Data protection declaration for website operators according to the
requirements of the GDPR
a) Newsletter tracking
If the website uses newsletter tracking, the associated data processing must be dealt with
separately. A standard of justification for data processing can be found in Art. 6 (1) (f) GDPR.
b) Blog with comment function
When operating a blog with a comment function, additional personal data (example:
pseudonyms) are stored. There is also a way to subscribe to comments. Commenting should
only be possible after obtaining consent to the processing of personal data. In this case, a
justification according to Art. 6 (1) (a) GDPR is possible.
c) Processing of special categories of personal data, Art. 9 GDPR
The processing of personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs or trade union membership, as well as the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data concerning health
or data concerning sex life or sexual orientation a natural person are strictly prohibited.
However, Art. 9 Para. 2 GDPR contains a catalog of exceptions. If website operators process
data of this type on their website, a check must be carried out in advance. The corresponding
permission standard must then be specified in the data protection declaration.
4. Ecommerce
If the website operator offers users a platform for the conclusion of contracts (e.g. purchase
or service contracts), personal data of the contractual partner is usually also collected within
the framework of the conclusion of the contract. The website operator must draw attention
to this data processing separately and in detail. Insofar as the processing of the data is
necessary for the conclusion of the contract, Art. 6 Paragraph 1 lit. b GDPR serves as the permit
standard for data processing.
I. Disclosure of Personal Information to Third Parties
A large number of websites use third-party extensions. In such implementations, personal data is
often passed on to third-party providers or transmitted automatically. The type, scope, purpose
and duration of this processing of personal data can vary from case to case. A comprehensive list
of all situations in which personal data is passed on to third parties would go beyond the scope of
this model data protection declaration. The website operator must therefore check in each
2
individual case which third-party services he uses on his website and whether personal data is
passed on in the process. Accordingly, he must include this data processing in the data protection
declaration in accordance with the specifications (A.II.).
Examples of the transfer of personal data to third parties can be:
a) Passing on to service providers
Personal data is often passed on to service providers (e.g. suppliers) when contracts are
concluded via the website in particular. However, service providers can also act solely in the
interest of the website operator (e.g. technical service).
b) Payment services and payment procedures
A special case of disclosure to service providers is the disclosure of data to payment services.
c) Third party cookies
The integration of own cookies is part of the model data protection declaration (B.V.). Cookies
from third parties are also often used. These must be described in detail. Users must be
informed of the use of third-party cookies when accessing the website. You can prevent the
storage of these cookies in the browser settings. The legal basis for the use of third-party
cookies is Article 6 (1) (f) GDPR. However, a legitimate interest in the use of the cookie must
then also be stated in individual cases.
d) Use of social media plugins
When using social media plugins, personal user data is forwarded to the providers of social
networks. According to the previous legal situation, it was recommended to only use such
plugins as part of a "two-click solution". Accordingly, the data was only transmitted with the
prior consent of the user. Even after the introduction of the GDPR, this path is viable and
probably legally secure. The legal basis for processing the data after the user has given his
consent is Article 6 (1) (a) GDPR.
3
e) Website analytics services
Website analysis services (e.g. Google Analytics or Adobe Analytics) to increase the efficiency
of your own website, which are operated by third-party providers, require data about the
website visitors to be passed on to the third-party providers. As a rule, the consent of the user
is not obtained. A justification via Art. 6 (1) lit. f GDPR is conceivable if a legitimate interest of
the website operator can be presented. However, in order to protect the interests of users in
protecting their personal data, pseudonymization of the data is advisable. In this case, nothing
will speak against the use of the analysis services and the associated transfer of the
pseudonymised data. The exact use must be documented in the data protection declaration.
f) Advertising and Marketing Services
If advertising is placed on the website, this is usually done with the involvement of third-party
providers (e.g. Google AdSense or AdWords). In most cases, the user's personal data in the
form of the IP address is passed on to the intermediaries. If the advertising is necessary to
finance the website, a justification according to Art. 6 Para. 1 lit. f GDPR appears possible.
II. Defaults for adding more elements
The addition of further elements to the model data protection declaration must state the type,
scope, purpose, duration and revocation options of the respective data processing. The structure
could be designed as follows:
1. Scope of processing of personal data
This describes in as much detail as possible which personal data is processed on the
website by whom and in what way.
