Data Privacy Statement (Website) of FIDLOCK GmbH in accordance with the Provisions of the GDPR

Protecting your privacy is important to us. Therefore, we urge you to read carefully the following summary of how our websites www.fidlock.com and talks.fidlock.com work. The data privacy statement included there meets the guidelines of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). You should learn about how and why the website operator, FIDLOCK GmbH, uses personal data. Although our websites are equipped with various security precautions, absolute protection of your data cannot be guaranteed since security flaws in the internet cannot be ruled out. If you have concerns regarding the collection of your data, you will find the appropriate contact information under item 1.

 

I. Name and address of the controller

For the purposes of the GDPR, other national data protection laws of the member states, and other data protection provisions, the controller is:

FIDLOCK GmbH, Kirchhorster Straße 39, 30659 Hannover

Tel.: +49 511 961 593 10, Fax: +49 511 961 593 29

E-Mail: info@fidlock.com, Web: www.fidlock.com

If you have information requests, other requests, complaints or criticism regarding our data protection, you can contact the controller listed here.

 

II. Name and address of the Data Protection Officer

An external Data Protection Officer helps to ensure data at our company is properly protected. If you have concerns regarding the processing of your personal data, you have the option of contacting that officer directly.

The controller’s data protection officer is:

Mr. Christopher Lenz, employed by backoffice360 GmbH, Gustav-Adolf-Straße 30, 30167 Hannover

Tel.: +49 511 1247 220, E-Mail: cl@backoffice360.de

 

III. General information on data processing

1.       Extent of processing personal data

We collect and use personal data from our users only if this is needed for our content and services and to provide a functional website. We normally collect and use our users’ personal data only with their consent. This does not apply if practical circumstances prevent us from obtaining prior consent, or if we may or must process the data under statutory provisions. We will use your personal data only within our company. If personal data are forwarded to service providers as part of commissioned data processing, we will obligate those providers to comply with the GDPR and the BDSG (Federal Data Protection Act). We will pass your data on to agencies entitled to receive such information only if we are obligated to do so by law or a court order. 

2.      Legal basis for processing personal data

Legal bases for the data processing:

  • Art. 6(1)(a) GDPR: Obtaining the data subject’s consent
  • Art. 6(1)(b) GDPR: Processing to fulfill a contract to which the data subject is party, or to execute pre-contractual measures
  • Art. 6(1)(c) GDPR: Data processing to fulfill a legal obligation to which the controller is subject
  • Art. 6(1)(d) GDPR: Processing to protect vital interests of the data subject or another natural person
  • Art. 6(1)(f) GDPR: Processing is necessary to guard the legitimate interests of the controller or a third party, unless this need is outweighed by the interests or basic rights and freedoms of the data subject which require that the personal data be protected

3.      Data erasure and storage period

The data subject’s personal data will be erased or blocked as soon as the purpose of storage no longer applies. We may also store those data if such storage is provided for through the European or national legislature in the form of directives under European Union law, statutes or other provisions to which the controller is subject. The data will also be erased or blocked if a storage period prescribed by the standards mentioned expires, unless the data must be stored for longer to conclude or fulfill a contract.

4.      Obligation of employees to data privacy

The employees of Fidlock GmbH are contractually obligated to observe data privacy.

5.      Liability for encroachment by third parties

Please note that data are transmitted to us through an unencrypted connection, which might enable unauthorised third parties to gain knowledge of personal data. Fidlock GmbH will not be liable for any improper use of personal data by third parties resulting from the unencrypted connection. We strive to ensure as safe a transmission path as possible.

IV. Provision of the homepage and creation of log files

1.      Description and extent of the data processing

Whenever our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data will be collected:

  •   Information on the browser type and the version used
  •   The user’s operating system
  •   The user’s internet service provider
  •    The user’s IP address
  •    Date and time of access
  •    Websites from which the user’s system is directed to our internet site
  •    Websites which are accessed from the user’s system via our website

The data will also be stored in our system’s log files. These data will not be stored together with the user’s other personal data.

