DATA PRIVACY STATEMENT

I. Name and Address of the Data Controller

In terms of the General Data Protection Regulation and other national data protection laws of the EU member states and other data protection-related regulations, the data controller is:

EDAG aeromotive GmbH
Robert-Bosch-Straße 7A
85053 Ingolstadt
Germany

Tel.: +49 8458 3238-0
Fax: +49 8458 3238-29

E-Mail: info-aeromotive[at]edag.com
Website: www.edag-aeromotive.com

II. Name and Address of the Data Protection Officer

The data protection officer responsible can be contacted at the following:

INTARGIA Managementberatung GmbH
Dreieich Plaza 2a
63303 Dreieich

E-mail: datenschutz[at]edag.com

III. General Data Processing Information

1. Extent to which and purpose for which personal data is processed
We only ever collect and use personal data of our users to the extent to which this is necessary to provide a fully functional website and our contents and services. The regular collection and use of personal data of our users is only ever made with the user’s consent (insofar as legally required). One exception to this rule applies in cases in which, for factual reasons, it is not possible to obtain the user’s prior consent, or in which, according to applicable data protection legislation, the processing of this data is permitted on other legal grounds.

2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject to process his or her personal data, Art. 6 para. 1 p. 1 point a of the EU General Data Protection Regulation (GDPR) shall serve as the legal basis for the processing of personal data.

Art. 6 para. 1 p. 1 point b of the GDPR shall serve as the legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is party. This shall also apply to processing necessary for the performance of pre-contractual measures.Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 para. 1 p. 1 point c of the GDPR shall serve as the legal basis.

Should it be necessary to process personal data in order to protect the vital interests of the data subject or another natural person, Art. 6 para. 1 p. 1 point d of the GDPR shall serve as the legal basis.

Should processing be necessary to protect the legitimate interests of our company or a third party and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, then Art. 6 para. 1 p. 1 point f of the GDPR shall serve as the legal basis for processing.

3. Data erasure and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose for which it has been saved ceases to apply. Further, data may also be stored if provided for by European or national legislators in Union directives, laws or other regulations, to which the data controller is subject. The data will also be deleted or blocked at such time as the storage period prescribed by the designated standards expires, unless it is necessary for the data to be stored for a further period for the conclusion or performance of a contract.

IV. Provision of the Website and Creation of Log Files

1. Description and extent of data processing
Every time our website is accessed, our system automatically acquires data and information from the computer system of the calling computer.

The following data is collected:

  • The user’s IP address
  • Date and time of access.
  • Page opened / name of file opened
  • Web browser and enquiring domain
  • Amount of data transferred
  • Browser used
  • Operating system used
  • Message stating whether access was successful or not

The data is also stored in the log files of our system. This data is not stored with other personal data of the user.

2. Legal basis for data processing
Art. 6 para. 1 p. 1 point f of the GDPR is the legal basis for the temporary storage of the data and the log files.

3. Purpose of data processing
The temporary storage of the IP address by the system is necessary in order to be able to deliver the website to the user’s computer. To this end, the user’s IP address must be stored for the duration of the session.

Data is stored in log files to ensure that the website functions properly. In addition, the data serves to optimize the website and to guarantee the security of our IT systems. No data evaluation is carried out for marketing purposes in this context.

These purposes are also in our legitimate interests in data processing under Art. 6 para. 1 p. 1 point f of the GDPR.

4. Storage duration
Data is deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data being collected in order to make the website available, this is the case when the session is terminated.

In the case of data stored in log files, this is the case after a maximum of seven days. Storage beyond this point in time is possible. In this case, the user’s IP address will be deleted or distorted, so that it can no longer be attributed to the accessing client.

5. Right to object and right of elimination
Data acquisition is essential for the provision of the website and the storage of data in log files is essential for operating the website. The user therefore has no right to object.

V. Use of Usercentrics (consent management)

1. Description and extent of data processing
We use the consent management service Usercentrics GmbH, Sendlinger Str. 7, 80331 München (hereinafter „Usercentrics“). Every time our website is accessed, our system automatically acquires data and information from the computer system of the calling computer. The following data is collected when using this service:

  • opt-in- and opt-out data
  • Referrer URL
  • User Agent
  • User settings
  • Consent ID
  • Time of consent
  • Type of consent
  • Template version
  • Banner language

2. Legal basis for data processing
Due to the legal obligation to store the aforementioned data, the legal basis is Art. 6 para. 1 p. 1 lit. c GDPR.

