Data Protection Policy

Data Protection Policy


Privacy policy for the website www.toskana.de
(Status: May 2018)

Download Information sheet for real estate clients (in German language)

Privacy Policy

The company Toscana Landhäuser GmbH has summarised the conditions under which personal data are processed on this website in this data protection declaration, which meets the requirements of the General Data Protection Regulation (GDPR). In principle, use of the website www.toskana.de is possible without providing personal data. This may require settings to disable certain services mentioned in this Privacy Policy. If certain services on this website are used, personal data may be transmitted. The details can be found in the following sections of this privacy policy.

I. Some terms used in this Privacy Policy

– Data controller
Toscana Landhäuser GmbH, represented by the Managing Director, for this website – Personal data
All data relating to an identified or identifiable person, cf. Art. 4 GDPR

– Data processing operations performed without the use of automated procedures such
as collection, collection, organisation, filing, storing, adapting, modifying, reading, querying, using and disclosure by transmission, dissemination, provision, comparison, linking, deletion and destruction in connection with personal data

– Consent
Explicit statement by which the data subject indicates his or her consent to the processing of personal data

– Deletion
Complete erasure of any traces of data without them being recoverable

– Blocking
Restriction of the processing of personal data, if storage obligations or legal requirements or a possible legal prosecution prevent the responsible person from deleting personal data

– Recipient
The purpose (person, company) of the forwarding of personal data, if this applies.

II. Name and address of the responsible party

The data controller in the sense of the data protection regulations is:

Toscana Landhäuser GmbH
Friedrichstrasse 120
10117 Berlin
Germany

Managing Director: Corinna Hohmuth

Phone: +49 (0)731-967330
Fax: +49 (0)731-9673333
Email: info@toskana.de

III. Name and address of the Data Protection Officer

The company Toscana Landhäuser GmbH does not have to appoint a data protection officer according to the legal requirements of the GDPR.

IV. General information on data processing

1. Scope of personal data processing

We collect and utilise our users’ personal data only insofar as this is necessary for provision of an operational site and of our content and services. Collection and utilisation of our users’ personal data is only undertaken periodically with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for legal or circumstantial reasons and the processing of the data is permitted by law.

2. Legal basis for processing personal data

Insofar as we obtain the consent of the data subject for processing personal data, Art. 6 para. 1 (a) of the EU General Data Protection Regulation (GDPR) serves as legal basis.

In processing personal data necessary for performance of a contract to which the data subject is a party, Art. 6 para. 1 (b) of the GDPR applies as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 (c) of the GDPR applies as the legal basis. In the event that vital interests of the data subject or another natural person require a processing of personal data, Art. 6 para. 1 (d) of the GDPR applies as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 (f) of the GDPR applies as the legal basis for processing.

3. Collaboration with third parties

In the context of the processing of personal data by us, it may be that these data are transferred to third parties. These can also be our contractors. This takes place only on the basis of legal permission, you have consented to the passing on, a legal obligation provides for this or our legitimate interests according to Art. 6 para. 1 sentence 1 (f) GDPR allow this. If third parties receive personal data from us on the basis of an order processing, this transfer takes place in accordance with the terms of the contract. Art. 28 GDPR

4. Processing in third countries

It is possible that personal data may be transferred to third countries, also outside the EU, within the framework of our processing. If this is the case, this will be done on the basis of our legitimate interests, your consent, in fulfilment of existing (pre)contractual obligations or legal requirements. Where processing takes place in third countries, this is done in accordance with Art 44 GDPR, i.e. on the basis of special guarantees for compliance with the data protection level applicable in the EU, which in the USA is done, for example, through the Privacy Shield, or by observing special contractual obligations.

5. Data deletion and storage duration

The personal data of a relevant person will be deleted or blocked as soon as the purpose of storage ceases to exist. Furthermore, data may be stored if this has been provided by the European or national legislation in EU regulations, laws or other provisions to which the data controller is subject. Blocking or erasing of data will also be carried out if a storage deadline prescribed by the above-mentioned standards expires, unless data storage is a necessity for concluding or performing a contract.

