Privacy policy

 

 

I. Name and address of the responsible person

The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Thomaseth GmbH

Management: Sina Thomaseth

Deutenbacher Str. 9
D-90453 Nürnberg

​E-mail: info@thomaseth-fashion.com

Telephone: +49 (0)911 632 02 62

II. General information on data processing

  1. Scope of the processing of personal data

As a matter of principle, we collect and use personal data of our users only to the extent that this is necessary for the provision of a functional website as well as our contents and services. The collection and use of our users’ personal data regularly only takes place with the user’s consent. An exception applies in those cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by legal regulations.

  1. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) 1 lit. (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) 1 lit. (b) DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 1 lit. c DSGVO serves as the legal basis.

In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) (d) DSGVO serves as the legal basis. 1 lit. (d) DSGVO serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 1 lit. f DSGVO serves as the legal basis for the processing.

  1. Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. In addition, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

 

III. Provision of the website and creation of log files

  1. Description and scope of data processing

 

Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer.

The following data is collected:

Log files store, among other things, the

IP address,

the browser used,

time and date

and the system used by a site visitor.

We only store anonymised IP addresses of website visitors. At the web server level, this is done by storing an IP address <123.123.123> an IP-address < 23.123.123.XXX> in the log file by default instead of the visitor’s actual IP address, for example, where XXX is a random value between 1and 254. It is no longer possible to establish a personal reference.

The data is also stored in the log files of our system. Not affected by this are the IP addresses of the user or other data that enable the data to be assigned to a user. This data is not stored together with other personal data of the user.

 

  1. Legal basis for data processing

The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f DSGVO.

  1. Purpose of data processing

 

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f DSGVO.

  1. Duration of storage

 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case 14 days after the respective session has ended.

  1. Possibility of objection and removal

 

The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility for the user to object.

 

IV. Use of cookies

  1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user calls up a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:

(1) language settings

(2) items in a shopping cart

(3) log-in information

 

  1. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f DSGVO.

  1. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.

We need cookies for the following applications:

Provider/Service: Borlabs Cookie

Cookie name: borlabs-cookie

Purpose: Stores the visitor’s preferences selected in the Borlabs Cookie box.

Duration: 6 months

Provider/Service: WordPress

Cookie name: wordpress_sec_*

Purpose: To protect against hackers stores the account data as a hash.

Duration: Current session

Provider/Service: WooCommerce

Cookie-Name: wp_woocommerce_session_*

Purpose: The cookie contains information that identifies the customer and the session expiration time. For guest buyers, this is a randomly generated cryptographically strong ID.

Duration: 2 days

Provider/Service: WooCommerce

Cookie-Name: woocommerce_cart_hash

Purpose: Saves the items in the shopping cart.

Duration: Current session

Provider/Service: WooCommerce

Cookie-Name: woocommerce_items_in_cart

Purpose: To save items in the shopping cart.

Duration: Current session

Provider/Service: WPML

Cookie-Name: wp-wpml_current_language

Purpose: Stores the language used by the user

Duration: 1 day

:

The user data collected through technically necessary cookies are not used to create user profiles.

These purposes also constitute our legitimate interest in processing the personal data in accordance with Art. 6 1 lit. f DSGVO.

  1. Duration of storage, possibility of objection and elimination

Cookies are stored on the user’s computer and transmitted by the user to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

 

V. Google Web Fonts

 

  1. Description and scope of data processing

 

This site uses so-called web fonts (http://www.google.com/webfonts), which are integrated locally, for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly. If your browser does not support web fonts, a standard font is used by your computer.

  1. Legal basis for data processing

The legal basis is Art. 6 para. 1 lit. f DSGVO.

  1. Purpose of data processing

 

The integration of Google Web Fonts enables an appealing design of our homepage, a visually improved presentation of our texts and improves the loading time of our homepage, since Google Web Fonts are transferred to the cache of your browser to avoid multiple loading.

In these purposes also lies our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f DSGVO.

  1. Duration of storage, objection and removal options

 

You can set your browser so that the fonts are not loaded from the Google servers (e.g. by installing add-ons like NoScript or Ghostery for Firefox). If your browser does not support Google Fonts or you disable access to Google servers, the text will be displayed in the system’s default font.

Information on the data protection conditions of Google Web Fonts is available at: https://developers.google.com/fonts/faq#Privacy

General information on data protection is available in the Google Privacy Center at: http://www.google.com/intl/de-DE/privacy/

You can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by deactivating cookies in your browser.