3. Purpose of data processing
The service is used to manage consent. This serves to comply with legal obligations, according to which data processing requiring consent may only be carried out via the website if the corresponding consent of the user has been obtained. The Usercentrics service is used to store and manage the consent obtained. This also applies in the event of revocation of the consent given.

Usercentrics is used as an contract processor. Therefore, we have concluded contract for commissioned data processing with Usercentrics in accordance with the legal requirements.

4. Storage duration; right to object and right of elimination
The storage period is the period of time during which the collected data is stored for processing. The data must be deleted as soon as they are no longer required for the specified processing purposes.

The consent data (consent given and revocation of consent) is stored for three years. The data will then be deleted immediately.

The collection and storage of the data is required by law for the operation of the website. The user therefore has no right to object.

The privacy policy of the data processor can be found here: https://usercentrics.com/de/datenschutzerklaerung/

VI. USE OF COOKIES

1. Description and extent of data processing
Our website makes use of cookies. Cookies are data files stored on the user’s computer system in or by the Internet browser. If a user accesses a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic character string that enables the browser to be clearly identified the next time the website is accessed.

We use cookies to make our website more user-friendly. Some elements of our website require the accessing browser to be identified if the user changes from one page to another.
The following data is stored and transmitted in the cookies:

(1) The user’s IP address
(2) Date and time of access
(3) Login information
(4) Amount of data transferred
(5) Enquiring domain

On our website, we also use cookies which make it possible to analyse the user’s surfing habits.

The following data can be transmitted in this way:

(1) Equipment type, model, brand, screen resolution
(2) Operating system, versions, families
(3) Browser, version, configuration, engines, plugins, language, language code
(4) Location data
(5) Provider details
(6) Pages per visit, number of visits, repeat visits, time of visit, date of visit
(7) Entry pages, exit pages, page URL, title of page, search items, downloads
(8) Search engines, search item, websites, social networks
(9) Campaigns, campaign key word

When accessing our website, the user is informed that functional cookies are used, as are cookies for analysis and marketing purposes, and a Cookie Consent Manager is used to obtain his or her consent to the processing of the personal data used in this respect. Information regarding this data privacy statement is also issued in this context.

Detailed information on how the individual cookies work, information on how long they function and details of whether third parties have access to these cookies can also be found in the Cookie Consent Manager. You can access the Cookie Consent Manager any time by clicking the corresponding button in the footer of our website.

2. Legal basis for data processing
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 p. 1 point f of the GDPR.. In this respect, we have carefully considered our interest in the use of cookies and your interest in confidentiality. In this case, our interest prevails. We are unable to provide our website without using the technically necessary cookies.

The legal basis for the processing of personal data using functional cookies and cookies for analysis and marketing purposes, provided the user’s consent for this purpose has been obtained, is Art. 6 para. 1 p. 1 point a of the GDPR.

3. Purpose of data processing
Depending on their intended use and function, we divide cookies into the following categories:

a) Technically necessary cookies
Technically necessary cookies guarantee functions without which our website cannot be be put to its intended use. These cookies are used exclusively by us, i.e. they are first party cookies. This means that all information stored in the cookies is returned to our website. Technically necessary cookies are used, for example, to ensure that users who have logged in always remain logged in when accessing various sub-pages of our website, and so do not have to re-enter login data every time they access a new page.

It is possible and permissible to use technically necessary cookies on our website without first obtaining consent. For this reason, individual technically necessary cookies cannot be activated or deactivated. These purposes are also in our legitimate interests in the processing of personal data under Art. 6 para. 1 p. 1 point f of the GDPR.  Our interest in ensuring the unobstructed provision of our website and the services it offers prevails.

b) Functional cookies
Functional cookies enable our website to store information that has already been input (such as registered name, language selection or a user’s location) and, on the basis of this information, offer improved and more personalised functions. The way in which these cookies collect and store data ensures that user behaviour on other websites cannot be tracked.

c) Performance cookies
In order to improve the website’s attractiveness, content and functionality, performance cookies collect aggregated information about how it is used. These cookies help us to determine whether, how often and how long which website subpages are visited and what content is of particular interest to users.