V. Provision of the website and creation of log files

1. Description and scope of data processing

Every time you visit our website, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:

  1. (1) Information regarding the used browser type and version
  2. (2) The user’s operating system
  3. (3) The user’s Internet service provider
  4. (4) The IP address of the user, if applicable the previously visited website
  5. (5) Date and time of access
  6. (6) Websites from which the user’s system accesses our website
  7. (7) Websites accessed by the user’s system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for temporary storage of data and log files is Art. 6 para. 1 (f) of the GDPR.

3. Purpose of the data processing

Temporary storage of IP address by the system is necessary to enable delivery of the website to the user’s computer. To this end, the user’s IP address must remain stored for the duration of the session.

The data is stored in log files to ensure the website’s functionality. The data is also used to optimise the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes is undertaken in this context. These purposes also encompass our legitimate interest in data processing in accordance with Art. 6 para. 1 (f) of the GDPR.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collection for provision of the website, this will be undertaken once the respective session has ended.

Any data is to be stored in log files will be stored within seven days at the latest. Further storage is possible. In this case, the user’s IP addresses will be deleted or distorted, so that assignment of the accessing client is no longer possible.

5. Objection and removal option

Collection of data for provision of the website and storage of data in log files is absolutely necessary for operation of the website. Consequently, there is no option to object on the part of the user.

VI. Hosting services

We use hosting services which we make use of for the purpose of providing this website and the services associated therewith with a partner (third party and recipient of data). During hosting, personal data are processed, in particular the data from the log files, cookies, but also communication data from the contact forms etc. of affected persons. The purpose of the processing is to provide the online offer. For these purposes, our legitimate interest also lies in the processing of personal data pursuant to Art. 6 para. 1 (f) GDPR. The data will be deleted as soon as they are no longer required for the provision of the offer. Users have no right of objection. There is an agreement with the partner in accordance with Art. 28 GDPR.

VII. Use of cookies

a) Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic character string that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the requesting browser can be identified even after changing pages.

If you do not want cookies to be stored, you will be asked to deactivate the setting in your own Internet browser. Please note that in this case not all functions of the website can be used in full.

The following data is stored and transmitted in the cookies:

The following is a list of the stored data. Examples may include:

  1. (1) Language settings
  2. (2) Items in a shopping cart
  3. (3) Log-in information

In the event of using cookies that are not technically necessary:

We also use cookies on our website which enable analysis of the user’s surfing behaviour.

The following data can be transmitted in this way:

The following is a list of the data collected. For example, this can include:

  1. (1) Entered search terms
  2. (2) Frequency of page views
  3. (3) Use of website functions

The user data collected in this way is pseudonymised via technical precautions. It is therefore no longer possible to assign the data to the accessing user. The data is not stored together with users’ other personal data.

When accessing our website, users are informed by an information banner on the use of cookies for analytical purposes and referred to this data protection declaration. A note is also included in this context as to how the user can disable the storage of cookies in the browser settings.

When accessing our website, the user will be informed about the use of personal data used in this context. Reference is also made to this Privacy Policy, in this context.

b) Legal basis for the data processing

The legal basis for processing personal data using cookies is Art. 6 para. 1 (f) of the GDPR.

The legal basis for processing personal data using technically necessary cookies is Art. 6 para. 1 (f) of the GDPR.

The legal basis for processing personal data by using cookies for analytical purposes, if the user’s consent to this has been obtained, is Art. 6 Para. 1 (a) GDPR.

c) Purpose of the data processing

The purpose of using technically necessary cookies is to simplify use of websites for users. Some features of our website are not offered without the use of cookies. In this case, it is necessary that the browser be recognised even after changing the page.

We require cookies for the following applications:

The following is a list of applications. Examples may include:

  1. (1) Shopping cart
  2. (2) Applying language settings
  3. (3) Remembering search terms

The user data collected by technically necessary cookies shall not be used to create user profiles.

The analysis cookies are used to improve the quality of our website and its content. Using analysis cookies, we learn how the site is used and can constantly optimise our service.

For these purposes, our legitimate interest also lies in the processing of personal data pursuant to Art. 6 Para. 1 (f) of the GDPR.

e) Duration of storage, objection and removal option

Cookies are stored on the user’s computer and transmitted to our site. Therefore, as a user you have full control of the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all of the website’s features.