2. Legal basis for processing personal data
The legal basis for the processing of personal data is stated here. As a rule, this will come
from the catalog of Art. 6 Para. 1 GDPR.
4
1. Purpose of data processing
This is a detailed description of the purposes for which the website operator is processing
personal data. If the processing is based on the norm of Art. 6 (1) lit. f GDPR, the legitimate
interest in the processing can usually also be seen here. In this case, however, it must always
be checked whether there are also more lenient means to achieve the purpose, which less
severely affect the interests of the users in the protection of their personal data.
2. Duration of storage
In principle, the data is deleted as soon as the purpose for which it was collected has been
fulfilled. However, it must be specified in more detail in individual cases when this is the case
for the specific application. If no precise information can be given, at least criteria should be
mentioned that make it easier for the user to determine the time of deletion.
3. Possibility of objection and elimination
For each data processing, the user must be given information about how the processing of
the data can be prevented or data that has already been processed can be deleted
prematurely. If the user has given his consent to the processing, it must be possible to revoke
it at any time. The revocation must not be more difficult than giving the consent. The
procedure for submitting the revocation must be described.
A. Sample data protection declaration according to the GDPR
I. Name and address of the person responsible
The person responsible within the meaning of the General Data Protection Regulation and
other national data protection laws of the member states as well as other data protection
regulations is:
Company: We-Three GmbH
Address: Hansekai 3, D-50735 Cologne, North Rhine-Westphalia, Germany
E-Mail: info@abetare.eu
Website: www.abetare.eu
5
II.Name and address of the data protection officer
The data protection officer of the person responsible is:
Veton Gashi
We-Three GmbH
Hansekai 3
50735 Köln
Germany
E-Mail: info@abetare.eu
Website: www.abetare.eu
III. General information on data processing
a. Scope of processing of personal data
In principle, we only process the personal data of our users to the extent that this is necessary
to provide a functional website and our content and services. The processing of personal data of
our users takes place regularly only with the consent of the user. An exception applies in such
cases in which it is not possible to obtain prior consent for actual reasons and the processing of
the data is permitted by statutory provisions.
b. Legal basis for processing personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6
(1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
Article 6 (1) (b) GDPR serves as the legal basis for the processing of personal data required to fulfill
a contract to which the data subject is a party. This also applies to processing operations that are
necessary to carry out pre-contractual measures.
Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company
is subject, Article 6 (1) (c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the
processing of personal data, Article 6 Paragraph 1 lit. d GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party
and if the interests, fundamental rights and fundamental freedoms of the person concerned do
not outweigh the first interest, Article 6 Paragraph 1 Letter f GDPR serves as the legal basis for the
processing.
6
c. Data Erasure and Storage Duration
The personal data of the person concerned will be deleted or blocked as soon as the purpose of
storage no longer applies. Storage can also take place if this has been provided for by the European
or national legislator in EU regulations, laws or other regulations to which the person responsible
is subject. The data will also be blocked or deleted if a storage period prescribed by the standards
mentioned expires, unless there is a need for further storage of the data for the conclusion or
fulfillment of a contract.
IV. Provision of the website and creation of log files
a. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information
from the computer system of the accessing computer.
The following data is collected here:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's internet service provider
(4) The IP address of the user
(5) Date and time of access
(6) Websites from which the user's system accesses our website
(7) Websites accessed by the user's system via our website
The data is also stored in the log files of our system. This data is not stored together
with other personal data of the user.
b. Legal basis for data processing
The legal basis for the temporary storage of the data and the log files is Article 6 (1) (f)
GDPR.
c. Purpose of data processing
Storage in log files takes place to ensure the functionality of the website. In addition, we
use the data to optimize the website and to ensure the security of our information
technology systems. An evaluation of the data for marketing purposes does not take
place in this context.
Our legitimate interest in data processing in accordance with Article 6 (1) (f) GDPR also
lies in these purposes.
7
d. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose
for which they were collected. In the case of the collection of data for the provision of
the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after seven days at the latest. Storage
beyond this is possible. In this case, the IP addresses of the users are deleted or alienated
so that it is no longer possible to assign the calling client.