2.       Legal basis for data processing

The legal basis for storing the data and the log files temporarily is Art. 6(1)(f) GDPR.

3.      Purpose of data processing

The IP address must be temporarily stored by the system so the webpage can be delivered to the user’s computer. To do so, the user’s IP address must remain stored during the entire session.
It is stored in log files to ensure the webpage’s functionality. The data also help us optimise the webpage and ensure the security of our IT systems. In this context, the data will not be evaluated for marketing purposes.
These purposes also include our legitimate interest in data processing under Art. 6(1)(f) GDPR.

4.      Storage period

The data will be erased when they are no longer needed to attain the objective of their collection. If the data were collected to provide the webpage, they will be erased when the respective session is over.
If the data are stored in log files, this will normally last a maximum of seven days. Storage past that point is possible. In this case, the user’s IP address will be deleted or distorted so that it can no longer be allocated to the accessing client.

5.      Possibility for objection and rectification

Data must be collected for the webpage to be provided, and they must be stored in log files for the internet site to be operated. Consequently, the user may not object to this.

V. Use of cookies

1.      Description and extent of the data processing

Our website uses cookies. Cookies are text files which are stored on the user’s computer system in or by the internet browser. If the user accesses a webpage, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables an unambiguous identification of the browser when the webpage is accessed again. We use cookies to make our webpage more user-friendly. A few elements of our internet site make it necessary to identify the accessing browser even after a change of sites.

In so doing, the following data are stored and transmitted in the cookies:

  •    Language settings
  •    Login information
  •    Screen resolution

2.       Legal basis for data processing

The legal basis for using cookies to process personal data is Art. 6(1)(f) GDPR.

3.     Purpose of data processing

The purpose of using technically necessary cookies is to make it easier for the user to use webpages. A few functions of our internet site cannot be offered without the use of cookies. For these, it is necessary that the browser be recognisable again even after a change of sites.

We need cookies for the following applications:

  •    Language settings
  •    Login information
  •    Screen resolution
  •    Cookie accept (information banner)

The user data collected through technically necessary cookies is not used to create user profiles.

These purposes also include our legitimate interest in processing the personal data under Art. 6(1)(f) GDPR.

4.      Storage period; Possibility for objection and rectification

Cookies are stored on the user’s computer and transmitted from that computer to our site. Therefore, as a user you have full control over the use of cookies. By changing the settings on your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can be done automatically. If cookies are deactivated for our website, it might not be possible to use all the website’s functions to their full extent.

 

VI. Newsletter

1.      Description and extent of the data processing

Our websites allow subscribing to a newsletter free of charge. It informs you regularly about new products, events, fairs (also on FIDLOCK Talks) and other FIDLOCK related news. Therefore, the data from the input screen will be transmitted to us.

The following data will be collected:

  •    E-mail address (required specification) 
  •    First and last name (optional specification)
  •    Company name (optional specification)
  •    Region and accordingly time zone (optional specification)

Additionally, the following data will be collected during the registration: Date and time of the registration.

For statistical purposes, for the recognition of reading habits and the personalization of the content, it will be recorded if and at what time the Newsletter is opened and which links are clicked.

To process the data, your consent will be obtained during the registration procedure by a so-called double-opt-in-process and this privacy statement will be referred to. The double-opt-in-process means that you will receive an e-mail after the registration, asking you to confirm your subscription. This confirmation is required to verify whether the owner of an e-mail address was the one who registered for the newsletter.

No data will be forwarded to third parties in connection with the data processing to send the newsletter. Your data entered here will be solely used to personalize and send the newsletter. The newsletter is sent via the newsletter service provider CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany. The general privacy policy of the newsletter service provider can be reviewed here: www.cleverreach.com/en/privacy-policy/. According to Art. 28 para. 3 p. 1 of the GDPR, an order data processing contract with the newsletter service provider is in place.

