Data Protection Policy

We, Annerton Rechtsanwaltsgesellschaft mbH (hereinafter referred to as “Annerton” or alternatively, “us/we”) thank you for visiting our website www.paytechlaw.com (hereinafter referred to as “website”). We are responsible for the content on this website. To find out who is responsible for the website under press law, please see the imprint.

For other websites operated by us, e.g. www.annerton.com, other data protection regulations apply. Please inform yourself there.

The following information is intended to inform you (hereinafter also referred to as “user” or alternatively “you”) about how we have implemented the requirements of the EU General Data Protection Regulation (hereinafter referred to as “GDPR”) on our website, how we protect your privacy and how personal data is processed in the context of using our website.

The GDPR provides persons affected by the processing of personal data with certain rights. You can find further information on this here, along with an explanation of the main technical terms used in this data protection policy.

If you feel the information provided below is insufficient or difficult to understand, please do not hesitate to contact us or our data protection officer. The relevant contact details can be found in section 1.

1. Who is responsible for data processing and whom can I contact?

The responsible body is:

Annerton Rechtsanwaltsgesellschaft mbH
Munich office

Wagmüllerstraße 23
DE – 80538 München

Tel.  +49 (0)89 306683-0
Fax  +49 (0)89 306683-212
www.annerton.com
hello@annerton.com

“PayTechLaw” is the name identification used by Annerton Rechtsanwaltsgesellschaft mbH for the blog published under www.paytechlaw.com.

If you have any questions regarding the data protection policy, please contact our data protection officer:

Annerton Rechtsanwaltsgesellschaft mbH
Munich office

Wagmüllerstraße 23
DE – 80538 München

Tel.  +49 (0)89 306683-0
Fax  +49 (0)89 306683-212
datenschutz@annerton.com

The competent supervisory authority for Annerton Rechtsanwaltsgesellschaft mbH (Munich office) is:

Bayerisches Landesamt für Datenschutzaufsicht
Postfach 606
91511 Ansbach
Telephone: +49 (0) 981 53 1300
Facsimile: +49 (0) 981 53 98 1300
E-mail: poststelle@lda.bayern.de.

The authority also offers a complaint form.

2. General principles and information regarding data protection

2.1 Scope of the processing of personal data

When you use our Website, we collect and use your personal data only to the extent necessary to provide a functioning website and/or to provide our web- or online-offers.

Any collection and use of personal data for other purposes only takes place

  • with your prior consent, or
  • if the processing is required to fulfil contractual obligations, or
  • if the processing is required to protect our legitimate interests, unless your interests or fundamental rights and freedoms prevail and require the protection of your personal data.

Additionally, exceptions apply in such cases where we are unable to obtain your prior consent for factual reasons or where the processing of personal data is permitted or required by law.

2.2 Legal bases

Insofar as we obtain consent for the processing of personal data, Art. 6 para 1 sentence 1 lit. a GDPR serves as the legal basis for the processing of personal data.

The legal basis for the processing of personal data required for the performance, implementation of pre-contractual measures, or for the initiation of a contract, is Art. 6 para 1 sentence 1 lit. b GDPR.

To the extent the processing of personal data is necessary for compliance with a legal obligation to which we are subject, Art. 6 para 1 sentence 1 lit. c GDPR is the legal basis.

If the processing is required to protect our legitimate interests or the legitimate interests of a third party, and if your interests, fundamental rights and freedoms, which require the protection of your personal data, do not outweigh such legitimate interest, the legal basis is Art. 6 para 1 sentence 1 lit. f GDPR.

2.3 Obtaining consent / right of withdrawal

As a general rule, we obtain any consent under Art. 6 para 1 sentence 1 lit. a GDPR electronically. Consent is typically provided by ticking the relevant box to document your consent, or having you click on the relevant selection field.

In the case of electronic consent, the so-called double opt-in procedure is used for the purpose of identifying the user (e.g. when registering for newsletters) to ensure that it is actually you who has given the consent. The declaration of consent is recorded electronically. You can contact us at any time to request a documentation of the declaration of consent you have submitted at the relevant time.

