10. Details on your rights as a data subject
You can request confirmation from us on whether we process personal data concerning you. If such processing is carried out, you can request details of the following information from the controller:
- the purposes for which the personal data is processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom personal data concerning you has been or will be disclosed;
- the planned length of storage of the personal data concerning you or, if it is not possible to provide specific details of this, the criteria for determining the storage period;
- the existence of a right to the rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to this processing;
- the existence of a right to complain to a supervisory authority;
- all available information on the origin of the data, if the personal data is not collected from the data subject;
- the presence of automated decision-making including profiling in accordance with Article 22(1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved as well as the significance and the intended consequences of such processing for the data subject
You have the right to request information on whether personal data concerning you will be transferred to a third country or to an international organisation. In this regard, you can request information on the appropriate safeguards in accordance with Article 46 GDPR related to transmission.
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification immediately.
a) Duty to erase
You can ask the controller to erase personal data concerning you immediately and the controller is obliged to erase this data immediately where one of the following grounds applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and there are no other legal grounds for the processing.
- You submit an objection to the processing in accordance with Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you submit an objection to the processing in accordance with Article 21(2) GDPR.
- The personal data concerning you was processed unlawfully.
- The erasure of personal data concerning you is necessary to fulfil a legal obligation under EU law or the law of a Member State to which the controller is subject.
- The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) GDPR.
b) Disclosing information to third parties
If the controller has made personal data concerning you public and is obliged to delete it in accordance with Article 17(1) GDPR, it shall take reasonable steps, taking into account available technology and implementation costs, including technical measures, to inform controllers who are processing the personal data that you as the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.
The right to erasure is not granted if the processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfil a legal obligation which requires processing in accordance with EU law or the Member States to which the controller is subject or to perform a task that is carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons in the public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, if the right set out in (a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
- to establish, exercise or defend legal claims.
Under the following circumstances, you can request the processing of personal data concerning you to be restricted:
- for a period enabling the controller to verify the accuracy of the personal data, if you are contesting the accuracy of the personal data concerning you;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of use of the personal data instead;
- if the controller no longer needs the personal data for processing purposes, but you need it to establish, exercise or defend your legal rights, or
- if you have objected to the processing in accordance with Article 21(1) GDPR and verification of whether the controller’s legitimate grounds override your grounds is still pending.
If the processing of personal data concerning you has been restricted, this data may, with the exception of storage, only be processed with your consent or to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.
Where processing has been restricted under the aforementioned conditions, you will be informed by the controller before the restriction is lifted.
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data concerning you was disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or would involve a disproportionate effort.
You have the right vis-à-vis the controller to information on these recipients.
You have the right to receive personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, if
- the processing is based on consent in accordance with Article 6(1)(a) GDPR or Article 9 (2)(a) GDPR or on a contract in accordance with Article 6(1)(b) GDPR and
- the data is being processed with the help of automated processes.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, where this is technically feasible. The freedom and rights of others may not be adversely affected by this.
The right to data portability does not apply for the processing of personal data that is necessary to perform a task that is carried out in the public interest or in the exercise of official authority vested in the controller.
- You have the right, for reasons arising from your own particular situation, to object at any time to the processing of personal data concerning you that is performed in accordance with Article 6(1)(e) or (f) GDPR; this also applies to any profiling based on these provisions.
- The controller will no longer process the personal data concerning you, unless it can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing facilitates the establishment, exercise or defence of legal claims.
- Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
- If you object to the processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes.
- Notwithstanding Directive 2002/58/EC, you are also entitled in the context of the use of information society services to exercise your right of objection by means of automated procedures for which technical specifications are used.
10.8 Right to withdraw the declaration of consent given under data protection law in accordance with Article 7(3)
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.
10.9 Automated individual decision-making, including profiling (Article 12 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or similar significant adverse effects for you.
This does not apply if the decision
- is necessary for the conclusion or fulfilment of a contract between you and the controller,
- is permissible under the law of the EU or the Member States to which the controller is subject, and this law contains adequate measures to safeguard your rights and freedoms and your legitimate interests, or
- is made with your express consent.
However, these decisions may not be based on special categories of personal data in accordance with Article 9(1) GDPR, unless Article 9(2)(a) or (g) applies and suitable steps to protect rights and freedoms and your legitimate interests have been taken.
In the cases stated in (1) and (3), the controller will take suitable steps to safeguard rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
10.10 Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority where the complaint was lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial legal remedy in accordance with Article 78 GDPR.