These cookies do not store any information that would allow the user to be identified. The information collected is aggregated, and does not allow us to directly identify the individual. The only purpose it serves is to compile statistics in order to better tailor the content of our website to the needs of our users, to improve user experience, and to optimise our range of services.

d) Marketing cookies
Marketing cookies come from external advertising companies (third party cookies) and are used to collect information about the websites visited by the user, to create targeted advertising for the user, and to display advertisements based on the user’s interests. They are also used to limit the frequency with which an advertisement appears, and to measure the effectiveness of advertising campaigns. This information may be shared with third parties, advertisers for instance.

4. Storage duration and right of elimination
Cookies are stored on the user’s computer, from which they are transmitted to our website. As the user, you therefore have complete control over the use of cookies.

Even if you have consented to the use of cookies, you can withdraw your consent at any time, with future effect. Please use one of the following options to do this:

    • You can inform us that you wish to withdraw your consent or change your settings in our Cookie Consent Manager, which can be accessed at any time via the website.
    • You can prevent cookies from being stored by adjusting your browser software accordingly; we would, however, like to draw your attention to the fact that if you do so, this might possibly result in your not being able to use all the functions offered on this website to the full.
    • Cookies which have already been stored can be removed from your settings at any time. This can also be done automatically.
    • Further, you can prevent the collection of data generated by the cookie and relating to your use of our websites (including your IP address) and the processing of this data by downloading and installing the plugin available for your browser.
    • You can also use the tools developed as part of self-regulation programs in many countries, e.g. https://www.aboutads.info/choices/ (USA) or http://www.youronlinechoices.com/uk/your-ad-choices (EU), to manage marketing cookies.

5. Forwarding of personal data
If you accept the functional cookies above and beyond those that are technically necessary, and cookies for analysis and advertising purposes, you also consent to the processing of your data in the USA pursuant to Art. 49 para. 1 p. 1 point a of the GDPR. We would like to point out that the European Court of Justice regards the US as a country with a level of data protection that is insufficient by EU standards. In view of this fact, no other suitable data protection safeguards exist. There is therefore a risk of your data being processed by U.S. authorities for control and monitoring purposes, possibly without the possibility of legal recourse. If you do not want this to happen, click Refuse.

VII. REGISTRATION FOR APPLICANT LOGIN

1. Description and extent of data processing
On the external website of the EDAG GROUP (https://www.edag.com/en/career/jobs-application/job-advertisements), we offer users the opportunity to register on our recruiting portal; when using this, they are required to provide personal data. The data is entered in an input mask, transmitted to us, and stored. There is no disclosure of data to third parties. The following data is collected during the registration process:

(1) Title
(2) Name, First name
(3) E-Mail
(4) Phone
(5) Nationality
(6) Date of Birth

The following data is also stored at the time the registration is submitted:

(7) The user’s IP address
(8) Date and time of registration

During the registration process, we refer to the data privacy statement for applicants for further processing of the application documents.

2. Legal basis for data processing
The legal basis for the processing of data, provided the user’s consent has been obtained, is Art. 6 para. 1 p. 1 point a of the GDPR.

If the point of the application is to enter into a contract, then Art. 6 para. 1 p. 1 point b of the GDPR will serve as an additional legal basis for processing.

3. Purpose of data processing
The user must register in order to be able to use the recruiting portal.

4. Storage duration
Data is deleted as soon as it is no longer needed for the purpose for which it was collected. For the data collected during the registration procedure, this is the case when the registration on the website is closed or amended.

In the event of a rejection, the applicant data that has been uploaded is deleted no later than six months after the end of the application process. If the data subject gives the data controller his or her consent to being contacted at a later date in order to resume the application process, should another position for which he or she might be considered become available, then any data that has been transmitted is deleted at the end of a period of 24 months.

5. Right to object and right of elimination
As the user, you can cancel your registration at any time. You can amend any stored data concerning you at any time.

VIII. E-MAIL CONTACT

1. Description and extent of data processing
There is a contact form on our website, and this can be used to contact us online. Should a user make use of this option, the data entered in the input mask is transmitted to us and stored. The following data is mandatory:

(1) Your reason for contacting us
(2) E-mail address

The following optional data may also be supplied:
(3) Salutation
(4) First name
(5) Surname
(6) Street
(7) Zip code
(8) Town/city
(9) Country
(10) Company
(11) Telephone
(12) Message

The following data is also stored at the time the message is sent:

(13) The user’s IP address
(14) Date and time of registration

Your consent to the processing of this data will be requested and reference made to this data privacy statement when you send your message.