You can withdraw your consent at any time with effect for the future – in whole or in part. The legality of any processing that was based on your consent and which took place before the withdrawal of your consent remains unaffected. Any withdrawal is best addressed electronically to the contacts provided in section 1 (responsible body or data protection officer) or sent via the other contact options specified by us.

2.4 Recipients of personal data

In order to be able to provide our web- and/or online-services, we sometimes use third parties which provide services on our behalf and in accordance with our instructions (so-called “processors”). These processors constitute “recipients” within the meaning of the GDPR and may receive or come into contact with personal data as part of providing their services.

In this case, we ensure that our processors offer sufficient guarantees that suitable technical and organisational measures are in place, that the processing is carried out in compliance with the requirements of the GDPR, and that the protection of the rights of the affected data subject is guaranteed (cf. Art. 28 GDPR).

If personal data is transferred to third parties outside of a processing, we ensure this is only done in accordance with the requirements of the GDPR and only if there is a legal basis for the transfer (see section 2.2). To the extent that such a transfer takes place, this will be expressly mentioned in the information provided below and the relevant legal basis, as well as the third party recipient or category of recipients, will be named.

Please do not hesitate to contact us for further information on the processors we use. For this purpose, you are welcome to contact the bodies named in section 1 electronically (person responsible or data protection officer).

2.5 Data processing in so-called third countries

Your personal data will generally be processed within the EU or the European Economic Area.

Only in exceptional cases (e.g. in connection with the use of processors that provide web analysis services) is it possible that information is transferred to so-called “third countries”. “Third countries” are countries outside the European Union and/or the Agreement on the European Economic Area, where an adequate level of data protection comparable with EU standards cannot be readily assumed.

If the information transferred also includes personal data, we ensure that, prior to any such transfer, there are guarantees for an appropriate level of data protection in the respective third country or at the relevant recipient in the third country. This may be assumed from a so-called “adequacy decision” of the European Commission, or be ensured by using the so-called “EU standard contract terms”. Upon request, we will be happy to provide you with further information on the suitable and appropriate guarantees that we require in order to ensure an adequate level of data protection. Please refer to section 1 for the relevant contact details.

2.6 Deletion of data and period of storage

We delete personal data as soon as the purpose of the processing has expired. Thereafter, we will only retain personal data if required or provided for by the European or national legislator under EU regulations, laws or other legal provisions to which we are subject (e.g. for the fulfilment of statutory retention requirements and/or in the event of a justified interest in the storage of the data, e.g. during the course of limitation periods for the purpose of legal defence against any claims, or during an ongoing legal dispute). The data will also be deleted if a retention period stipulated by the aforementioned standards expires, unless there is a need to further retain the data for the conclusion of an agreement or for other purposes.

2.7 Rights of affected persons

As a person affected by the processing of personal data, the GDPR provides you with certain rights. If you would like to rely on one or more of these rights, you can contact one of our employees at any time. Please use the contact options provided under section 1 above. The rights of the persons affected are explained in detail here.

3. Data processing for the provision of the website / collection of log files

3.1 Description and scope of data processing

Each time you access any content on our website, our system automatically collects data and information from the computer system from which you are accessing the content. The following data is collected (hereinafter referred to as “log data”):

  • information about the browser type and the version used (so-called “user agent”);
  • the operating system of your computer system;
  • the internet service provider used by your computer system to access the internet;
  • the IP address of your computer system;
  • the date, time and duration of access;
  • the website from which you have accessed the content of our website (so-called “referrer”);
  • the website you visit after you have accessed our website.

Except for the IP address, the log data listed above cannot be used to identify you personally. A personal identification can only be established by assigning or linking the log data to data on the user of an IP address, which is generally not available to us.

3.2 Purpose of the processing

Log data, in particular, the IP address, is collected and processed for the purpose of providing the content contained on our website. This requires temporary storage of your IP address. This is required to address data traffic between your computer system and our web- and/or online-offers, or is needed to use our web- and/or online-offers.

Any further processing and storage of your IP address in log files is carried out for the purpose of ensuring the functionality of our web- and online-offers, to optimise the same, and to ensure the security of our IT systems.