The transmission of Flash cookies cannot be prevented via the browser settings, but by changing the Flash Player settings.

VIII. Contact form and email contact as well as frames and links

1. Description and scope of data processing

There is a contact form on our website in various places that can be used for electronic contact. If a user accepts this option, the data entered in the input screen will be transmitted to us and stored. This data is: Surname, first name, email address and usually IP address of the user and date and time of registration.

During the sending process, your consent is obtained for processing data and reference is made to this privacy policy.

Alternatively, you can contact us via the provided e-mail address. In this case, the user’s personal data that is transmitted along with the email will be stored.

The data can be processed in a customer relationship management system or a comparable digital system.

2. Legal basis for data processing

The legal basis for processing the data, if the user’s consent to this has been obtained, is Art. 6 para. 1 (a) of the GDPR.

The legal basis for processing the data transferred in the course of sending an email is Art. 6 para. 1 (f) of the GDPR. If you send us an e-mail with the intention to enter into a contract with us, this creates an additional legal basis for its processing per Art. 6 para. 1 (b) GDPR.

3. The purpose of data processing

The processing of personal data in the input screen is used by us only for processing the contact. In the event of contact by email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the sending process is for preventing the misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of retention

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the contact form input mask and those sent by email, this is the case when the respective conversation has ended or when a pre-contractual measure or a contract has been linked to the establishment of contact, when this has expired and there are no more legal retention periods. The conversation will have ended when it is evident from the circumstances that the matter at hand has been conclusively resolved. We routinely review the necessity of further processing of data every two years and observe the legal retention periods.

Personal data that was additionally collected during the sending procedure will be deleted at the latest after a period of seven days.

5. Objection and removal options

The user has the option of revoking his or her consent to the processing of personal data, at any time. A user who has contacted us by email can object at any time to the storage of his or her personal data. It will not be possible to continue the conversation in this case. The revocation is made by email to info@toskana.de

All personal data stored in the course of contacting us will be deleted as a result.

Please note that our website also includes contact forms/iframes/links to external providers:

  • www.makler-empfehlung.de with the evaluations there
  • www.immowelt.de
  • www.immonet.de
  • www.ivd.net
  • www.bellevue.de
  • www.luxuryrealestate.com
  • www.ivd24.de
  • www.immobilienscout24.de

It is pointed out that personal data is also collected and processed on the websites of these providers, but we do not have access to the revocation or the cancellation option there. The data will only be forwarded for the purpose of the request made by the data subject. The legal basis for processing the personal data of users is Art. 6 para. 1 (f) of the GDPR.

IX. Google Analytics

1. Description and scope of data processing

We use Google Analytics on our website. These are operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. Google uses cookies (see above). The information generated by the collection of the cookie is transferred to a Google server in the USA and stored there. Google guarantees that the data protection regulations are observed and is certified under the Privacy Shield Agreement. We use Google Analytics with activated IP anonymisation, where the IP address is shortened. Only in exceptional cases will the full IP address be transmitted to the USA and shortened there.

2. Legal basis for data processing

The legal basis for processing is your consent under Art. 6 para. 1 (f) of the GDPR.

3. The purpose of data processing

The processing of personal data serves us to improve our online presence and to evaluate user behaviour on our website. Google uses the transmitted personal data to create evaluations of the usage behaviour on our website. In addition, other Google services are offered to us. Google does not combine the transmitted IP address or parts thereof with further personal data.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the contact form input mask and those sent by email, this is the case when the respective conversation has ended or when a pre-contractual measure or a contract has been linked to the establishment of contact, when this has expired and there are no more legal retention periods. The conversation will have ended when it is evident from the circumstances that the matter at hand has been conclusively resolved. We routinely review the necessity of further processing of data every two years and observe the legal retention periods.

Personal data that was additionally collected during the sending procedure will be deleted at the latest after a period of seven days.

5. Objection and removal options

Users can deactivate the provision of cookies in their browser. Then the functionality of the website may be limited. You can prevent the data that is generated by cookies about your use of the website from being passed on to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

Further information on the use of data for advertising purposes by Google, possible settings and objections can be found on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners/ (“Use of data by Google when using our partners’ websites or apps”), http://www.google.com/policies/technologies/ads (“Use of data for advertising purposes”), http://www.google.de/settings/ads (“Manage information Google uses to show you advertisements”) and http://www.google.com/ads/preferences/ (“Determine what ad Google shows you”).