We use the Google service reCaptcha to determine whether a person or a computer makes a specific entry in our contact or newsletter form. Google uses the following information to determine if you are a human being or a computer: IP address of the terminal device you are using, the website you are visiting and on which the captcha is integrated, the date and duration of the visit, the identification data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCaptcha areas and tasks for which you must identify images. The legal basis for the described data processing is Art. 6 para. 1 lit. f GDPR. There is a legitimate interest on our part in this data processing to ensure the security of our website and to protect us from automated input (attacks).

2.      Legal foundation for data processing

The legal foundation for the data processing after the registration for our newsletter and after receiving the user’s consent is Art. 6 para. 1 lit. f General Data Protection Regulation.

3.      Purpose of data processing

The user’s e-mail address is collected for the sole purpose of sending the newsletter.

The collection of other personal data during the registration process prevents the misuse of the services or the used e-mail address.

For statistical purposes, for the recognition of reading habits and the personalization of the content, it will also be recorded if and at what time the Newsletter is opened, and which links are clicked.

4.      Storage period

The data (e.g. opening and click rates) will be erased as soon as they are no longer required for the purpose for which they were collected. The other data collected during the registration process will be deleted a week after unsubscribing and/or revoking one's consent, provided legal regulations or other justified interests don't conflict with the deletion according to Art. 6 para. 1 lit. f GDPR. In such a case, the processing of the data will be limited to the purpose of fending off claims. The same applies to personal data collected during the registration process of users who started the double-opt-in-process without completing it. Deletion of the data can be individually requested any time if previous consent is confirmed concurrently.

5.     Possibility for objection and rectification

The subscription to our newsletter can be cancelled by the user at any time. For this purpose, each newsletter contains a corresponding link. This also enables the revocation of consent for the storage of collected personal data during the registration process. Moreover, cancelling the subscription, the revocation of consent, as well as the objection of storage are possible by sending an e-mail to newsletter@fidlock.com.

 

VII. Contact form and email contact

1.      Description and extent of the data processing

Various contact forms are available on our websites which can be used to contact us electronically. If a user takes advantage of this possibility, the data entered into the input mask will be transmitted to us and stored. These data are:

  •     Form of address
  •     Name
  •     Information on whether a company or private person is involved
  •     Branch
  •     Email
  •     Country
  •     Telephone
  •     Message

When the message is sent, the following data will be stored as well: Date and time of dispatch.

To process the data, your consent will be obtained during the sending procedure and this data privacy statement will be referred to. In the alternative, contact can be made via the email address provided. In this case, the user’s personal data transmitted along with the email will be stored. The data will be used exclusively to process the conversation.

2.      Legal basis for data processing

If the user’s consent has been obtained, the legal basis for processing the data is Art. 6(1)(a) GDPR. The legal basis for processing data transmitted when an email is sent is Art. 6(1)(f) GDPR. If the email contact aims to conclude a contract, an additional legal basis for the processing is Art. 6(1)(b) GDPR.

3.      Purpose of data processing

Processing the personal data from the input mask serves the exclusive purpose of helping us process the contact that is made. Making contact through email also constitutes the required legitimate interest in processing those data. The other personal data processed during the sending procedure serve to prevent misuse of the contact form and ensure the security of our IT systems.

4.     Storage period

The data will be erased when they are no longer needed to attain the objective of their collection. Personal data from the input mask of the contact form and those which were sent via email will be erased when the respective conversation with the user has ended. The conversation will end when circumstances reveal that the situation concerned has been finally cleared up. The additional personal data collected during the sending procedure will also be erased after the matter has been conclusively cleared up.

5.     Possibility for objection and rectification

The user may at any time revoke their consent to have their personal data processed. If the user contacts us through email, they can object at any time to having their personal data stored. In such a case, the conversation cannot be continued. The withdrawal of consent and objection to storage are enabled by sending an email to info@fidlock.com. In this case, all personal data that were stored when contact was established will be erased.
 