In addition, this data is analysed by us for statistical purposes. This takes place in summarised form; individual users cannot be identified.

3.3 Legal bases

The legal basis for the collection and processing of the log data, to the extent they constitute personal data, is Art. 6 para 1 sentence 1 lit. b GDPR (performance and initiation of contracts).

The legal basis for storing the IP address for purposes beyond the communication process is Art. 6 para 1 sentence 1 lit. f GDPR (protection of legitimate interests).

3.4 Deletion of data and storage period

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the relevant session – i.e. the website visit – has ended. The storage of log data beyond this, including the IP address for the purpose of system security, takes place for a maximum period of 30 days after the page was accessed.

Any further processing and/or storage of log data is possible and permissible if the IP addresses of the respective users are deleted after expiry of the aforementioned storage period or if they are altered in such a way that it is no longer possible to assign the log data to an IP address.

3.5 Right to object and deletion possibilities

The collection of log data for the provision of the website, including its storage in log files within the limits mentioned above, is essential for the operation of the website. Therefore, there is no possibility to object. This does not apply to the processing of log data for analytical purposes; this depends on the web analysis tools used and the type of data analysis (personal / anonymous / pseudonymous), according to section 6.

4. Use of cookies

4.1 Description and scope of data processing

Our website uses cookies and similar technologies (hereinafter collectively referred to as “cookies”). Cookies are text files that are stored in the Internet browser or by the Internet browser on your computer system. Cookies do not contain any programs and cannot place any malicious code on your computer. If you call up content on our website, a cookie can be stored on your computer system. That cookie contains a characteristic string of characters that enables the browser to be uniquely identified when you visit the website again.

This site uses different types of cookies. Our own cookies do not contain any directly personal data, so that your privacy is protected. However, depending on the type of cookie and the possibility of assigning a cookie to an IP address, it is generally possible to establish a reference to a person. We do not carry out such referencing, and IP addresses are immediately anonymised in order to exclude such referencing.

Some cookies are placed by third parties who appear on our pages. We also share information about your use of our site with our social media, advertising and analytics partners. Our partners may combine this information with other information you have provided to them or that they have collected as part of your use of the services.

Most browsers automatically accept cookies. On your computer system or browser, you can delete cookies already set at any time, or set your browser to not accept cookies, which may lead to functional limitations of our offer. Please refer to the instructions of your browser or the manufacturer of your computer system for details of how this works.

4.2 What types of cookies do we use?

4.3 Consent

The law allows us to store cookies on your device if they are absolutely necessary for the operation of this site. For all other types of cookies we need your consent. You can change or withdraw your consent at any time from the cookie declaration on our website. Your consent is obtained separately for our websites by means of a tool.

4.4 Purpose of data processing

The purpose of using Necessary cookies is to simplify the use of websites. Some functions of our website cannot be offered without the use of such cookies. For these it is necessary that the browser is recognized even after a page change.

Preference cookies are used to enable you to set the language preference.

The user data collected through technically necessary cookies is not used to create user profiles.

Marketing cookies and statistics cookies are used for the purpose of improving the quality of our website and its contents. In this way we learn how the website is used and can thus constantly optimise our offer. For these purposes, we also use third-party systems that set third-party cookies.

4.5 Legal bases

The legal basis for the use of technically necessary cookies is Art. 6 para 1 sentence 1 lit. b GDPR, to the extent it is possible to identify individual users and the use is required for the purpose of providing our web and/or online offers in the sense of contract performance. Otherwise, Art. 6 para 1 sentence 1 lit. f GDPR forms the legal basis since the use is also in our legitimate interest for the purpose of providing our website.

If the user has provided their consent, the legal basis for the processing of personal data using analysis cookies is, to the extent that it is possible to identify individual users, Art. 6 para 1 sentence 1 lit. a GDPR. If analysis cookies are used to create pseudonymous analyses, the legal basis is provided by Art. 6 para 1 sentence 1 lit. f GDPR (protection of legitimate interests).

