Data Protection

 

1.                     Preface

1.1.                  The Errington Language School places great value on data protection.

1.2.                  This data protection statement informs you about the type, scope and purpose of the processing of personal data within our online service and the connected websites, functions and contents (hereinafter jointly referred to as "online service" or "website"). This data protection statement shall apply regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online service is performed.

2.                     Data Controller

The data controller within the meaning of the General Data Protection Regulation, other data protection laws in force in the Member States of the European Union and other provisions of a data protection nature is:

 

Errington Language School 
Arlette und Michael Errington
Seidenstraße 53     
70174 Stuttgart
Germany
Telephone: +49 711 2293474
E-mail: info@errington-schoool.de

3.                     Terms

3.1.                  Our data protection statement is based on the terms used by the European legislator for directives and regulations when issuing the General Data Protection Regulation (GDPR). Our data protection statement should be easy to read and understandable for the public and for our customers and business partners.

3.2.                  In order to guarantee this, we would like to explain the terms used in advance. The terms used, such as "personal data" or their "processing" are defined in Art. 4 of the General Data Protection Regulation (GDPR).

3.3.                  In this data protection statement we use the following terms, among others:

3.3.1.             Personal Data

Personal data is all information relating to an identified or identifiable natural person (hereinafter "data subject"). A natural person is considered identifiable if he can be identified directly or indirectly, in particular by attribution to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

3.3.2.             Data Subject

The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

3.3.3.             Processing

Processing means any operation or series of operations carried out with or without the aid of automated procedures in relation to personal data, such as the collection, capture, organisation, sorting, storage, adaptation or alteration, reading, retrieval, use, disclosure by transmission, publication or any other form of provision, comparison or linking, restriction, erasure or destruction.

3.3.4.             Restriction of Processing

Restriction of processing is the labelling of stored personal data with the aim of restricting their future processing.

3.3.5.             Profiling

Profiling is any form of automated processing of personal data consisting in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.

3.3.6.             Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.

3.3.7.             Data Controller or person responsible for processing

The data controller or person responsible for processing is the natural or legal person, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data. Where the purposes and means of such processing are laid down by European Union law or by the law of the Member States, the data controller or the specific criteria for his appointment may be laid down in accordance with European Union law or the law of the Member States.

3.3.8.             Data Processor

The data processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller.

3.3.9.             Recipient

The recipient is a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether this is a third party or not. However, authorities which may receive personal data under European Union law or the law of the Member States within the framework of a particular investigation mandate shall not be regarded as recipients.

3.3.10.          Third Party

A third party is a natural or legal person, authority, institution or body other than the data subject, the data controller, the data processor and the persons authorised to process the personal data under the direct responsibility of the data controller or the data processor.

3.3.11.          Consent

Consent shall mean any informed and unequivocal expression of will which has been given voluntarily by the data subject in particular in the form of a declaration or other clear affirmative act by which the person indicates his or her consent to the processing of personal data concerning him or her.

4.                     General Information on Data Processing

4.1.                 Scope of Personal Data Processing

We only collect and use personal data of our users insofar as this is necessary to provide a functional website as well as our contents and services. As a rule, the personal data of our users is collected and used only with the user's consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

4.2.                 Legal Basis for Personal Data Processing

4.2.1.              Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

4.2.2.              For the processing of personal data required for fulfilling a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.

4.2.3.              Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR shall serve as the legal basis.

4.2.4.              In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR shall serve as the legal basis.

4.2.5.              If processing is necessary in order to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR shall serve as the legal basis for processing.

4.3.                 Data Deletion and Storage Period

4.3.1.              The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the data controller is subject.

4.3.2.              The data shall also be blocked or deleted if the storage period prescribed by the aforementioned standards expires, unless there is a need for the further storage of the data for the conclusion or fulfilment of a contract.

5.                     Technical and Organisational Measures

5.1.                  In order to guarantee that personal data cannot be read, copied, altered or erased without authorisation during electronic transmission, transport or storage on data carriers, we use a state-of-the-art encryption procedure in accordance with Art. 9 GDPR.[1]

5.2.                  This site uses Transport Layer Security (TLS) encryption for security reasons and to protect the transmission of confidential content, such as requests you send to our system. Data that you transmit to our system cannot easily be read by third parties.

5.3.                  You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

6.                     Provision of the Website and Creation of Log Files

6.1.                 Description and Scope of Data Processing

6.1.1.              Each time you visit our website, our system automatically collects data and information from the computer system of the accessing computer.