Alternatively, an e-mail address is also provided, if you prefer to contact us this way. In this case, the personal data of the user transmitted with the e-mail is stored.
In this respect, there is no disclosure of data to third parties. Such data is used solely to process the communication.

2. Legal basis for data processing
The legal basis for the processing of data, provided the user’s consent has been obtained, is Art. 6 para. 1 p. 1 point a of the GDPR.

The legal basis for the processing of data collected when an e-mail is being sent is Art. 6 para. 1 p. 1 point f of the GDPR. If the point of the e-mail contact is to enter into a contract, then Art. 6 para. 1 p. 1 point b of the GDPR will serve as an additional legal basis for processing.

3. Purpose of data processing
The sole reason for processing personal data from the input mask is to enable us to handle communication with you. If contact is established by e-mail, this also establishes a legitimate interest in processing the data.
The other personal data collected when the message is sent serve to guarantee the security of our IT systems.

4. Storage duration
Data is deleted as soon as it is no longer needed for the purpose for which it was collected. For personal data from the input mask of the contact form and data transmitted by e-mail, this is the case when a particular communication with the user is finished. Communication is finished when circumstances indicate that the matter concerned has been fully resolved.
The additional personal data collected while the message is being sent will be deleted after a period of no more than seven days has elapsed.

5. Right to object and right of elimination
The user has the right to withdraw his or her consent to the processing of the personal data at any time. If the user contacts us by e-mail, he or she can object to the storage of his or her personal data at any time. If this is the case, then the communication cannot be continued. In this case, all personal data collected as a result of contact being made will then be erased.

IX. WEB TRACKING

1. Description and extent to which personal data is processed
This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Use includes the Universal Analytics operating mode. This makes it possible for data, sessions and interaction across multiple devices to be assigned to a pseudonymised user-ID, permitting the cross-device analysis of the activities of a user.

Google Analytics makes use of “cookies”, data files which are stored on your computer and enable the use of the website to be analysed. As a rule, the information relating to your use of this website generated by the cookie is transferred to a Google server in the USA, where it is saved. If IP address anonymisation has been activated on this website, Google will truncate your IP address within member states of the European Union or other states party to the Agreement on the European Economic Area. Only in exceptional cases is the IP address transferred to a Google server in the USA and truncated there.  On behalf of the owner of this website, Google will use this information to evaluate your usage of the website, to compile reports on the website activities, and to perform further services relating to the use of the website and Internet for the website owner.

To do this, the following data concerning you is processed:

  1. The user’s IP address
  2. Date and time of access
  3. Login information
  4. Amount of data transferred
  5. Enquiring domain
  6. Equipment type, model, brand, screen resolution
  7. Operating system, versions, families
  8. Browser, version, configuration, engines, plugins, language, language code
  9. Location data
  10. Provider details
  11. Pages per visit, number of visits, repeat visits, time of visit, date of visit
  12. Entry pages, exit pages, page URL, title of page, search items, downloads
  13. Search engines, search item, websites, social networks
  14. Campaigns, campaign key word

The IP address sent by your browser via Google Analytics is not merged with other data by Google.

2. Legal basis for the processing of personal data
Provided the user’s consent has been obtained, the legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 point a of the GDPR.

3. Purpose of data processing
The purpose behind the use of the web analytics service is to analyse and make regular improvements to the use of our website. The statistics obtained enable us to improve our services and make them more interesting to you, our users. For any exceptional cases in which personal data is transferred to the USA, standard contractual clauses have been agreed with Google under the terms of the contractual arrangements.

4. Storage duration, right to object and right of elimination
Any data that is sent by Google and linked with cookies, user authentication (e.g. user ID) or advertising IDs is automatically deleted after 14 months. According to Google, data which has come to the end of its storage period is automatically deleted once a month. We draw your attention to the fact that we have no influence over how long data is stored by Google.

You are entitled to withdraw your consent at any time without affecting the admissibility of any processing carried out prior to its withdrawal. Using our Consent Manager is the easiest way to withdraw your consent.