You can find further information at https://www.google.com/policies/privacy/

VI. Social media

 

  1. Facebook

 

This website uses a link to Facebook. The links are recognizable by the Facebook logo.

 

a. Description and scope of data processing

 

Our homepage links to our page on Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), to communicate with customers, prospects and users. With respect to data processing, Facebook and we are joint data controllers within the meaning of Art. 26 para. 1 GDPR. Our mutual obligations resulting from the joint responsibility are set out in an agreement between Facebook and us, the so-called “Page Insights Supplement Regarding the Responsible Party”. This agreement can be viewed here: https://www.facebook.com/legal/terms/page_controller_addendum.

We statistically evaluate how you use our fan page. For this purpose, we receive extensive statistics on the use of our Facebook pages, the so-called “Facebook Insights”, which, however, do not contain any personal data. You can find more information about Facebook Insights at: https://www.facebook.com/legal/terms/information_about_page_insights_data.
We do not create profiles on individual users.

We use the statistics to adapt our fan page to the user needs . For this purpose, we use the interests of the users evaluated by Facebook and resulting from the statistics. For this purpose, Facebook uses cookies, among other things, as follows

  • Setting and reading of a cookie and subsequent processing of personal data, including in the form of linking usage data to statistics (so-called insights) by means of the datr cookie.
  • Setting and reading a cookie and subsequent processing of personal data in the form of linking usage data for profiling and advertising purposes by means of the fr cookie, among others.
  • Saving and reading a cookie and subsequent processing of personal data in the form of linking the usage data with the information on statistics (so-called insights) previously deposited by the registered user in the context of the registration process by means of the c_user cookie.

Information is available at https://de-de.facebook.com/policies/cookies/

 

b. Legal basis for the processing of personal data

 

The legal basis is our legitimate interest in informing users and communicating with users pursuant to Art. 6 para. 1 S. 1 lit. f) DSGVO. If you communicate with us via Facebook, the legitimate interest in answering your inquiry lies in accordance with Art. 6 para. 1 S. 1 lit. f DSGVO. If your request is aimed at the conclusion of a contract or the implementation of pre-contractual measures, the additional legal basis for the processing is Art. 6 para. 1 S. 1 lit. b DSGVO. (see above).

c. Duration of storage, possibility of objection and elimination

Personal data from the contact request will be deleted if further storage is not necessary. This is the case when the circumstances indicate that the matter in question has been conclusively clarified and the conversation with the user has ended. Contract-relevant data is stored for six years (257 HGB) after termination of the contract and tax-relevant data for 10 years (§ 147 AO).

Information on the storage period of cookies at Facebook is available at https://de-de.facebook.com/policies/cookies/

You can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically.

d. Transfer to third countries

Data processing may also take place outside the EU or the EEA, namely in particular on Facebook servers located in the USA. This may give rise to risks for users because, for example, it could make it more difficult to enforce users’ rights. The standard contractual clauses for the transfer of personal data to third countries in accordance with the GDPR, which were approved by the European Commission in its Decision 2021/914 of June 4, 2021, apply to the transfer of data; (https://de-de.facebook.com/legal/EU_data_transfer_addenDum )

  1. Instagram

 

This website uses a link to Instagram. The links are recognizable by the Instagram logo.

 

a. Description and scope of data processing

 

This website uses a link to Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA).

Our mutual obligations arising from shared responsibility are set forth in an agreement between Facebook and us, called the “Page Insights Amendment Regarding the Responsible Party.” This agreement can be viewed here: https://www.facebook.com/legal/terms/page_controller_addendum.

We would like to point out that you use this Instagram page and its functions on your own responsibility. This applies in particular to the use of interactive functions (for example, commenting or rating).

When you visit our Instagram page, Instagram collects, among other things, your IP address and other information that is present on your PC in the form of cookies. This information is used to provide us, as operators of the Instagram pages, with statistical information about the use of the Instagram page

When you access an Instagram page, the IP address assigned to your end device is transmitted to Instagram. When you access an Instagram page, the IP address assigned to your end device is transmitted to Instagram. According to Instagram, this IP address is anonymised (for “German” IP addresses) and deleted after 90 days. Instagram also stores information about the end devices of its users.

If you are currently logged in to Instagram as a user, a cookie with your Instagram ID is located on your end device. This enables Instagram to track that you visited this page and how you used it. This also applies to all other Instagram pages. Via Instagram buttons embedded in websites, it is possible for Instagram to record your visits to these website pages and assign them to your Instagram profile. Based on this data, content or advertising can be offered tailored to you.