V. Possibility of objection and elimination
The collection of the data for the provision of the website and the storage of the data in log
files is absolutely necessary for the operation of the website. Consequently, there is no
possibility of objection on the part of the user.
VI. Use of cookies
a) Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by
the internet browser on the user's computer system. If a user calls up a website, a cookie can
be stored on the user's operating system. This cookie contains a characteristic character string
that enables the browser to be clearly identified when the website is called up again.
We use cookies to make our website more user-friendly. Some elements of our website require
that the calling browser can be identified even after a page change.
The following data is stored and transmitted in the cookies:
(1) Language Settings
(2) Items in a shopping cart
(3) Login Information
The user data collected in this way is pseudonymized by technical precautions. It is therefore no
longer possible to assign the data to the calling user. The data is not stored together with other
personal data of the user.
8
When accessing our website, users are informed by an information banner about the use of
cookies for analysis purposes and are referred to this data protection declaration. In this context,
there is also a reference to how the storage of cookies can be prevented in the browser settings.
When accessing our website, the user is informed about the use of cookies for analysis purposes
and their consent to the processing of the personal data used in this context is obtained. In this
context, there is also a reference to this data protection declaration.
b) Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 Para. 1 lit. f GDPR.
c) Purpose of data processing
The legal basis for the processing of personal data using technically necessary cookies is Article
6 (1) (f) GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes is Article
6(1)(a) GDPR if the user has given their consent.
The purpose of using technically necessary cookies is to simplify the use of websites for users.
Some functions of our website cannot be offered without the use of cookies. For these it is
necessary that the browser is recognized even after a page change.
We need cookies for the following applications:
(1) Cart
(2) Acceptance of language settings
(3) Remembering search terms
The user data collected by technically necessary cookies are not used to create user profiles.
Analysis cookies are used to improve the quality of our website and its content. Through the
analysis cookies we learn how the website is used and can thus continuously optimize our
offer.
Our legitimate interest in the processing of personal data in accordance with Article 6 (1) (f)
GDPR also lies in these purposes.
9
d) Duration of storage, possibility of objection and removal
Cookies are stored on the user's computer and transmitted to our site. Therefore, as a user, you
also have full control over the use of cookies. By changing the settings in your Internet browser,
you can deactivate or restrict the transmission of cookies. Cookies that have already been saved
can be deleted at any time. This can also be done automatically. If cookies are deactivated for our
website, it may no longer be possible to use all the functions of the website to their full extent.
The transmission of Flash cookies cannot be prevented via the browser settings, but can
be prevented by changing the Flash Player settings.
VII. Newsletter
a. Description and scope of data processing
You can subscribe to a free newsletter on our website. When registering for the newsletter, the
data from the input mask is transmitted to us.
In addition, the following data is collected during registration:
(1) IP address of the calling computer
(2) Date and time of registration
Your consent will be obtained for the processing of the data as part of the registration process and
reference will be made to this data protection declaration.
If you purchase goods or services on our website and enter your e-mail address, this can
subsequently be used by us to send a newsletter. In such a case, only direct advertising for
your own similar goods or services will be sent via the newsletter.
There is no transfer of data to third parties in connection with data processing for sending
newsletters. The data will only be used to send the newsletter.
b. Legal basis for data processing
The legal basis for processing the data after the user has registered for the newsletter is Article
6(1)(a) GDPR if the user has given their consent.
10
c. purpose of data processing
The collection of the user's e-mail address serves to deliver the newsletter.
The collection of other personal data as part of the registration process serves to prevent
misuse of the services or the email address used.
d. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which
they were collected. The e-mail address of the user is therefore stored as long as the subscription
to the newsletter is active.
The other personal data collected as part of the registration process is usually deleted after
a period of seven days.
e. Possibility of objection and elimination
The subscription to the newsletter can be canceled by the user concerned at any time. For this
purpose, there is a corresponding link in every newsletter.
This also enables a revocation of the consent to the storage of the personal data collected
during the registration process.