VIII. Events

1. Description and scope of data processing

We regularly offer interested parties digital events via our website Fidlock Talks. Participation in events requires a user account, which must be set up through registration.

Data collected:

  • Salutation (mandatory)
  • First and last name (mandatory)
  • Company (optional)
  • E-mail (mandatory)
  • Password (mandatory)

In addition, the date and time of registration are collected.

After completing your registration process, you will receive an e-mail in which you must confirm the creation of your user account. This so-called double opt-in procedure is necessary to prevent unwanted registrations with third-party information.

Once the user account has been set up, you can register for events on Fidlock Talks. You will receive confirmation of participation and a reminder before the start of the event by email.

The events are held via the GoToWebinar tool from LogMeIn Ireland Limited. The details of your user account will be processed by GoToWebinar for your participation and for the implementation of the event. If you participate via chat function or request to speak, this data will also be processed. The transmission and processing of video images of the participants does not take place.

Additional information about GoToWebinar can be found in the LogMeIn Trust&Privacy Center at https://www.logmein.com/trust

For Fidlock Talks, we have concluded an order processing contract with the provider LogMeIn Ireland Limited.

For completed events, we offer resources on past events in a media library.

2. Legal basis for the data processing

The legal basis for the processing of data when registering a user account and participating in events is Art. 6 para. 1 lit. a GDPR if consent has been given.

3. Purpose of the data processing

The collection of mandatory data during the registration of a user account serves to plan and organise the events and to inform interested parties. The registration itself serves to prevent misuse of the event platform.

The processing of data in the context of events serves exclusively the provision and implementation of the event.

4. Duration of the storage

The data of the user account and the registration will be stored as long as the user account is used. Upon request, the user account and the data contained therein can be deleted. Any further storage will only take place if this is required by legal provisions or if a justified interest within the meaning of Art. 6 para. 1 lit. f GDPR precludes deletion. Instead of deletion, the data may then be blocked. A legitimate interest as a purpose is limited to the possible defence of claims.

The user account will be deleted within 14 days.

Data collected during an event will only be stored for the duration of the event. Any further processing of the data will only take place with the consent of the person concerned.

5. Possibility of objection and removal

The user account can be terminated by the data subject at any time. For a deletion request, you can contact talks@fidlock.com.  This also enables the revocation of consent to the storage of personal data collected during the registration process.

 

IX. Email applications

1.      Description and extent of the data processing

Whenever you send us an email application, we will process your personal data which you make available electronically for the purposes of the application. All personal data will be treated as strictly confidential and used only to process your email application, in accordance with applicable statutory data protection provisions.

As part of your email application, we will collect and process the following personal data:

  •     Last name, First name
  •     Address
  •     Telephone number
  •     Email address
  •     Application documents (application letter, curriculum vitae, certificates, photo, etc.)

We will not transmit to any third parties the personal data and files you have transmitted to us, unless you have expressly consented to such transmission in advance or it is mandatory under the statutes.

2.      Legal basis for the data processing

The legal basis for the data processing after you send your email application is § 26(1) BDSG (Federal Data Protection Act, new version).

3.      Purpose of data processing

Your personal application data are collected and processed only to fill positions within our company. As a general principle, your data will be forwarded only to our company’s in-house offices and departments which are responsible for the specific application procedure. If your application is successful, the data and files you provide can be used for administrative matters as part of your employment.

4.      Storage period

If your application is not successful, we will store the transmitted personal data and files in our applicant database for six months, so we can answer subsequent questions about the application. The data and files will be erased after six months. This does not apply if statutory provisions oppose erasure, further storage is necessary for evidential purposes, or you have expressly consented to longer storage.

If we are currently unable to offer you a position, but your profile convinces us that your application might be of interest for future job offers, we will store your personal application data for longer than six months if you expressly consent to such storage and use.