You can find information on the use of cookies at: https://help.instagram.com/1896641480634370?ref=ig

The current version of Instagram’s data protection declaration can be found at the URL https://help.instagram.com/519522125107875

 

b. Legal basis for the processing of personal data

 

The legal basis is our legitimate interest in informing users and communicating with users pursuant to Art. 6 para. 1 S. 1 lit. f DSGVO. If you communicate with us via Instagram, the legitimate interest in responding to your request is based on Art. 6 para. 1 S. 1 lit. f DSGVO. If your request is aimed at the conclusion of a contract or the implementation of pre-contractual measures, the additional legal basis for the processing is Art. 6 para. 1 S. 1 lit. b DSGVO.

 

c. Duration of storage, possibility of objection and elimination

 

Personal data from the contact request will be deleted if further storage is not necessary. This is the case if it is clear from the circumstances that the matter in question has been conclusively clarified and the conversation with the user has ended. Contract-relevant data is stored for six years after the end of the contract (§ 257 HGB) and tax-relevant data for 10 years (§ 147 AO).

You can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

If you want to avoid Instagram collecting data about your behavior online, you should log out of Instagram or disable the “stay logged in” function, delete the cookies on your device, and exit and restart your browser. This will delete Instagram information that can directly identify you. This allows you to use our Instagram page without revealing your Instagram identifier. When you access interactive features of the page (like, comment, message, and more), an Instagram login screen appears. After any login, you will again be recognizable to Instagram as a specific user.

Instagram stores data until it is no longer needed to provide Services and Meta Products or until your account is deleted, whichever comes first. This is a case-by-case determination that depends on things like the nature of the data, why it is being collected and processed, and relevant legal or operational storage needs. For example, if you search for something on Facebook, you can access and delete this request from your search history at any time; however, the log of this search is deleted only after 6 months.

d. Sharing to third countries

 

Instagram is a global service. Through the use of Instagram, data may also be transmitted outside of the home country, including to the United States.

Data will also be transferred to Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).

 

 

VII. Registration

  1. Description and scope of data processing

 

On our website, we offer users the opportunity to register by providing personal data. The data is entered in an input mask and transmitted to us and stored. The data will not be passed on to third parties. The following data is collected as part of the registration process:

Name

Username

Password

Email address

Address

Phone number

The following data is also stored at the time of registration:

Date and time of registration

E-mail address

User ID generated in increments

Password encrypted as a hash

Activation key (Randomly generated key)

As part of the registration process, consent is obtained from the user to process this data.

  1. Legal basis for data processing

 

The legal basis for the processing of data is Art. 6 para. 1 lit. a DSGVO if the user has given his consent. 1 lit. a DSGVO.

  1. Purpose of data processing

Registration of the user is necessary for the provision of certain content and services on our website, which include the contractual data, orders, account details for the purpose of carrying out the business relationship.

  1. Duration of storage

 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

This is the case for the data collected during the registration process, if the registration on our website is cancelled or modified.

  1. Possibility of objection and removal

 

As a user, you have the option to cancel the registration at any time. You can have the data stored about you changed at any time.

Please send us a message for this purpose.

VIII. Contact button and e-mail contact

  1. Description and scope of data processing

There is a contact button on our website which can be used to contact us electronically. If a user takes advantage of this option, he or she will be directed to his or her email programme and the contact data entered in the email will be transmitted to us and stored. These data are usually:

First name and surname

Email address

Alternatively, it is possible to contact us via the e-mail address provided. In this case, the user’s personal data transmitted with the e-mail will be stored.

It does not pursue in this context any disclosure of data to third parties. The data is used exclusively for the processing of the conversation.

  1. Legal basis for data processing

 

The legal basis for the processing of data is Art. 6 para. 1 lit. a DSGVO if the user has given his or her consent. 1 lit. a DSGVO.

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f DSGVO. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.

  1. Purpose of data processing

 

The processing of personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the submission process are used to prevent misuse of the contact form and to ensure the security of our information technology systems.

  1. Duration of storage

 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.

In the event that a contract is concluded, the data is stored in accordance with the statutory retention periods of 6 or 10 years.

  1. Possibility of objection and elimination

 

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

In this case, please send us a message.

All personal data stored in the course of contacting us will be deleted in this case.