VIII. Registration
a. Description and scope of data processing
On our website we offer users the opportunity to register by providing personal data. The data is
entered into an input mask and transmitted to us and stored. A transfer of data to third parties
does not take place. The following data is collected and stored as part of the registration process:
(1) The IP address of the user
(2) Date and time of registration
(3) User's name, address and date of birth
(4) E-mail address of the user
(5) Bank Details
(6) Profile picture
11
The temporary storage of the IP address by the system is necessary to enable delivery of the
website to the user's computer. For this purpose, the IP address of the user must remain stored
for the duration of the session.
As part of the registration process, the user's consent to the processing of this data is obtained.
b. Legal basis for data processing
The legal basis for processing the data is Article 6(1)(a) GDPR if the user has given their consent.
If the registration serves to fulfill a contract to which the user is a party or to carry out pre-
contractual measures, the additional legal basis for the processing of the data is Article 6
(1) (b) GDPR.
c. purpose of data processing
The registration does not serve to conclude a contract with the user student:
Registration of the "Student" user is required for the provision of certain content and
services on our website.
(1) To identify the user "Student"
(2) To register his user account
(3) For the purchase of a good or service
The registration serves to conclude a contract with the user teacher:
Registration of the user "teacher" is required to fulfill a contract with the user or to carry
out pre-contractual measures.
(1) To identify the user "teacher"
(2) To register his user account
(3) To collect personal data to create the contract.
(4) To check a teaching qualification
d. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which
they were collected.
Storage of data with the "Student" user account:
12
Is the case for the data collected during the registration process if the registration on our
website is canceled or changed.
The storage of data with the user account “teacher”:
This is for use during the registration process to perform a contract or
This is the case for carrying out pre-contractual measures if the data is no longer required
for the performance of the contract. Even after the conclusion of the contract, it may be
necessary to store personal data of the contractual partner in order to comply with
contractual or legal obligations.
e. Possibility of objection and elimination
As a user, you have the option to cancel the registration at any time. You can have the data stored
about you changed at any time.
Under the Dashboard tab, the user has access to his user profile, where the data can be changed
or the user account deleted.
For the user profile “Teacher”:
If the data is required to fulfill a contract or to carry out pre-contractual measures, the
data can only be deleted prematurely if there are no contractual or legal obligations to the
contrary.
IX. Contact form and email contact
a. Description and scope of data processing
There is a contact form on our website which can be used to contact us electronically. If a user
takes advantage of this option, the data entered in the input mask will be transmitted to us and
saved. These dates are:
i. Name first Name
ii. e-mail address
iii. phone number
iv. category of the subject
v. personal message
At the time the message is sent, the following data is also stored:
13
(1) The IP address of the user
(2) Date and time of registration
Your consent will be obtained for the processing of the data during the sending process and
reference will be made to this data protection declaration.
Alternatively, you can contact us via the email address provided. In this case, the user's personal
data transmitted with the e-mail will be stored.
In this context, the data will not be passed on to third parties. The data will only be used to
process the conversation.
b. Legal basis for data processing
The legal basis for processing the data is Article 6(1)(a) GDPR if the user has given their consent.
The legal basis for the processing of the data that is transmitted in the course of sending an e-
mail is Article 6 (1) (f) GDPR. If the e-mail contact is aimed at concluding a contract, the
additional legal basis for processing is Art. 6 (1) (b) GDPR.
c. purpose of data processing
The processing of the personal data from the input mask serves us solely to process the contact.
If contact is made by e-mail, this is also the necessary legitimate interest in the processing of the
data.
The other personal data processed during the sending process serve to prevent misuse of the
contact form and to ensure the security of our information technology systems.
d. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which
they were collected. For the personal data from the input mask of the contact form and those
sent by e-mail, this is the case when the respective conversation with the user has ended. The
conversation is over when it can be inferred from the circumstances that the facts in question
have been finally clarified.
The additional personal data collected during the sending process will be deleted after a period
of seven days at the latest.
e. Possibility of objection and elimination
14
The user has the option to revoke his consent to the processing of personal data at any time. If
the user contacts us by email, he can object to the storage of his personal data at any time. In
such a case, the conversation cannot be continued.
The user has the option at any time to revoke his consent to the storage of personal data by e-
mail.
All personal data that was saved in the course of making contact will be deleted in this case. In
such a case, the conversation cannot be continued.