6.1.2.              The following data is collected:

•  information about the type of browser and the version used

•  operating system of the user

•  internet service provider of the user

•  date and time of access

•  websites from which the system of the user reaches our website

•  websites accessed by the system of the user via our website

 

6.1.3.              The data is also saved in the log files of our system. Not affected by this are the IP addresses of the user or other data that enable the attribution of the data to a user. This data is not stored together with other personal data of the user.

6.2.                 Legal Basis for Data Processing

6.3.                  The legal basis for the temporary storage of data is Art. 6 (1) (f) GDPR.

6.4.                 Purpose of Data Processing

6.5.                  The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this, the IP address of the user must remain stored for the duration of the session.

6.6.                  Our legitimate interest in data processing according to Art. 6 (1) (f) GDPR also lies in these purposes.

6.7.                 Duration of Storage

6.8.                  The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

6.9.                 Possibility for Appeal and Removal

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

7.                     Use of Cookies

7.1.                 Description and Scope of Data Processing

7.1.1.              We use so-called cookies on the basis of our legitimate interests on this website. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a distinctive character string that enables a unique identification of the browser when the website is accessed again.

7.1.2.              We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after changing the webpage.[2]

7.1.3.              The following data is stored and transmitted in the cookies: [3]

•  language settings

•  items in a shopping basket

•  log-in information

7.1.4.              When you visit our website, an information banner informs you about the use of cookies for analytical purposes and refers you to this data protection statement. In this context, there is also a note on how the storage of cookies in the browser settings can be prevented.

7.2.                 Legal Basis for Data Processing

7.2.1.              The legal basis for the processing of personal data by using technologically necessary cookies is Art. 6 (1) (f) GDPR.

7.3.                 Purpose of Data Processing

7.3.1.              The purpose of using technologically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For this it is necessary that the browser is recognised after changing the webpage.

7.3.2.              The user data collected by technologically necessary cookies is not used to create user profiles.

7.3.3.                            We require cookies for the following applications: [4]

•  Shopping basket

•  Adopting language settings

•  Remembering search terms

7.3.4.              For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6 (1) (f) GDPR.

7.4.                 Duration of Storage, Possibility for Appeal and Removal

7.4.1.              Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies which are already stored can be deleted at any time. This can also ensue automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website in full.

8.                     Contact Form and E-Mail Contact

8.1.                 Description and Scope of Data Processing

8.1.1.              On the basis of our legitimate interests, we use a contact form on this website, which can be used for electronic contact. If a user takes advantage of this possibility, the data entered in the input mask will be transmitted to us and stored.

8.1.2.              This data includes:

•  Salutation

•  Title

•  first name and surname

•  e-mail address

•  address

•  telephone number

8.1.3.              In the course of the sending process, your consent is obtained for the processing of the data and reference is made to this data protection statement.

8.1.4.              Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted by e-mail will be stored.

8.1.5.              In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the interchange.

8.2.                 Legal Basis for Data Processing

8.2.1.              The legal basis for the processing of the data, if consent by the user exists, is Art. 6 (1) (a) GDPR.

8.2.2.              The legal basis for the processing of the data which is transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. If the e-mail contact aims at the conclusion of a contract, then the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

8.3.                 Purpose of Data Processing

8.3.1.              The processing of the personal data from the input mask serves solely to handle the contact request. If contact has been made via e-mail, this also constitutes the necessary legitimate interest in the processing of the data.

8.4.                 Duration of Storage

8.4.1.              The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those that were sent by e-mail, this is the case if the respective interchange with the user is terminated. The interchange is terminated when it can be inferred from the circumstances that the facts in question have been conclusively clarified.

8.5.                 Possibility for Appeal and Removal

8.5.1.              The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the interchange cannot be continued.

8.5.2.              All personal data stored in the course of contacting us will be deleted in this case.

9.                     Google Fonts

9.1.                 Scope of Personal Data Processing

9.1.1.              On the basis of our legitimate interests, we use the Google Fonts service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

9.1.2.              Google Fonts provides an intuitive and robust directory of open source designer web fonts. With an extensive catalogue, typography can be seamlessly integrated into any design project.

9.1.3.              The service is used for the integration of fonts (web fonts) on our internet pages. The integration of Google Fonts ensues by accessing Google via the URL fonts.google.com. The fonts come from different designers and are open-source.

9.1.4.              When users access our online service, a request is usually transmitted to a Google server in the USA and stored and processed there.