XI. Google Analytics

  1. Description and scope of data processing

This website uses Google Analytics, a web analytics service provided by Google, Inc. („Google“). The use is made on the basis of Art. 6 para. 1 S. 1 lit. f. DSGVO. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website such as

  • Browser type/version,
  • operating system used,
  • Referrer URL (the previously visited page),
  • Host name of the accessing computer (IP address),
  • Time of the server request,

are usually transferred to a Google server in the USA and stored there. The IP address transmitted by your browser as part of Google Analytics is not merged with other data from Google. We have also extended Google Analytics on this website with the code “anonymizeIP”. This guarantees the masking of your IP address so that all data is collected anonymously. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

When calling up our website, the user is informed about the use of cookies for analysis purposes and his or her consent to the processing of personal data used in this context is obtained. In this context, a reference to this privacy policy is also made.

  1. Legal basis for data processing

The legal basis is Art. 6 para. 1 lit. a DSGVO.

  1. Purpose of data processing

The analysis cookies are used to evaluate the use of the website, to compile reports about the website activities and to provide further services to the visitor related to the website use and internet use as well as to be able to optimize the website to the visitor behavior and to increase the findability.

  1. Duration of storage, objection and removal options

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent the collection by Google Analytics by clicking on this link. Please add. An opt-out cookie will be set that prevents future collection of your data when visiting this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. [Note. You can find information on how to integrate the opt-out cookie at: https://developers.google.com/analytics/devguides/collection/gajs/?hl=de#disable].

We continue to use Google Analytics to analyze data from Double Click cookies and also AdWords for statistical purposes. If you do not wish to do so,you can deactivate this via the Ads Preferences Manager http://www.google.com/settings/ads/onweb/?hl=de).

X. Encryption

This site uses SSL encryption for security reasons and to protect the transmission of all content.

You can recognize an encrypted connection by the fact that the browser address bar changes from “http://” to “https://” and by the lock symbol in your browser line.

We also offer the option of sending encrypted e-mails to us via DATEV eG. For this purpose, we will send you a corresponding e-mail with the encryption details upon request.

 

 

XI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

  1. Right of access

You may request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing is taking place, you may request the controller to provide you with the following information:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data which are processed;

(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;

(4) the envisaged duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the duration of the storage;

(5) the existence of a right to rectify or erase the personal data concerning you, a right to have the controller restrict the processing, or a right to object to such processing;

(6) the existence of a right of appeal to a supervisory authority;

(7) any available information on the origin of the data, if the personal data are not collected from the data subject;

(8) the existence of automated decision making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to. Article 46 of the GDPR in connection with the transfer.

  1. Right to rectification

You have a right to rectification and/or completion vis-à-vis the data controller, insofar as the personal data processed concerning you are inaccurate or incomplete. The controller must carry out the rectification without delay.

  1. Right to restriction of processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;

(3) the controller no longer needs the personal data for the purposes of processing, but you need them for the assertion, exercise or defense of legal claims; or

(4) if you object to the processing pursuant to Art. 21 para. 1 DSGVO and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data relating to you has been restricted, this data – apart from being stored – may only be used with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

  1. Right to erasure

a. Obligation to delete

You may request the controller to delete the personal data concerning you without undue delay, and the controller is obliged to delete such data without undue delay, if one of the following reasons applies:

(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You withdraw your consent on which the processing was based pursuant to Art. 6 par. 1 lit. a or Art. 9 para. 2 lit. a DSGVO and there is no other legal basis for the processing.

(3) You object to the processing pursuant to Art. 21 par. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. Art. 21 par. 2 GDPR to object to the processing.

(4) The personal data concerning you have been processed unlawfully.

(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

(6) The personal data concerning you have been processed in relation to information society services offered pursuant to Art. 8 para. 1 DSGVO collected.

Information to third parties

If the controller has made the personal data concerning you public and is responsible pursuant to. Art. 17 par. 1 GDPR it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to, or copies or replications of, that personal data.

Exceptions

The right to erasure does not exist insofar as the processing is necessary to

(1) to exercise the right to freedom of expression and information;

(2) compliance with a legal obligation to which the processing is subject under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest. or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the field of public health pursuant to Art. 9 par. 2 lit. h and i and Art. 9 para. 3 GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 par. 1 GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or

(5) for the assertion, exercise or defence of legal claims.

  1. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the data controller.

  1. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

(1) the processing is based on consent pursuant to. Art. 6 par. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to. Art. 6 par. 1 lit. b DSGVO is based and

(2) the processing is carried out with the aid of automated procedures.

In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  1. Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 lit. e or f DSGVO; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

  1. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

  1. Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the controller,

(2) is permitted by legislation of the Union or the Member States to which the controller is subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests; or

(3) is done with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 DSGVO, unless Art. 9 para. 2 lit. (a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the controller shall take reasonable steps to safeguard the rights and freedoms of, and the legitimate interests of, the data subject, which shall include, at least, the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.

  1. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.