X. Google Fonts

We integrate fonts from Google (Google FONTS). Address of the provider as under Google Analytics. Personal data can be transmitted here, see Google Analytics. For further information, please refer to our privacy policy https://policies.google.com/privacy?hl=en. There is a possibility of opt-out under following link: https://adssettings.google.com/authenticated

XI. Google Maps

We integrate maps from Google (Google Maps). Address of the provider as under Google Analytics. Personal data can be transmitted here, see Google Analytics. For further information, please refer to our privacy policy https://policies.google.com/privacy?hl=de.

There is a possibility of opt-out under the following link: https://adssettings.google.com/authenticated

XII. YouTube

We integrate the videos of the platform YouTube of the provider Google, address of the provider as under Google Analytics, on our website. Personal data can be transmitted here, see Google Analytics. For further information, please refer to our privacy policy https://policies.google.com/privacy?hl=de.

In addition, additional cookies are set when a video is played. In addition, personal data can be transmitted to YouTube and linked to an existing Google profile if you have an account there and are logged in. If you wish to prevent this transfer, please log out of your account before using the service.
There is a possibility of opt-out under the following link: https://adssettings.google.com/authenticated

XIII. Social Plug-ins

We use various social plug-ins on our website, in which personal data is collected on the one hand and forwarded to these providers on the other.

We use the following social plug-ins based on our legitimate interests (i.e. interest in analysing, optimising and operating our website economically in accordance with the Terms and Conditions of this Agreement). Art. 6 para. (f) GDPR.

1. Use of Facebook social plug-ins

Plug-ins are integrated on this website for the social network Facebook, Provider Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You can find an overview of Facebook plug-ins here: https://developers.facebook.com/docs/plugins/.

Facebook guarantees compliance with European data protection standards and is certified under the EU-US Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). If you call such a plug-in, a direct connection is established with Facebook’s servers, which can be located in Europe or the USA. The content of the plug-in is transmitted by Facebook directly to the user’s device to be integrated into the online offer. Pseudonymous usage profiles of users may be created from the processed data. We therefore have no influence on the scope of the data which Facebook collects using this plug-in and inform you according of our knowledge. Other Facebook data may be combined with this data, especially if you have a profile on the Facebook page and are logged in. However, even without a user account, your IP address and the time of access are usually stored there.

For the purpose and scope of data collection and further processing and use of data by Facebook, as well as the related rights and settings options to protect the privacy of users, please see Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

If you do not want Facebook to collect data about you via our online offer and link this to your membership data stored on Facebook, you must log out of Facebook before using our online offer and delete your cookies. More settings and ways to revoke permission to use your data for advertising purposes are available in your Facebook profile settings: https://www.facebook.com/settings?tab=ads or the US web page http://www.aboutads.info/choices/ or the EU web page http://www.youronlinechoices.com/.

The settings apply across platforms, i.e. they are applied to all devices, such as desktop computers or mobile devices.

We operate our own company page on Facebook, which we have also linked to and which you can subscribe to. There, further personal data will be collected from you.

Facebook Messenger may also be part of this service and personal data may also be collected about it.

2. Facebook Pixel

The Facebook Pixel plug-in is included on our pages. Facebook Inc, 1 Hacker Way, Menlo Park, CA, 94025 USA, is integrated. You can find an overview of Facebook plug-ins here: https://developers.facebook.com/docs/plugins/.

Facebook guarantees compliance with European data protection standards and is certified under the EU-US Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). If you call such a plug-in, a direct connection is established with Facebook’s servers, which can be located in Europe or the USA. The content of the plug-in is transmitted by Facebook directly to the user’s device to be integrated into the online offer. Pseudonymous usage profiles of users may be created from the processed data. We therefore have no influence on the scope of the data which Facebook collects using this plug-in and inform you according of our knowledge. Other Facebook data may be combined with this data, especially if you have a profile on the Facebook page and are logged in. However, even without a user account, your IP address and the time of access are usually stored there.