You can prevent cookies from being stored by adjusting your browser software accordingly; we would, however, like to draw your attention to the fact that if you do so, this might possibly result in your not being able to use all the functions offered on this website to the full. Further, you can prevent the acquisition of the data generated by the cookie and relating to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin: http://tools.google.com/dlpage/gaoptout?hl=de.
Opt-out cookies prevent the future acquisition of your data when visiting this website. To prevent acquisition across multiple devices by Universal Analytics, you will have to activate the opt-out for all systems in use. Click here to set the opt-out cookie: [ga-optout text = “Deactivate Google Analytics”] This website uses Google Analytics with the “_anonymizeIp()” function. This ensures that IP addresses are processed in truncated form, making it impossible to trace them to a specific user. Should the data about you that has been collected produce a direct personal link, this is immediately blocked, so the personal data is instantly deleted.

5. Forwarding of personal data
Information on the third-party provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. The conditions of use can be found at: http://www.google.com/analytics/terms/de.html; a data privacy summary can be found at: http://www.google.com/intl/de/analytics/learn/privacy.html, and a data privacy statement at: http://www.google.de/intl/de/policies/privacy.

To this purpose, we have also entered into a data processing contract with Google.

If you accept the functional cookies above and beyond those that are technically necessary, and cookies for analysis and advertising purposes, you also consent to the processing of your data in the USA pursuant to Art. 49 para. 1 p. 1 point a of the GDPR. We would like to point out that the European Court of Justice regards the US as a country with a level of data protection that is insufficient by EU standards. In view of this fact, no other suitable data protection safeguards exist. There is therefore a risk of your data being processed by U.S. authorities for control and monitoring purposes, possibly without the possibility of legal recourse. If you do not want this to happen, click Refuse.

6. Google Tag-Manager
We use Google Tag Manager. Google Tag Manager is a solution that enables marketers to manage website tags via one interface. The Tag Manager tool itself (which implements the tags) is a service that can collect personal data by setting cookies. The tool triggers other tags that under certain circumstances may themselves collect data. Google Tag Manager does not access this data. If deactivation has been effected at domain or cookie level, it will remain in force for all tracking tags implemented with Google Tag Manager. Google’s privacy policy for this tool can be found here: http://www.google.de/tagmanager/use-policy.html

Click here for exclusion from data collection by the Google Tag Manager.
Collection by Google Tag Manager is enabled. DISABLE

X. USE OF GOOGLE WEB FONTS

1. Description and extent of data processing
We use the web fonts provided by Google and downloaded to our local server to ensure that font types are shown consistently. To this end, the required web fonts are loaded into your browser cache so that texts and fonts are displayed correctly. If your browser does not support web fonts, a default font from your computer is used.

No cookies are set when you call up the page. Also, no direct connection to Google’s servers is established, as the fonts are integrated locally into our website.

2. Legal basis for data processing
Due to our legitimate interest in fonts being shown consistently, Art. 6 para. 1 p. 1 point f of the GDPR is the legal basis for processing.

3. Purpose of data processing
Google Web Fonts is a freely available library of over 800 fonts. Google Web Fonts allows us to present our website to the user in an attractive design and in the same quality across all devices. This is the only way of making it technically possible for all visitors to our homepage to have a consistent and pleasant user experience.

This is also a legitimate interest within the meaning of Art. 6 para. 1 p. 1 point f of the GDPR.

4. Storage duration, right to object and right of elimination
Data is stored for as long as it is needed for the purpose for which it was collected. You have the option of objecting to the use by changing your browser settings.

XI. USE OF FONTAWESOME

1. Description and extent of data processing
We use the Fontawesome function of Fonticons, Inc. to ensure that font types are shown consistently. This is downloaded locally to our servers and retrieved from them when the page is accessed. To this end, the required fonts and icons are loaded into your browser cache so that texts and fonts are displayed correctly. If your browser does not support Fontawesome fonts, a default font from your computer is used.

No cookies are set when you call up the page.  Also, no direct connection to Fonticons’ servers is established, as the fonts are integrated locally into our website.

2. Legal basis for data processing
Due to our legitimate interest in fonts being shown consistently,  Art. 6 para. 1 p. 1 point f of the GDPR is the legal basis for processing.