5.       Data security

We highly value our systems’ security and use modern data storage and security technology to optimally protect your data. All systems in which your personal data are stored are protected against third-party access and accessible to only a certain group of people who are responsible for personnel.

Please note that absolute data security cannot be guaranteed during email communication.

6.      Possibility for objection and rectification

During the email application process, you may demand at any time that individual files or bits of personal data you have transmitted be erased. However, we reserve the right to store a limited quantity of your data for six months to comply with statutory provisions, especially the obligation to provide evidence under the General Equal Treatment Act (AGG). The same applies if you wish to withdraw your application.

The withdrawal of consent and objection to storage are enabled by sending an email to bewerbung@fidlock.com.

 

X. Web analysis through Google Analytics

1.      Extent of the processing of personal data

On our websites, we use the software tool Google Analytics to analyse our users’ surfing behaviour. The software places a cookie on the user’s computer (for more on cookies, see above). If individual pages of our website are accessed, the following data are stored:

  •    Two bytes from the IP address of the user’s accessing system
  •    The accessed website
  •    The website from which the user arrived at the accessed website (referrer)
  •    The subpages which are accessed from the accessed website
  •     Amount of time spent on the website
  •     How often the website is accessed
  •     Information on the browser type and the version used
  •    The user’s operating system

These websites use Google Analytics reports on demographic features, which use data from interest-based Google ads and visitor data from third-party providers (such as age, gender and interest). Those data cannot be traced to anyone in particular and can be deactivated at any time via the ad settings. The information generated by the cookie regarding your usage of these websites (including your IP address) is generally transferred to a Google server in the U.S., where it is stored. Google will use this information to evaluate your use of the websites, create reports about website activities for the website operator, and render additional services which are related to website use and internet use. Google might also transmit the information to third parties if this is prescribed by law or if third parties process these data on Google’s behalf. In no case will Google combine your IP address with other Google data. You can prevent the cookies from being stored by adjusting your browser settings accordingly, but we must point out that if you do, you will not be able to use all of this website’s functions to their full extent. The software is set so that IP addresses are not stored in their entirety, but 2 bytes of the IP address are masked (example: 192.168.xxx.xxx). This means that the truncated IP address can no longer be connected to the accessing computer.

2.      Legal basis for processing personal data

The legal basis for processing the user’s personal data is Art. 6(1)(f) GDPR.

3.     Purpose of data processing

The processing of the user’s personal data allows us to analyse that user’s surfing behaviour. By evaluating the data obtained, we can compile information about how individual components of our website are used. And this helps us to continually improve our websites and their user-friendliness. These purposes also include our legitimate interest in processing the data under Art. 6(1)(f) GDPR. Anonymising the IP address takes the user’s interest in protecting their personal data adequately into account.

4.      Storage period

After the IP address is masked or dissociated from personal reference, the data are no longer personal. Therefore, these masked IP addresses will not be erased automatically.

5.     Possibility for objection and rectification

You can also keep Google from collecting and processing the data which the cookie generates regarding your use of the websites (including your IP address) by downloading and installing the browser plug-in available under the following link (https://tools.google.com/dlpage/gaoptout?hl=en). An opt-out cookie will be placed, which prevents your data from being recorded when you visit our websites in the future. You will find more detailed information under tools.google.com/dlpage/gaoptout or www.google.com/intl/de/analytics/privacyoverview.html (general information about Google Analytics and data privacy). We wish to point out that on this website Google Analytics is extended by the code “gat._anonymizeIp();” to guarantee that IP addresses are collected in anonymised form (known as “masking”).