9.1.5.              Technically, the fonts embedded in our website are stored on a Google server and then loaded from there when the page is accessed. By using Google Fonts, Google's servers send respective files to each user, based on the technologies supported by the user's browser.

9.1.6.              Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

9.1.7.              Connection to Google Fonts is not authenticated. When you visit our website, no cookies or login information are sent to Google via the Google Fonts service. Respective requests to the servers of the Google Fonts service are made to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com, so that requests for fonts are generally separate from login information which can otherwise be sent to Google domains, such as google.com or google.de, and authenticated.

9.1.8.              Google Fonts logs CSS and font file request records. Google assigns aggregated usage numbers for statistical purposes on the popularity of font families and publishes these results on an analytics page (https://fonts.google.com/analytics).

9.1.9.              More information about the Google Fonts service can be found at developers.google.com/fonts/faq.

9.2.                 Legal Basis for Personal Data Processing

The legal basis for the processing of personal data of users is Art. 6 (1) (f) GDPR.

9.3.                 Purpose of Data Processing

9.3.1.              Data processing ensues in the interest of analysing, optimising and economically operating the online service in order to integrate content or service offers from third party providers or their content and services.

9.3.2.              We use Google Fonts to make our website independent of the fonts installed by the user, the so-called system fonts, and to ensure a consistent display image on different systems.

9.3.3.              The purpose and scope of data collection and further processing and use of the data by Google can be viewed in Google's data protection statement at policies.google.com/privacy.

9.4.                 Duration of Storage

9.4.1.              The data will be deleted as soon as they are no longer needed for the purpose of keeping a record.

9.5.                 Possibility for Appeal and Removal

9.5.1.              More information on data use by Google, possible settings and objections can be obtained on the Google websites https://www.google.com/intl/de/policies/privacy/partners (“Use of data by Google when using partners’ websites or apps”), www.google.com/policies/technologies/ads (“Use of data for advertising purposes”), www.google.de/settings/ads (“Administrating information which Google uses to display adverts”).

10.                  Google Maps

10.1.              Scope of Personal Data Processing

10.1.1.           On the basis of our legitimate interests, we use the Google Maps service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

10.1.2.           Google Maps is an online map service by Google. The earth's surface can be viewed as a road map or as an aerial or satellite image.

10.1.3.           The service is used for the integration of map data on our website. The integration of Google Maps is done by accessing a Google server via an interface, the Google Maps API.

10.1.4.           When users access a page of our online service, in which a corresponding map section has been integrated, a request is transmitted to a Google server in the USA and stored and processed there. By using Google Maps, Google's servers send corresponding data to the user's browser to display the map material.

10.1.5.           Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

10.1.6.           More information about the Google Maps service can be found at https://support.google.com/maps/.

10.2.              Legal Basis for Personal Data Processing

The legal basis for the processing of personal data of users is Art. 6 (1) (f) GDPR.

10.3.              Purpose of Data Processing

10.3.1.           Data processing ensues in the interest of analysing, optimising and economically operating the online service in order to integrate content or service offers from third party providers or their content and services.

10.3.2.           We use Google Maps to integrate verified map data in our online presence.

10.3.3.           The purpose and scope of data collection and further processing and use of the data by Google can be viewed in Google's data protection statement at policies.google.com/privacy.

10.4.              Duration of Storage

10.4.1.           The data will be deleted as soon as they are no longer needed for the purpose of keeping a record.

10.5.              Possibility for Appeal and Removal

10.5.1.           More information on data use by Google, possible settings and objections can be obtained on the Google websites https://www.google.com/intl/de/policies/privacy/partners (“Use of data by Google when using partners’ websites or apps”), www.google.com/policies/technologies/ads (“Use of data for advertising purposes”), www.google.de/settings/ads (“Administrating information which Google uses to display adverts”).

11.                  Facebook

11.1.              Description and Scope of Data Processing

11.1.1.           On the basis of our legitimate interests, we use social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").

11.1.2.           The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are identified by one of the Facebook logos (a white "f" on a blue tile, the term "like" or a "thumbs up" sign) or are marked with the addition of a "Facebook Social Plugin". The list and the appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.

11.1.3.           Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

11.1.4.           If a user accesses a function of this online service which contains such a plugin, his device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online service. User profiles can be created from the processed data. We therefore have no influence on the amount of data Facebook collects with the help of this plugin and therefore inform users according to our level of knowledge.

11.1.5.           By integrating the plugins, Facebook receives information that a user has accessed the corresponding page of the online service. If the user is logged in to Facebook, Facebook can assign the visit to his Facebook account. When users interact with the plugins, such as pressing the Like button or posting a comment, the information is sent directly from your device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, only an anonymised IP address is stored in Germany.