3. Purpose of data processing
Fontawesome is a freely available library of fonts and icons, and allows us to present our website to the user in an attractive design and in the same quality across all devices. This is the only way of making it technically possible for all visitors to our homepage to have a consistent and pleasant user experience.
This is also a legitimate interest within the meaning of Art. 6 para. 1 p. 1 point f of the GDPR.

4. Storage duration, right to object and right of elimination
Data is stored for as long as it is needed for the purpose for which it was collected. You have the option of objecting to the use by changing your browser settings.

XII. ONLINE PRESENCE IN SOCIAL MEDIA

We maintain online presences within social networks in order to communicate with any customers, interested parties and users active there, and to inform them about our services. In this context, only simple links are used, or only social media plug-ins that do not establish any connection to the network in question when the page is loaded. This is the difference between the social media plug-ins used here and the the widespread Like buttons, which transmit data to the social networks as soon as the page is loaded, without the button having to be clicked. Additional information on the processing of data can be found in the following social media data privacy statement.

XIII. USE OF CLOUDFLARE

1. Description and extent of data processing
We use the CDN Cloudflare (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA), to increase the speed and security of our website. This is done through a Content Delivery Network (CDN) which creates copies of our websites and distributes them on Cloudware’s servers. Using a load balancing system, a large part of our website is then made available to the visitor from the server that, on the basis of workload and proximity to the visitor, is able to do so the fastest.

Cloudflare also offers various security services such as DDoS protection or the web application firewall.

In order to implement Cloudflare’s CDN services, the following data concerning you is processed:

  • Data of the retrieved web page
  • The browser type used
  • The operating system,
  • The referrer URL,
  • The IP address
  • The requesting provider

2. Legal basis for data processing
The legal basis for the processing of data once you have given your consent is Art. 6 para. 1 sentence 1 point a of the GDPR. Consent is voluntarily given. We would like to point out, however, that if it is not given, the performance of our website may be impaired for you.

3. Purpose of data processing
We need to use CDN Cloudflare to provide you with the best and fastest possible service on our website (e.g. by reducing loading times) and moreover to make our website more secure and protect it from attacks.

4. Storage duration, right to object and right of elimination
Data is stored for as long as it is needed for the purpose for which it was collected – as a rule up to 7 days. You have the option of objecting to the use by changing your browser settings.

5. Forwarding of Personal Data
Cloudflare also processes your personal data in the USA. With your consent to the integration of the functions, you also consent to the processing of your data in the USA pursuant to Art. 49 para. 1 sentence 1 point a of the GDPR. We would like to point out that the European Court of Justice regards the US as a country with a level of data protection that is insufficient by EU standards. In view of this fact, no other suitable data protection safeguards exist. There is therefore a risk of your data being processed by U.S. authorities for control and monitoring purposes, possibly without the possibility of legal recourse. If you do not want this to happen, click Refuse.

XIV. RIGHTS OF DATA SUBJECT

If personal data concerning you is processed, you are the data subject as defined in the GDPR, and have the following rights against the data controller:

1. Right to be informed
You can ask the controller to provide you with confirmation as to whether or not personal data concerning you is processed by us.

If such processing is being undertaken, you can ask the controller to provide you with information concerning the following:

(1) The purposes for which the personal data is processed;

(2) The personal data categories which are processed;

(3) The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;

(4) The planned storage duration of the personal data concerning you or, if it is not possible to provide concrete information on this point, criteria for defining the storage duration;

(5) The existence of a right to correct or delete the personal data concerning you, a right to limit processing by the controller, or a right to object to such processing;

(6) The existence of a right to lodge a complaint with a supervisory authority;

(7) All available information concerning the origin of the data, if the personal data was not acquired from the data subject him or herself;

(8) The existence of automated decision-making and profiling in accordance with Art. 22 para. 1 and 4 of the GDPR and – at least in these cases – meaningful information on the logic involved and the implications and intended impact of such processing for the data subject.
You have the right to request information on whether or not the personal data concerning you is transmitted to a third country or international organisation. In this context, you may ask for information on appropriate guarantees in accordance with Art. 46 of the GDPR relating to the transmission of data.

2. Right to rectification and completion
You have a right to have the controller correct or complete any personal data concerning you which, having been processed, is either incorrect or incomplete. The data controller must carry out any corrections without undue delay.