4.6 Deletion of data and period of storage

The cookies are stored on your device and are transmitted to our web server. A distinction is made between so-called permanent cookies and session cookies. Session cookies are stored for the duration of a browser session and are deleted when the browser is closed. Permanent cookies are not deleted when the respective browser session is closed, but are stored on the user’s end device for a longer period of time.

4.7 Right to object and deletion possibilities

When visiting our website, an information banner informs you about the use of cookies and refers you to this data protection policy. The banner also requests your consent to the processing of personal data used in this context.

As a user, you have full control over the use and storage of cookies. You can generally deactivate or restrict the transmission of cookies by changing the settings in your browser. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website in full. For more information on the use of cookies, please see http://www.meine-cookies.org or www.youronlinechoices.com.

Once you have given your consent to the use of cookies to create pseudonymous user profiles (see the section on analysis cookies above), you can withdraw the consent at any time with effect for the future. You can exercise your right of objection via the information banner or via the above-mentioned setting options in your browser.

5. Newsletter

5.1 Description and scope of data processing

If you would like to receive our newsletter, you need to provide us with a valid e-mail address as well as your first and last name. In order to be able to check whether you are the owner of the e-mail address provided or whether the owner of this e-mail address would like to receive the newsletter, we will send an automated e-mail to the e-mail address provided (so-called double opt-in) after the first registration step. Only after confirmation of the newsletter registration via the link in the confirmation e-mail, will we add the e-mail address provided as well as your first and last name to our mailing list. We do not collect any other data other than your e-mail address, your first and last name and the information required to confirm your registration.

5.2 Purpose of data processing

Your data will only be processed for the purpose of sending the newsletter you subscribed to.

5.3 Legal basis

The legal basis for this processing is Art. 6 para 1 sentence 1 lit. a GDPR (consent), which you have given us when subscribing to the newsletter.

5.4 Deletion of data and period of storage

Subject to a request for deletion, the data will be stored for as long as we need the data to send the newsletter. The data will be deleted if you unsubscribe from the newsletter, or if a newsletter is reported as undeliverable more than three (3) times, or if we generally stop sending out the newsletter you subscribed to.

5.5 Right to object and deletion possibilities

You can unsubscribe from the newsletter at any time by using the unsubscribe link provided at the end of each newsletter (“unsubscribe”). The explanations regarding the right of revocation can be found here and also apply.

6. E-mail contact

6.1 Description and scope of data processing

We provide the e-mail address info@paytechlaw.com through which you may contact us electronically. If you make use of this option, the data sent by you along with the e-mail will be transmitted to us and stored. What data is transmitted and collected this way depends partly on your e-mail program, but usually contains the following data of the sender:

  • e-mail address
  • subject of the e-mail
  • last name, first name, title, company (if applicable)
  • message text and all personal data contained therein, e.g. postal address, telephone and facsimile number, mobile number.

Additionally, the following data is processed and stored upon receipt:

  • e-mail header, this contains the technically required information about the sending system and further information regarding the sending as well as the forwarding to the recipient system (e.g. details regarding date/time, IP addresses of the servers, ID numbers)
  • date and time of receipt by our system

Under no circumstances will the data be passed on to third parties, unless we have to refer to third parties to process the enquiry.

6.2 Purpose of data processing

The data will be processed exclusively for the purpose of processing your respective request. In addition, the technical data collected (e.g. e-mail headers) is used to prevent misuse of the e-mail address and to ensure the security of our IT systems.

6.3 Legal bases

The legal basis for the processing of the data is, to the extent the data processing is done for the purpose of the performance or initiation of a contract, Art. 6 para 1 sentence 1 lit. b GDPR.

The legal basis for the collection of additional data during the dispatch process is Art. 6 para 1 sentence 1 lit. f GDPR; the legitimate interests here lie in the prevention of abuse and ensuring system security (see above).

6.4 Erasure of data and period of storage

The data relating to an enquiry is generally deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent via e-mail, this is the case when the respective communication is finished and/or the request has been finally answered. Communication is finished when it can be inferred from the circumstances that the relevant facts have been finally clarified. Instead of deletion, the data will be saved with restrictions placed on their processing if continued storage of the data is necessary for the reasons stated in section 2.6 above, e.g. because the request or its content is subject to legal or supervisory data retention obligations.