 

XI. Use of social media

Our internet presence uses plug-ins from various social networks (“Facebook”, “Twitter”, “Instagram”, “YouTube”, and “Xing”). The buttons bear the logo of the social network in question. When you visit our websites, the buttons are deactivated, or merely linked, so that no data will be sent to the social networks unless you click a button. Doing so will establish a direct connection to the server of that social network. If you are logged into a social network, that network provider can assign this website visit to your user account. If you don’t want this to happen, we recommend that you log out of your account in advance. Even if you are not a member of a social network, that network’s provider might learn your IP address and store it. If you don’t want this to happen, don’t click the button. FIDLOCK cannot influence how or to what extent social networks will collect, process or use data. Those networks’ data privacy statements will reveal their data privacy regulations and your rights in this regard.

 

XII. DoubleClick

DoubleClick is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). DoubleClick uses cookies to show you ads that will be relevant to you. In so doing, your browser will be assigned a pseudonymous ID number to check which ads are displayed in your browser and which were called up. The use of DoubleClick cookies enables Google and its partner websites to place ads based on prior visits to our or other websites. You can permanently deactivate this cookie under www.google.com/settings/ads/plugin. We have included YouTube videos in our online services, which are stored at www.youtube.com and can be played directly from our website. To include videos, we use the “expanded data privacy mode” of the provider YouTube. According to YouTube, no information about visitors to our websites will be stored unless they watch the video. Although we use the expanded data privacy mode, we cannot rule out the possibility that Google might place a DoubleClick cookie to serve advertising purposes. You can permanently deactivate this cookie under www.google.com/settings/ads/plugin.

 

XIII. Dissociation from links to external sources

As the content provider, FIDLOCK GmbH is legally responsible for our “own content” which we keep ready for use. And that content must be differentiated from cross-referencing links to content held by other providers. Through such cross-referencing, FIDLOCK GmbH holds “external content” ready for use which is identified on our websites. Links are dynamic references. When the external content was first linked, FIDLOCK GmbH checked it for whether it might trigger responsibility under civil or criminal law. However, the content is not periodically checked for changes which could justify any new responsibility.

 

XIV. Installation of third-party programmes

If additional programmes such as JavaScript or Flash® (Adobe) are necessary to correctly display the website or media service, you must install such programmes yourself, as a user of these websites or media services. No required software will be automatically installed without permission. However, FIDLOCK GmbH reserves the option of offering the visitor such additional programmes, but without having to obtain any consent for their installation on the visitor's computer. FIDLOCK GmbH is not obligated to display the website correctly.

 

XV. Rights of the data subject

If your personal data are processed, you are the data subject as defined by the GDPR and are entitled to the following rights toward the controller:

1. Right to information

You can demand that the controller confirm whether we are processing personal data concerning you. If this is the case, you can demand access to the following information from the controller:

  1. the purposes for which the personal data are being processed;
  2.  the categories of personal data being processed;
  3.  the recipient or categories of recipients to whom the personal data concerning them were or will be disclosed;
  4. the planned duration of the storage of the personal data concerning them, or if no specific information is available to this end, the criteria for determining the storage period;
  5. the existence of a right to have the personal data concerning them rectified or erased, a right to restrict its processing through the controller, or a right to object to that processing;
  6.  the right to complain to a supervisory authority;
  7. all available information on the origin of the data, if the personal data were not collected from the data subject;
  8.  the existence of automated decision-making, including profiling under Art. 22(1 and 4) GDPR and—at least in these cases—meaningful information about the logic involved, as well as the implications and sought-after effects such processing would have for the data subject. (Not currently used.)

You have the right to demand information on whether the personal data concerning you are transmitted to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.

2. Right to correction

If the processed personal data that concern you are incorrect or incomplete, you have the right against the controller to have them corrected, deleted, or both. The controller must undertake such correction without undue delay.