11.2.              Legal Basis for Data Processing

The legal basis for the processing of personal data of users is Art. 6 (1) (f) GDPR.

11.3.              Purpose of Data Processing

11.3.1.           The data processing ensues in the interest of the analysis, optimisation and economic operation of the online service.

11.3.2.           The purpose and scope of the data collection and further processing and use of the data by Facebook, as well as the relevant rights and settings options for the protection of the privacy of the users, can be found in the Facebook data protection information: https://www.facebook.com/about/privacy/.

11.4.              Duration of Storage

11.4.1.           The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.

11.5.              Possibility for Appeal and Removal

11.5.1.           If a user is a Facebook member and does not want Facebook to collect data about him via this online service and link it to his membership data stored on Facebook, he must log out of Facebook before using our online service and delete his cookies.

11.5.2.           Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: www.facebook.com/settings or via the US page www.aboutads.info/choices/ or the EU page www.youronlinechoices.com. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.

12.                  Twitter

12.1.              Description and Scope of Data Processing

12.1.1.           Based on our legitimate interests, we use components of Twitter, which is operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA (“Twitter”).

12.1.2.           Twitter is a multilingual public microblogging service on which users can publish and distribute so-called tweets, i.e. short messages limited to 140 characters. These short messages are available to everyone, including people who are not registered on Twitter. The tweets are also displayed to the so-called followers of the respective user. Followers are other Twitter users who follow a user's tweets. Furthermore, Twitter makes it possible to address a broad audience via hashtags, links and retweets.

12.1.3.            Each time one of the individual pages of this website is accessed, which is operated by the data controller and on which a Twitter component (Twitter button) has been integrated, the internet browser on the information technology system of the data subject is automatically prompted by the respective Twitter component to transmit data to Twitter. Further information about Twitter buttons can be found at about.twitter.com/de/resources/buttons. In the course of this technical process, Twitter is informed which specific subpage of our website is visited by the data subject. The purpose of integrating the Twitter component is to enable our users to disseminate the content of this website, to make this website known in the digital world and to increase our visitor numbers.

12.1.4.           If the data subject is logged on to Twitter at the same time, Twitter recognises whenever the data subject accesses our website and during the entire duration of the visit on our website, which specific subpage of our website the data subject visits. This information is collected by the Twitter component and attributed to the respective Twitter account of the data subject. If the data subject presses one of the Twitter buttons integrated on our website, the data and information thus transmitted will be attributed to the personal Twitter user account of the data subject and stored and processed by Twitter.

12.1.5.           Twitter receives information via the Twitter component that the data subject has visited our website whenever the data subject is logged on to Twitter at the same time as accessing our website; this happens regardless of whether the data subject clicks on the Twitter component or not. If such a transmission of this information to Twitter is not desired by the data subject, he can prevent the transmission by logging out of his Twitter account before accessing our website.

12.2.              Legal Basis for Data Processing

The legal basis for the processing of personal data of users is Art. 6 (1) (f) GDPR.

12.3.              Purpose of Data Processing

12.3.1.           The data processing ensues in the interest of the analysis, optimisation and economic operation of the online service.

12.3.2.           The purpose and scope of data collection and further processing and use of the data by Twitter can be viewed in Twitter's data protection statement at https://twitter.com/privacy?lang=de. LinkedIn’s cookie regulation can be viewed at https://policy.pinterest.com/cookies.

12.4.              Duration of Storage

12.4.1.           The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.

12.5.              Possibility for Appeal and Removal

12.5.1.           If a user is also a Twitter user and does not want Twitter to collect data about him via this online service and link it to the user data stored on Twitter, he must log out of Twitter before using our online service and delete his cookies.

12.5.2.           Pinterest offers the possibility to unsubscribe from targeted adverts at https://help.pinterest.com/en/articles/personalization-and-data.

12.5.3.           Twitter offers you the possibility to view data that Twitter has determined from inferences from your activity on and outside of Twitter under https://twitter.com/your_twitter_data.

13.                  Rights of the Persons Concerned

If personal data concerning you is processed, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:

13.1.              Right of Information

13.1.1.           You can demand confirmation from the data controller whether personal data concerning you will be processed by us.