6.5 Right to object and deletion possibilities

You can object to the processing of your data at any time, as explained here. You also have the option of cancelling the communication with us at any time until the e-mail is sent. All personal data stored in connection with contacting us will be deleted in case of an objection, unless continued storage of the data is necessary for the reasons stated in section 2.6 above.

7. Web analysis

7.1 Description and purpose of the web analysis

In order to optimise our website and to adapt it to the changing habits and technical requirements of our users, we use tools for so-called web analysis. For example, we analyse which elements are visited by users, whether the information they are looking for is easy to find, etc. This information only becomes suitable for interpretation and informative when a larger group of users is analysed. For this purpose, the data collected is aggregated, i.e. summarised into larger units. For example, we can adapt the design of pages or optimise content if we discover that a relevant proportion of visitors uses new technologies or finds existing information only with difficulty, or not at all.

7.2 Google Analytics

We use the analysis software Google Analytics, a web analysis service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (Google). Google Analytics uses a tracking cookie to recognise a user who already visited our website in the past. The cookie is a small text file which is stored on your computer and which enables an analysis of the visits to our website (so-called usage profiles). The tracking cookie has a lifetime of one week. The information collected by the cookie about your use of our website (including your IP address) is generally transmitted to a Google server in the USA and stored there. Google Analytics has been extended by us by the code “gat._anonymizeIp();” to ensure an anonymous collection of IP addresses (so-called IP masking) before they are transmitted.

At our request, your IP address (the number assigned to your computer by your internet access provider) will therefore be shortened by Google beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area. The user profiles generated by Google Analytics are thus made anonymous, i.e. any inference to a specific person is virtually impossible. Only in exceptional cases, the full IP address will be transmitted to a Google server in the USA and shortened there.

The usage profiles contain, e.g., information about the length of the visit, approximate geographical origin, the origin of visitor traffic, exit pages and usage procedures. Google will use this information to evaluate your use of our website, to compile reports on website activities for us and to provide us with further services associated with the use of the website and the internet. We delete the anonymous user profiles collected by Google after twelve months.

The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. A transfer of this data by Google to third parties only takes place on the basis of legal regulations or within the scope of processing on behalf of a controller.

By using our website, you consent to the processing of the data collected about you by Google and to the manner of the data processing described above as well as to the named purpose. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, we would like to point out that in this case you may not be able to use all functions of our website to their full extent. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at http://tools.google.com/dlpage/gaoptout?hl=en. As an alternative to the browser add-on or for browsers on mobile devices, you can prevent Google Analytics from collecting data by clicking the link provided below. An opt-out cookie is set to prevent future collection of your data when you visit this website. Disable Google Analytics.

For more information on Google Analytics and data protection, please visit

http://tools.google.com/dlpage/gaoptout?hl=in or http://www.google.com/intl/de/policies/privacy/index.html.

8. Social media plugins

8.1 General information

We have included social media network plugins (“plugins”) on our website. They provide various functions, the subject matter and scope of which is determined by the operators of the respective social media networks.

Please note that we are not providers of social media networks and have no influence on data processing by the respective service providers. More detailed information on their treatment of data can be found by accessing the links provided below or at the addresses of the providers listed below.

8.2 Twitter

Our website uses components of Twitter Inc, 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (“Twitter”). Twitter is a multilingual publicly accessible microblogging service where users can publish and distribute so-called “tweets”, i.e. short messages limited to (at the moment) 280 characters. These short messages are generally accessible to anyone, potentially worldwide, including to people not registered on Twitter. The tweets are also displayed to so-called “followers” of the respective user of a Twitter account. “Followers” are other users of Twitter who follow a certain user and his tweets. Twitter also has functions such as “hashtags”, which are keywords, as well as links and the possibility of distributing other people’s tweets (so-called “retweet”), thereby enabling users to address a broad audience.