For the purpose and scope of data collection and further processing and use of data by Facebook, as well as the related rights and settings options to protect the privacy of users, please see Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

If you do not want Facebook to collect data about you via our online offer and link this to your membership data stored on Facebook, you must log out of Facebook before using our online offer and delete your cookies. More settings and ways to revoke permission to use your data for advertising purposes are available in your Facebook profile settings: https://www.facebook.com/settings?tab=ads or the US web page http://www.aboutads.info/choices/ or the EU web page http://www.youronlinechoices.com/.

The settings apply across platforms, i.e. they are applied to all devices, such as desktop computers or mobile devices.

3. Twitter

You can access functions and content of the Twitter service via our website. Twitter is an offering of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. It may contain content such as images, videos, texts or buttons with which you can interact on the service or subscribe to our contributions. If you are a member of Twitter, Twitter can assign the calling of contents and functions to your profile. Twitter ensures compliance with European data protection standards and is certified with the EU-US Privacy Shield Agreement.

(https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active).

You can find Twitter’s privacy policy here: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.

If you want to prevent the connection of data with your profile, you should log out of Twitter and delete your cookies before using it.

4. Google Plus

We have included Google Plus on our website. Provider is Google Inc., address of the provider as under Google Analytics. Personal data can be transmitted here, see Google Analytics. For further information, please refer to our privacy policy https://policies.google.com/privacy?hl=de.

There is a possibility of opt-out under the following link: https://adssettings.google.com/authenticated
Through interaction with this service, personal data may be collected and transmitted, in particular the IP address. And the time of the call. This may include content such as images, videos, texts and buttons with which users interact or subscribe to our contributions. If you are a member of the Google Plus platform, Google Plus can assign the above content and functions to your profile.

If you want to prevent the connection of data with your profile, you should log out of Google Plus and delete your cookies before using it.

5. Xing

We have integrated functions and contents of the Xing service on our website. The provider is XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany. This may include content such as images, videos, texts and buttons with which users interact or subscribe to our contributions. If you are a member of the Xing platform, Xing can assign the above content and functions to your profile. Xing’s privacy policy: https://www.xing.com/app/share?op=data_protection.

If you want to prevent the connection of data with your profile, you should log out of Twitter and delete your cookies before using it.

XIV. Rights of the data subject

If your personal data is processed, you are an affected person (data subject) in the meaning of the GDPR and you have the following rights with respect to the responsible party:

1. Right to information

You can request that the responsible party confirm whether we will process personal data that concerns you.

If such processing takes place, you can request the following information from the data controller:

  1. (1) the purposes for processing the personal data;
  2. (2) the categories of personal data being processed;
  3. (3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;
  4. (4) the planned storage duration of your personal data or, if specific information in that regard is not possible, criteria for determining the storage period;
  5. (5) the existence of a right of rectification or deletion of your personal data or of a restriction on processing by the data controller or of a right to oppose such processing;
  6. (6) the existence of a right of appeal to a supervisory authority;
  7. (7) any available information on the origin of the data if the personal data has not been collected from the person concerned;
  8. (8) the existence of automated decision-making, including profiling, in accordance with Article 22 Para. 1 and 4, GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the person concerned.

You have the right to request information regarding whether your personal information will be transmitted to a third-party country or an international organisation. In this respect, you can request the appropriate guarantees in accordance with Art. 46 of the GDPR in connection with the transmission.

2. The right of rectification

You have a right of rectification and/or completion with respect to the data controller if the personal data processed concerning you is incorrect or incomplete. The responsible party shall make the correction immediately.

3. The right to limitation of processing

Under the following conditions, you may request that the processing of your personal data be restricted:

  1. (1) you contest the accuracy of your personal data for a period that enables the data controller to verify the accuracy of the personal data;
  2. (2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. (3) the data controller no longer needs the personal data for processing purposes, but they are required by you for the establishment, exercise or defence of legal claims or
  4. (4) you have objected to processing pursuant to Art. 21 Para. 1 GDPR pending the verification whether the legitimate grounds of the controller overrides your reasons.

Where processing of the personal data that concerns you has been restricted, such data – apart from being stored – may be processed only with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on the grounds of an important public interest of the Union or of a Member State.

