unless
•    there are compelling, legitimate grounds for the processing which override your interests, rights and freedoms, or
•    the processing is required to assert, exercise or defend legal claims.
You may object to the use of your data for purposes of direct advertising at any time with effect for the future; this also applies to profiling insofar as it is associated with direct advertising. If you object, we must refrain from all further processing of your data for purposes of direct advertising.

7.    Legal remedies / right to lodge a complaint with a supervisory authority
If you wish to lodge a complaint, you can contact the competent Union or Member State supervisory authority at any time. The supervisory authority responsible for our company is specified in section II.