The integrated components can be recognised by terms such as “Twitter” or “follow”, usually associated with the Twitter logo, a stylized blue bird. Using the Twitter buttons it is possible to share a page of our website on Twitter, such as a blog post, or to become a follower of our Twitter account. When you visit one of our websites which contains such a component, your browser establishes a direct connection to Twitter’s servers. The content of the Twitter buttons is transmitted directly from Twitter to your browser. We therefore have no influence on the extent of the data Twitter collects with the help of this method and can only inform you according to our level of knowledge: To our knowledge, only your IP address and the URL of the respective website will be transmitted, but not used for any purposes other than the presentation of the button. For more information, please see Twitter’s privacy policy at http://twitter.com/privacy.

Each time you visit one of the individual pages of our website on which a Twitter component (Twitter button) is embedded, your browser is automatically prompted by the respective Twitter component to download a representation of the corresponding Twitter component from Twitter. Further information on the Twitter buttons can be found at https://about.twitter.com/de/resources/buttons. As part of this technical process, Twitter will know which specific subpage of our website you are visiting. The purpose of embedding the Twitter component is to enable you to disseminate the contents of our website in order to make our website known in the digital world and to increase our visitor numbers.

If you are logged in to Twitter at the same time, Twitter recognises which specific subpage of our website you are visiting every time you visit our website, and for the entire duration of the respective stay on our website. This information is collected by Twitter and assigned to your respective Twitter account by Twitter. If you click one of the Twitter buttons embedded on our website, the data and information thus transmitted will be assigned to your personal Twitter user account and stored and processed by Twitter.

Twitter receives information via the Twitter component about your visit on our website whenever you are logged in to Twitter at the same time you visit our website; this happens regardless of whether you click on the Twitter component or not. If this transmission of information to Twitter is not desired by the data subject, she or he can prevent this transmission by logging out of her or his Twitter account before visiting our website.

9. Security

We have taken the necessary technical and organisational security measures to protect your personal data from loss and misuse. For example, your data is stored in a secure operating environment in a data centre in the EU which is not accessible to the public.

Should you wish to contact us via e-mail, we would like to point out that the confidentiality of the transmitted information is not guaranteed. The content of e-mails can be viewed by third parties. We therefore recommend sending us confidential information, e.g. mandate or application documents, exclusively by post, or to agree with us upon a more secure procedure (e.g. encryption).

10. Amendment of this data protection policy

For legal and/or organisational reasons, amendments or adjustments to our data protection policy will be required from time to time. Please therefore always ensure you are looking at the current version of our data protection policy, which can be accessed automatically by clicking on the respective link which is displayed during the cookie query. Amendments always apply to personal data collected in the future. The protection of the data collected and stored by us before the relevant amendments is therefore not affected.

11. Your rights as a data subject

As a person affected by the processing of personal data, the GDPR grants you certain rights, which you can find out more about here.

12. Contact

If you have any questions regarding data protection, please contact us. The best way to do this is to use the contact address given in section 1, or the contact details given here.

Overview: Your rights as a data subject

The EU GDPR grants you, as a data subject affected by the processing of personal data, certain rights, about which we would like to inform you below (sections 1 – 12). In addition, in section 13 we have explained the essential technical terms used in this data protection policy.

1. Your rights, possibility of contact

The GDPR grants you certain rights as a person affected by the processing of personal data. If you would like to make use of one or more of these rights, you can contact one of our employees at any time. The relevant employee will take care of your request without undue delay. You can do this, for example, by using the contact options listed under section 1 of the data protection policy, or you can contact us via our website. There are no other costs than the postage costs or the transmission costs according to the applicable basic tariffs.

You can also contact our data protection officer at any time via the following details:

Annerton Rechtsanwaltsgesellschaft mbH
Munich office

Wagmüllerstraße 23
DE – 80538 München

Tel.  +49 (0)89 306683-0
Fax  +49 (0)89 306683-212
E-Mail: datenschutz@annerton.com

2. Right to obtain confirmation (Art. 15 GDPR)

You have the right to ask us to confirm whether we are processing personal data concerning you.

3. Right of access (Art. 15 GDPR)

You have the right to request information from us at any time and free of charge as to whether or not we process personal data relating to you.