If the processing restriction has been done in accordance with the above conditions, you will be informed by the responsible party before the restriction is lifted.

4. Right to deletion

a) Obligation to delete data

You have the right to demand the deletion of your personal data from responsible party without undue delay and the data controller shall have the obligation to erase personal data without undue delay, where one of the following grounds applies:

  1. (1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. (2) You withdraw your consent on which the processing is based according to Art. 6 Para. 1 (a) or Art. 9 para. 2 (a) GDPR, and where there is no other legal ground for its processing.
  3. (3) You object pursuant to Art. 21 Para. 1 of the GDPR, and there are no overriding legitimate grounds for processing, or you submit an objection to the processing pursuant to Art. 21 para. 2 GDPR to the processing;
  4. (4) The personal data concerning you have been unlawfully processed.
  5. (5) The personal data concerning you must be deleted for compliance with a legal obligation under Union or Member State law to which the data controller is subject.
  6. (6) The personal data concerning you has been collected in relation to services offered by information society services pursuant to Art. 8 para. 1 of the GDPR.

b) Transfer of personal data to third parties

If the data controller has made personal data that concerns you public and is subject to the obligation to delete them pursuant to Art. 17 para. 1 of the GDPR, that responsible party shall take appropriate measures, including technical means, while taking into account available technology and implementation costs, to inform the parties responsible for data processing who process the personal data, that you as the person concerned have requested deletion of all links to such personal data or of copies or replications of such personal data.

c) Exceptions

The right to deletion does not exist insofar as processing is necessary

  1. (1) to exercise the right of freedom of expression and information;
  2. (2) for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the person responsible is subject or for the performance of a task in the public interest or in the exercise of official authority conferred to the person responsible;
  3. (3) for reasons of public interest in the field of public health in accordance with Art. 9 Para. 2 (h) and (i), as well as Art. 9 para. 3 of the GDPR;
  4. (4) for archiving purposes in the interest of public, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR, to the extent that the law referred to in clause (a) is likely to render impossible or seriously prejudicial the attainment of the objectives of such processing; or
  5. (5) to assert, exercise or defend legal claims;

5. Right to information

If you have exercised your right to have the responsible party correct, delete or limit the processing, this party is obliged to inform all recipients to whom the personal data that concerns you has been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.

It is your right to have the controller inform you regarding such recipients.

6. Right to data portability

You have the right to obtain your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, insofar as

  1. (1) the processing is based on consent pursuant to Art. 6 para. 1 (a) of the GDPR or Art. 9 para. 2 (a) of the GDPR or on a contract pursuant to Art. 6 para. 1 (b) GDPR and
  2. (2) the processing is carried out using automated methods.

In exercising this right, you shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the responsible party (data controller).

7. Right of objection

You have the right, for reasons arising from your specific situation, to object to the processing of personal data concerning you at any time, which is carried out in accordance with Art. 6 para. 1 (e) or (f) of the GDPR; the same applies to profiling based on these provisions.

The responsible party will no longer process the personal data that concerns you, unless the party can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data that concerns you is being processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data that concerns you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.

If you object to processing that is for direct marketing purposes, the personal data that concerns you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. The right to revoke the data protection declaration of consent

You have the right at any time to revoke your data protection declaration of consent. The withdrawal of consent shall not affect the lawfulness of processing taking place on the basis of this consent before its revocation.

9. Automated decision in individual cases, including profiling

You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner. This shall not apply if the decision:

  1. (1) is necessary for entering into, or performance of, a contract between the you and a data controller;
  2. (2) is admissible by law of the Union or of the Member States to which the person responsible is subject, and that law provides for appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
  3. (3) is based on your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9, para. 1 of the GDPR, unless Art. 9 para. 2 (a) or (g) of the GDPR and appropriate measures have been taken to protect your rights and freedom as well as your legitimate interests.

In the cases referred to in (1) and (3), the responsible party shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person on the part of the responsible party, to state his or her own position and to challenge the decision.

10. The right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of personal data that concerns you is in contravention of GDPR.

The supervisory authority with which the appeal has been filed shall inform the appellant of the status and results of the appeal, including the possibility of a judicial remedy under Art. 78 of the GDPR.