X. Web Analysis
a. Scope of processing of personal data
We use the Google Analytics software on our website to analyze the surfing behaviour of our
users. The software sets a cookie on the user's computer (see above for cookies). If individual
pages of our website are called up, the following data is stored:
i. Two bytes of the IP address of the user's calling system
ii. The accessed website
iii. The website from which the user accessed the accessed website (referrer)
iv. The sub-pages that are accessed from the accessed website
v. The length of stay on the website
vi. The frequency of visits to the website
The software runs exclusively on the servers of our website. A storage of the personal data of
the users only takes place there. The data will not be passed on to third parties.
b. Legal basis for processing personal data
The legal basis for the processing of users' personal data is Article 6 (1) (f) GDPR.
c. purpose of data processing
The processing of users' personal data enables us to analyse the surfing behaviour of our users.
By evaluating the data obtained, we are able to compile information about the use of the
individual components of our website. This helps us to constantly improve our website and its
user-friendliness. Our legitimate interest in the processing of the data according to Art. 6 (1) (f)
GDPR also lies in these purposes. By making the IP address anonymous, the interest of the user
in the protection of their personal data is sufficiently taken into account.
d. Duration of storage
15
The data will be deleted after 26 months as soon as they are no longer required for our
recording purposes.
e. Possibility of objection and elimination
Cookies are stored on the user's computer and transmitted to our site. Therefore, as a user,
you also have full control over the use of cookies. By changing the settings in your Internet
browser, you can deactivate or restrict the transmission of cookies. Cookies that have already
been saved can be deleted at any time. This can also be done automatically. If cookies are
deactivated for our website, it may no longer be possible to use all the functions of the website
to their full extent.
You can find more information about the privacy settings of the Google Analytics software
under the following link: https://support.google.com/
XI. rights of the data subject
If personal data is processed by you, you are the data subject within the meaning of the GDPR
and you have the following rights vis-à-vis the person responsible:
a. right of providing information
You can request confirmation from the person responsible as to whether personal data relating
to you is being processed by us.
If such processing is present, you can request information from the person responsible for the
following information:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom your personal data has been or will be
disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if specific
information on this is not possible, criteria for determining the storage duration;
(5) the existence of a right to rectification or erasure of personal data concerning you, a right
to restriction of processing by the person responsible or a right to object to this processing;
16
(6) the existence of a right of appeal to a supervisory authority;
(7) all available information about the origin of the data if the personal data are not collected
from the data subject;
(8) the existence of automated decision-making including profiling in accordance with Art. 22
(1) and (4) GDPR and - at least in these cases - meaningful information about the logic
involved and the scope and intended effects of such processing for the data subject.
You have the right to request information as to whether your personal data is being transmitted
to a third country or to an international organization. In this context, you can request to be
informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the
transmission.
b. Right to Rectification
You have a right to correction and/or completion to the person responsible if the processed
personal data concerning you is incorrect or incomplete. The person responsible must make the
correction immediately.
c. Right to restriction of processing
Under the following conditions, you can request the restriction of the processing of your personal
data:
(1) if you dispute the accuracy of the personal data concerning you, for a period enabling the
controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to delete the personal data and instead request
that the use of the personal data be restricted;
(3) the person responsible no longer needs the personal data for the purposes of processing,
but you need them to assert, exercise or defend legal claims, or
(4) if you have lodged an objection to the processing pursuant to Art. 21 (1) GDPR and it has
not yet been determined whether the legitimate reasons of the person responsible
outweigh your reasons.
If the processing of personal data concerning you has been restricted, this data - apart from its
storage - may only be used with your consent or to assert, exercise or defend legal claims or to
protect the rights of another natural or legal person or for reasons of important public interest of
the Union or a Member State are processed.
17
If the restriction of processing has been restricted according to the above conditions, you will be
informed by the person responsible before the restriction is lifted.
d. Right to Erasure
a) Obligation to delete
You can request the person responsible to delete the personal data concerning you immediately,
and the person responsible is obliged to delete this data immediately if one of the following
reasons applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they
were collected or otherwise processed.