If you are a data subject because our company processes your personal data, you are entitled to information about

  • the purposes of the processing;
  • the categories of the personal data concerned;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  • to the extent possible, the envisaged period for which the personal data will be stored; or, if this is not possible, the criteria used to determine that period (e.g. statutory retention periods, etc.) must be communicated in any case;
  • your right to request rectification or deletion of your personal data or the restriction of processing personal data concerning you or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from you as the data subject, any available information as to their source.

You are also entitled to information as to whether your personal data is the subject of an automated individual decision within the meaning of Art. 22 GDPR (so-called “profiling”), and if this is the case, which decision criteria form the basis of such an automated individual decision (logic) or which effects and scope the automated individual decision may have for you.

If personal data is transferred to a third country outside the scope of the GDPR, you are entitled to information as to whether, and, if so, on the basis of which guarantees, an appropriate level of protection within the meaning of Art. 45, 46 GDPR is ensured at the data recipient in the third country.

You also have a right of access to information on whether personal data has been transferred to a third country or to an international organisation. If this is the case, you also have the right to obtain information on the appropriate guarantees linked to the transmission.

4. Right to rectification (Art. 16 GDPR)

As the data subject, you have the right to require, without undue delay, that we rectify inaccurate personal data concerning you. You also have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data, including by means of providing a supplementary statement.

5. Right to erasure (Art. 17 GDPR, so-called “right to be forgotten”)

As the data subject, you have the right to require that we erase your personal data immediately, provided that one of the following reasons applies and insofar as the processing is not absolutely necessary for other reasons:

  • the personal data is no longer required in relation to the purposes for which it was collected or otherwise processed;
  • you have given consent on which the processing was based pursuant to Art. 6 para 1 sentence 1 lit. a GDPR or pursuant to Art. 9 para 2 lit. a GDPR, and you have withdrawn this consent and there is no other legal ground for the processing;
  • you have filed an objection to data processing pursuant to Art. 21 GDPR and there are no overriding legitimate grounds for the processing;
  • your personal data was processed unlawfully;
  • a child’s data was collected in relation to information society services pursuant to Art. 8 para. 1 GDPR;
  • the deletion of the personal data is necessary to fulfil a legal obligation under European Union law or the law of the member states to which we are subject;
  • the personal data was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

There is no right to obtain erasure of personal data if

  • the right to freedom of expression and information runs counter to the deletion of the data;
  • the processing of personal data is necessary (i) to fulfil a legal obligation (e.g. statutory retention obligations), (ii) to perform tasks carried out in the public interest or with respect to interests under EU law and/or the law of the member states (this also includes interests in the field of public health) or (iii) for archiving and/or research purposes;
  • the personal data is required to establish, exercise or defend legal claims.

The deletion must take place without undue delay.

If personal data has been made public by us and we are obliged to erase the personal data pursuant to Art. 17 para. 1 GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and implementation costs, to inform other data processors which process the published personal data, that you have requested the erasure of all links to this personal data or of copies or replications of this personal data, unless processing is absolutely necessary for other reasons.

6. Right to restriction of processing (Art. 18 GDPR)

As the data subject, you have the right to request us to restrict the processing of your personal data in the following cases:

  • you contest the accuracy of your personal data. In this case you can ask us not to use your data for other purposes while the accuracy is being checked and to only process them in this respect to a limited extent;
  • in the event of unlawful data processing, instead of erasing the data in accordance with Art. 17 para 1 lit. d GDPR, you may request the restriction of data used in accordance with Art. 18 GDPR;
  • if you need your personal data to establish, exercise or defend legal claims, but your personal data is otherwise no longer required, you can ask us to restrict processing to the aforementioned legal prosecution purposes;
  • if you have filed an objection against data processing pursuant to Art. 21 para 1 GDPR and it is not yet clear whether our interests in processing outweigh your interests, you may request that your data not be used for other purposes for the duration of the examination and be restricted in this respect.

Personal data, the processing of which has been restricted at your request, may – subject to the storage of such data – only be used for the following purposes

  • with your consent,
  • to establish, exercise or defend legal claims,
  • for the protection of the rights of another natural or legal person, or
  • for reasons of important public interest of the European Union or of a member state.

If processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

7. Notification obligation (Art. 19 GDPR)

As the data subject, you have the right to request us to inform all recipients to whom we have disclosed the personal data concerning you of this rectification, erasure or restriction of processing in cases where you exercise your right of rectification (section 4), erasure (section 5) or restriction of processing (section 6) unless this proves impossible or involves a disproportionate effort. You have the right to be informed by us of these recipients upon your request.

8. Right to data portability (Art. 20 GDPR)

As the data subject, you have the right – subject to the following provisions – to demand that we provide to you the data concerning you in a common electronic, machine-readable data format. The right to data portability includes the right to transfer the data to another controller; at your request, we will therefore – as far as this is technically possible – transfer data directly to a party appointed, or yet to be appointed by you, as the controller.

The right to request the transfer of data exists only for data provided by you and presupposes that the processing is based on a form of consent pursuant to Art. 6 para 1 lit. a GDPR or Art. 9 para 2 lit. a GDPR, or for the purpose of the execution of a contract pursuant to Art. 6 para 1 lit. b GDPR, and that it is carried out using automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to request the transfer of data as per Art. 20 GDPR does not affect the right to data erasure according to Art. 17 GDPR.

The first copy is free of charge; an appropriate fee may be charged for further copies.

The right to request the transfer of data is subject to the rights and freedoms of others whose rights may be affected by the transfer of the data.

9. Right to object (Art. 21 GDPR)

As the data subject, you have the right to object at any time, for reasons arising from your particular situation and with future effect, to the processing of your personal data which is based on Art. 6 para 1 sentence 1 lit. e or lit. f GDPR. This also applies to profiling based on these provisions.

We no longer process personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing serves to establish, exercise or defend legal claims.

If we process personal data for direct marketing purposes, you have the right to object to this at any time. This also applies to any profiling (section 10), insofar as it is linked to such direct advertising. If you object to our processing for direct advertising purposes, we will no longer process your personal data for these purposes.

To exercise your right of objection, you can contact any of our employees or use the contact option provided in section 1. You may also exercise your right of objection by automated means using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

Please note that the exercise of the right of objection is directed towards future processing. Processing that has already taken place in the past is neither invalid nor must it be reversed.

10. Automated individual decision-making including profiling (Art. 22 GDPR)

As the data subject, you have the right to ask us not to be subject to a decision based solely on automated processing – including profiling – which has legal effect against you or which significantly affects you in a similar manner, provided that the decision

a)    is not necessary for entering into or performance of a contract between you and us; or

b)   is authorised by European Union or member state law to which we are subject and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests; or

c)    is based on your explicit consent.

If the decision is necessary in case a) for the entering into or performance of a contract between you and us, or in case b) with your explicit consent, we will take reasonable measures to protect your rights, freedoms and your legitimate interests, including at the very least the right to obtain the intervention of a person by the controller, the right to state your own position and to challenge the decision.

11. Right to withdraw consent to data processing (Art. 7 para. 3 GDPR)

You may withdraw your consent at any time without giving reasons, and may change or completely withdraw your consent to the processing of personal data with effect for the future.

To exercise your right of withdrawal, you can contact any of our employees or use the contact option indicated under section 1.

Please note that if you exercise your right of withdrawal, it is directed towards future processing. Processing that has already taken place in the past is neither invalid nor must it be reversed.

12. Remedies, right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You are entitled to lodge a complaint with the competent supervisory authority for data protection. You may contact your local supervisory authority in the member state where you are living, working or where the suspected infringement has taken place. You will find the data protection authority responsible for us in section 1.

13. Definitions

In this data protection policy we use, among others, the following terms defined in Art. 4 GDPR:

13.1     “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

13.2     “Data subject” means any identified or identifiable natural person, whose personal data are processed by the controller.

13.3     “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

13.4     “Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

13.5     “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

13.6     “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

13.7     “Controller” means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for nomination may be provided for by Union or Member State law.

13.8     “Processor” means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

13.9     “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

13.10   “Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

13.11   “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Status: January 2020