13.1.2.           If such processing has taken place, you can demand the following information from the data controller:

(1)        the purposes for which the personal data is processed;

(2)        the categories of personal data processed;

(3)        the recipients or categories of recipients to whom the personal data concerning you has been disclosed or is still being disclosed;

(4)        the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;

(5)        the existence of a right to have the personal data concerning you rectified or deleted, a right to have the processing restricted by the data controller or a right to object to such processing;

(6)        the existence of a right of appeal to a supervisory authority;

(7)        any available information on the origin of the data if the personal data is not collected from the data subject;

(8)        the existence of automated decision-making, including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

13.1.3.           You have the right to request information as to whether the personal data concerning you is transmitted to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees according to Art. 46 GDPR in connection with the transmission.

13.2.              Right to Rectification

13.2.1.           You have a right to rectification and/or completion vis-à-vis the data controller if the processed personal data concerning you is incorrect or incomplete. The data controller shall make the correction immediately.

13.3.              Right of Restriction of Processing

13.3.1.           Under the following conditions, you may demand that the processing of personal data concerning you be restricted:

(1)        if you dispute the accuracy of the personal data concerning you for a period of time that enables the data controller to verify the accuracy of the personal data;

(2)        the processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;

(3)        the data controller no longer needs the personal data for the purposes of processing, but you do need them to assert, exercise or defend legal claims, or

(4)        if you have filed an objection to the processing in accordance with Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the data controller outweigh your reasons.

13.3.2.           If the processing of personal data concerning you has been restricted, such data may only be processed – apart from being stored – with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.

13.3.3.           If the processing has been restricted according to the above conditions, you will be informed by the data controller before the restriction is lifted.

13.4.              Right to Erasure

13.4.1.           You may demand that the data controller erase the personal data relating to you immediately and the data controller is obliged to erase this data immediately if one of the following reasons applies:

(1)        The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.

(2)        You revoke your consent on which the processing was based in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for processing.

(3)        You file an objection against the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing in accordance with Art. 21 (2) GDPR.

(4)        The personal data concerning you has been processed unlawfully.

(5)        The erasure of personal data concerning you is necessary to fulfil a legal obligation under European Union law or the law of the Member States to which the data controller is subject.

(6)        The personal data concerning you has been collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

13.5.              Information to Third Parties

If the data controller has made the personal data concerning you public and is obliged to erase it in accordance with Art. 17 (1) GDPR, he shall take appropriate measures, including technological measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

13.6.              Exceptions

The right to erasure does not exist insofar as the processing is necessary

(1)        for the execution of the right of expression and information;

(2)        for fulfilling a legal obligation required for processing under the law of the European Union or of the Member States to which the data controller is subject or for the performance of a task in the public interest or for executing official authority conferred on the data controller;

(3)        for reasons of public interest in the field of public health according to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;

(4)        for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR, insofar as the law referred to under a) is likely to render impossible or seriously impair the attainment of the objectives of such processing, or

(5)        for asserting, executing or defending legal claims.

13.7.              Right to Information

13.7.1.           If you have exercised your right to have the data controller correct, delete or restrict the processing, he is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.

13.7.2.           The data controller has the right to be informed about such recipients.

13.8.              Right of Data Portability

13.8.1.           You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to transfer this data on to another data controller without obstruction by the data controller to whom the personal data was provided, provided that

(1)        processing is based on consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and

(2)        processing is carried out using automated procedures.

13.8.2.           In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technologically feasible. The freedoms and rights of other persons must not be affected by this.

13.8.3.           The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the execution of official power conferred on the data controller.

14.                  Right of Objection

14.1.               You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

14.2.               The data controller will no longer process the personal data concerning you, unless he can substantiate legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

14.3.               If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing.

14.4.               If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

14.5.               You have the possibility to exercise your right of objection in connection with the use of the information society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

15.                  Right of Revocation of the Data Protection Declaration of Consent

You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

16.                  Automated Decision in Individual Cases Including Profiling

You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision

(1)        is necessary for the conclusion or performance of a contract between you and the data controller,

(2)        is admissible by law of the European Union or of the Member States to which the data controller is subject and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or

(3)        is made with your express consent.

16.1.               However, these decisions may not be based on special categories of personal data in accordance with Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

16.2.               In the cases referred to in (1) and (3), the data controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person on the part of the data controller, to state your own position and to challenge the decision.

17.                  Right to Complain at a Supervisory Authority

17.1.               Without prejudice to any other administrative law or legal action, you have the right to appeal to a supervisory authority, in particular in the Member State where you are staying, working or the alleged infringement has taken place, if you believe that the processing of personal data concerning you is contrary to the GDPR.

17.3.               The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of legal action under Art. 78 GDPR.