(2) You revoke your consent on which the processing was based pursuant to Article 6 Paragraph
1 Letter a or Article 9 Paragraph 2 Letter a GDPR and there is no other legal basis for the
processing.
(3) You object to the processing in accordance with Article 21 (1) GDPR and there are no
overriding legitimate reasons for the processing, or you object to the processing in
accordance with Article 21 (2) GDPR.
(4) The personal data concerning you was processed unlawfully.
(5) The deletion of personal data concerning you is necessary to fulfill a legal obligation under
Union law or the law of the Member States to which the person responsible is subject.
(6) The personal data concerning you was collected in relation to information society services
offered pursuant to Article 8 (1) GDPR.
b) Information to third parties
If the person responsible has made the personal data relating to you public and is obliged to delete
it in accordance with Art. 17 (1) GDPR, he shall take appropriate measures, including technical
measures, to protect the person responsible for data processing, taking into account the available
technology and the implementation costs , who process the personal data, that you, as the data
subject, have requested them to delete all links to this personal data or copies or replications of
this personal data.
c) Exceptiones
The right to erasure does not exist if processing is necessary:
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation that requires processing under Union or Member State law to
18
which the controller is subject, or to perform a task that is in the public interest or in the
exercise of official authority vested in the controller would;
(3) for reasons of public interest in the field of public health in accordance with Article 9 (2)
lit. h and i and Article 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or
for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law mentioned under
Section a) is likely to make it impossible or seriously impair the achievement of the
objectives of this processing, or
(5) to assert, exercise or defend legal claims.
e. right to information
If you have asserted the right to correction, deletion or restriction of processing against the person
responsible, he is obliged to inform all recipients to whom the personal data concerning you have
been disclosed of this correction or deletion of the data or restriction of processing, unless this
proves to be impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the person responsible.
f. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the
person responsible in a structured, common and machine-readable format. In addition, you have
the right to transmit this data to another person responsible without hindrance by the person
responsible for providing the personal data, provided that
(1) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR
or on a contract pursuant to Article 6(1)(b) GDPR and
(2) the processing is carried out using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you
transmitted directly from one person responsible to another person responsible, insofar as this is
technically feasible. The freedoms and rights of other people must not be impaired by this.
The right to data portability does not apply to processing of personal data that is required to
perform a task that is in the public interest or in the exercise of official authority that has been
assigned to the controller.
g. Right to object
You have the right, for reasons arising from your particular situation, to object at any time to the
processing of your personal data, which is based on Article 6 Paragraph 1 lit. e or f GDPR; this also
applies to profiling based on these provisions.
19
The person responsible no longer processes the personal data relating to you unless he can
demonstrate compelling legitimate grounds for the processing which outweigh your interests,
rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed in order to operate direct advertising, you have
the right to object at any time to the processing of your personal data for the purpose of such
advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct marketing purposes, the personal data relating to you
will no longer be processed for these purposes.
In connection with the use of information society services, you have the option – notwithstanding
Directive 2002/58/EC – to exercise your right to object by means of automated procedures that
use technical specifications.
h. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time.
The revocation of the consent does not affect the legality of the processing carried out on the
basis of the consent up to the point of revocation.
i. Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning you or similarly significantly affects you.
This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the person
responsible,
(2) is permissible on the basis of Union or Member State legislation to which the person
responsible is subject and this legislation contains appropriate measures to safeguard your
rights and freedoms and legitimate interests, or
(3) with your express consent.
However, these decisions may not be based on special categories of personal data according to
Article 9 Paragraph 1 GDPR unless Article 9 Paragraph 2 lit. a or g GDPR applies and appropriate
measures have been taken to protect your rights and freedoms and your legitimate interests .
With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate
measures to safeguard your rights and freedoms and your legitimate interests, including at least
the right to obtain human intervention on the part of the person responsible, to express his or her
point of view and to challenge the decision.
20
j. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a
complaint with a supervisory authority, in particular in the member state of your place of
residence, your place of work or the place of the alleged infringement, if you believe that the
processing of your personal data is contrary to violates the GDPR.
The supervisory authority to which the complaint was lodged will inform the complainant about
the status and the results of the complaint, including the possibility of a judicial remedy under
Art. 78 GDPR .