3. Right to restrict processing
Subject to the following conditions, you can request that processing of the personal data concerning you be restricted:

(1) If you dispute the accuracy of the personal data concerning you for a period which allows the controller to check the accuracy of the personal data;

(2) The processing is unlawful and you refuse deletion of the personal data, instead requesting that use of the personal data be restricted;

(3) The controller no longer needs the personal data for processing purposes, but you need it in order to establish, exercise or defend legal claims, or

(4) If you have filed an objection to the processing of the data in accordance with Art. 21 para. 1 of the GDPR, and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.

If the processing of the personal data concerning you has been restricted, then, storage aside, this data may only be processed with your consent (insofar as legally required), or to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of substantial public interest on the basis of Union or Member State law.

If the processing has been restricted under the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.

4. Right to deletion

a) Obligation to delete
You can ask the controller to delete the personal data concerning you without undue delay, and the controller is obliged to delete this data without delay if one of the following reasons applies:

(1) The personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.

(2) You revoke your consent, which served as the basis for processing in accordance with Art. 6 para. 1 p. 1 point a or Art. 9 para. 2 point a of the GDPR, and there is no other legal basis for the processing.

(3) You file an objection to processing in accordance with Art. 21 para. 1 of the GDPR, and there are no overriding legitimate reasons for the processing, or you file an objection to processing in accordance with Art. 21 para. 2 of the GDPR.

(4) The personal data concerning you has been unlawfully processed.

(5) Deletion of the personal data concerning you is necessary in order to ensure compliance with a legal obligation under Union or Member State law to which the data controller is subject.

(6) The personal data concerning you has been acquired in relation to the offer of information society services in accordance with Art. 8 para. 1 of the GDPR.

b) Information to third parties
If the controller has made the personal data concerning you public, and is obliged to delete such data in accordance with Art. 17 para. 1 of the GDPR, then, taking into account the technologies available and implementation costs, he – the controller – applies appropriate measures, which may also be of a technical nature, to inform the people responsible for processing personal data that, as the data subject, you have requested that they should delete all links to this personal data as well as all copies or replications of this personal data.

c) Exceptions
The data subject does not have the right to have his or her data deleted if processing is necessary

(1) to exercise the rights to freedom of expression and freedom of information;

(2) to comply with a legal obligation calling for processing on the basis of Union or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 points h and i and Art. 9 para. 3 of the GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 of the GDPR, insofar as the right set out in section a) is likely to render impossible or seriously impair the achievement of the purposes of this processing, or

(5) to establish, exercise or defend legal claims.

5. Right to information
If you have exercised your right to have the controller correct, delete or restrict the processing of your data, then the controller is obliged to inform all recipients to whom the personal data concerning you has been disclosed of such correction or deletion of the data or restriction of the processing, unless it proves impossible to do so or would involve unreasonable expense and effort.

You are entitled to have the controller inform you of these recipients.

6. Right to data portability
You have the right to receive the personal data concerning yourself with which you have provided the controller in a structured, commonly used and machine-readable format. Further, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, providing that

(1) the processing is based on consent in accordance with Art. 6 para. 1 p. 1 point a of the GDPR or Art. 9 para. 2 point a of the GDPR or on a contract in accordance with Art. 6 para. 1 p. 1 point b of the GDPR, and

(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 para. 1 p. 1 point e or f of the GDPR; this also applies to profiling based on these provisions.

The controller will no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves to establish, exercise or defend legal claims.

If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling, insofar as it is related to such direct marketing.
Should you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

In the context of the use of information society services – notwithstanding Directive 2002/58/EG – you are entitled to exercise your right to object by automated means using technical specifications.

8. Right to withdraw declaration of consent under data protection law
You have the right to withdraw your declaration of consent to the processing of personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal.

9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects that concern you or significantly affects you in a similar way. This shall not apply if the decision
(1) is necessary for entering into or the performance of a contract between you and the data controller,
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests, or
(3) is made with your explicit consent.

These decisions must not, however, be based on special categories of personal data referred to in Art. 9 para. 1 of the GDPR, unless Art. 9 para. 2 point a or g applies, and suitable measures have been undertaken to safeguard your rights and freedoms and your legitimate interests.

With regard to the cases described in points (1) and (3), data controller will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Art. 78 of the GDPR.