3. Right to restrict the processing

You may demand that the processing of the personal data concerning you be restricted, under the following conditions:

  1. if you dispute the correctness of the personal data concerning you, for a duration which enables the controller to check their correctness;
  2. the processing is unlawful and you waive your right to have the data deleted, instead demanding that their use be restricted;
  3. the controller of the personal data no longer needs them for the purposes of their processing, but you need them to assert, exercise or defend against legal claims, or
  4. if you have filed an objection against the processing under Art. 21(1) GDPR and it has not yet been established whether the controller’s legitimate reasons outweigh your reasons.

If the processing of the personal data concerning you has been restricted, those data—regardless of their storage—may be processed only (1) with your consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state. If the processing has been restricted according to the aforementioned conditions, the controller will inform you before that restriction is lifted.

4. Right to erasure

a. Obligation to erase

You may demand from the controller that the personal data concerning you be erased without undue delay, and the controller will be obligated to do so provided one of the following grounds applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You withdraw your consent on which the processing is based under Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
  3. You object to the processing under Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21(2) GDPR.
  4. The personal data concerning you were illegally processed.
  5. The personal data concerning you must be erased to fulfil a legal obligation under EU or member state law to which the controller is subject.
  6. The personal data concerning you were collected in regard to information society services offered pursuant to Art. 8(1) GDPR.

Information to third parties

If the controller has publicised the personal data but is obligated under Art. 17(1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

b. Exceptions

The right to erasure does not exist if the processing is necessary:

  1. to exercise the right to information and freedom of expression;
  2. to fulfil a legal obligation which requires the processing under EU or Member State law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
  3. for reasons of the public interest in the area of public health under Art. 9(2)(h and i) as well as Art. 9(3) GDPR;
  4. for purposes of archiving, academia or historical research which lie in the public interest, or for statistical purposes under Art. 89(1) GDPR, insofar as the right mentioned in section a) is expected to prevent or seriously impair the realisation of the objectives of this processing, or
  5. to establish, exercise or defend against legal claims.

5. Right to information

If you have asserted your right to rectification, erasure or restriction of the processing toward the controller, that controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or would entail a disproportionate effort. You have the right to be informed by the controller about those recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as

  1. the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and
  2. the processing occurs with the help of automated procedures.

In exercising this right, you may also have the personal data concerning you transmitted directly from one controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others. The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.

7. Right to object

You have the right to object at any time, for reasons arising from your particular situation, if personal data concerning you are processed based on Art. 6(1)(e or f) GDPR. This also applies to profiling based on these provisions. The controller will cease processing the personal data concerning you unless the controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise or defend against legal claims. If the personal data concerning you are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).

8. Right to withdraw the declaration of consent under data protection laws

You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.

9. Automatic decision-making in individual cases, including profiling

You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision

  1. is necessary to conclude or fulfil a contract between you and the controller,
  2. is permitted under EU or member state law to which the controller is subject and which stipulates reasonable measures for guarding your rights, freedoms and legitimate interests, or
  3. is made with your express consent.

However, these decisions may not be based on special categories of personal data under Art. 9(1) GDPR unless Art. 9(2)(a or g) GDPR applies and reasonable measures have been taken to protect your rights, freedoms and legitimate interests. Regarding the cases mentioned in (1) and (3), the controller must take reasonable measures to guard your rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your own point of view, and to contest the decision.

10. Right to complain to a supervisory authority

If you believe that the processing of the personal data concerning you breaches the GDPR, you have the right to complain to a supervisory authority—especially in the member state of your abode, your workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies. The supervisory authority to which the complaint is submitted will inform the complainant about the status and results of that complaint, including the possibility for judicial remedy under Art. 78 GDPR.

Competent supervisory authority:

Data Protection Authority of the State of Lower Saxony

Barbara Thiel, Prinzenstraße 5, 30159 Hannover

Phone: +49 511 120 45 00, Fax: +49 511 120 45 99, E-Mail: poststelle@lfd.niedersachsen.de

 

XVI.      Amending the data privacy statement

As the controller, we reserve the right to amend the data privacy statement at any time, with due regard to applicable data protection provisions.

 

Last revision: March 2021