We are pleased that you are interested in our company.

Data protection is a top priority for the management of MIXACO Maschinenbau – Dr. Herfeld GmbH + Co. KG. In principle, it is possible to use the websites of MIXACO Maschinenbau – Dr. Herfeld GmbH + Co. KG without entering any personal data. However, if a data subject would like to use particular services offered by our company on our website, the processing of personal data could be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.

The processing of personal data, for instance, the name, address, email address or phone number of a data subject, always occurs in compliance with the General Data Protection Regulation and in agreement with the country-specific data protection regulations applicable for MIXACO Maschinenbau – Dr. Herfeld GmbH + Co. KG. With this privacy policy, our company would like to inform the public about the nature, scope and purpose of the personal data we collect, use and process. Furthermore, this privacy policy informs data subjects of the rights to which they are entitled.

As the controller for data processing, MIXACO Maschinenbau – Dr. Herfeld GmbH + Co. KG has implemented numerous technical and organisational measures to guarantee that the protection of the personal data processed via this website is as comprehensive as possible. Nevertheless, internet-based data transmission may generally involve security vulnerabilities, meaning that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us using alternative methods, for instance by phone.

I.            Definitions

The privacy policy of MIXACO Maschinenbau – Dr. Herfeld GmbH + Co. KG is based on the terms used by the European legislature when adopting the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and comprehensible for the public as well as for our customers and business partners. To guarantee this, we would like to clarify the terminology used in advance.

In this privacy policy, we use the following terms, among others:

  1. Personal data

Personal data is all information related to an identified or identifiable natural person (hereafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  1. Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

  1. Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  1. Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

  1. Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

  1. Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

  1. Controller or data processing controller

The controller or data processing controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

  1. Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  1. Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

  1. Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

  1. Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

II.            Name and address of the controller

The controller under the definition of the General Data Protection Regulation and other national data protection laws of the Member States, as well as other provisions of data protection law, is:

MIXACO Maschinenbau – Dr. Herfeld GmbH + Co. KG

Niederheide 2
58809 Neuenrade
Germany
Phone: +49 (0)2392 – 9644 0
Email: [email protected]
Website: mixaco.com

III.           Name and address of the data protection officer

DataCo GmbH
Dr. Patrick Schweisthal
Siegfriedstraße 8
80803 München
Germany
+49 89 41207033
[email protected]
www.dataguard.de

IV.          General information about data processing

1.    Scope of the processing of personal data

In general, we only collect and use the personal data of our users insofar as this is required in order to provide a functional website as well as our content and services. The collection and use of personal data concerning our users regularly occurs only with the user’s consent. An exception will apply in cases where obtaining prior consent is not possible for factual reasons and the processing of data is permitted by statutory provisions.

2.    Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations concerning personal data, Art. 6 (1)(a) of the EU General Data Protection Regulation (GDPR) is the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is party, Art. 6 (1)(b) of the GDPR is the legal basis. This also applies for processing operations that are required for taking steps prior to entering into a contract.

Insofar as processing personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1)(c) of the GDPR is the legal basis.

In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6 (1)(d) of the GDPR is the legal basis.

If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1)(f) of the GDPR is the legal basis for processing.

3.    Erasure of data and duration of storage

The data subject’s personal data will be erased or blocked as soon as the purpose of storage is no longer valid. Storage beyond this period can occur if this is provided for by the European or national legislature in directives under Union law, laws or other regulations to which the controller is subject. Blocking or erasure of the data will be carried out when the storage period prescribed by the listed regulations has elapsed, unless further storage of the data is required in order to conclude or execute a contract.

V.            Provision of the website and creation of log files

1.    Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected in this process:

  1. Information about the browser type and version used
  2. The user’s operating system
  3. Date and time of access
  4. Websites from which the user’s system arrives at our website

Data will also be stored in our system log files. This does not include the user’s IP addresses or other data which could make it possible to associate the data with an individual user. This data will not be stored together with other personal data concerning the user.

2.    Legal basis for data processing

The legal basis for the temporary storage of data is Art. 6 (1)(f) GDPR.

3.    Purpose of data processing

It is necessary for the system to temporarily store the IP address in order to deliver the website to the user’s computer. For this purpose, the user’s IP address needs to remain stored for the duration of the session.

These purposes also establish our legitimate interest in data processing pursuant to Art. 6 (1)(f) GDPR.

4.    Duration of storage

The data will be deleted as soon as it is no longer required for fulfilling the purpose of its collection. When collecting data in order to provide the website, this is the case when the respective session has ended.

5.    Option of objection and elimination

The collection of data to provide the website and the storage of data in log files is necessary for the operation of the website. Accordingly, the user is not entitled to object.

VI.          Use of cookies

1.    Description and scope of data processing

Our website uses cookies. Cookies are text files stored in the internet browser or stored by the internet browser on the user’s computer system. If a user accesses a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that make it possible to unambiguously identify the browser when accessing the website again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can also be identified after changing to a different page.

The following data will be stored and transmitted in these cookies:

  1. Language settings
  2. Login information

2.    Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 (1)(f) GDPR.

3.    Purpose of data processing

The purpose for using technically required cookies is to simplify the use of websites for the user. Some features of our website cannot be offered without the use of cookies. For these features, the browser needs to be identifiable even after changing to a different page.

We require cookies for the following application:

  • Adopting language settings

The user data collected by technically required cookies will not be used to create user profiles.

These purposes also establish our legitimate interest in the processing of personal data pursuant to Art. 6 (1)(f) GDPR.

4.    Duration of storage, option of objection and elimination

Cookies are stored on the user’s computer and transmitted by this computer to our website. For this reason, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be accomplished using automated methods. If cookies are deactivated for our website, you may not be able to use all features of our website to their full extent.

VII.  Newsletter

1.    Description and scope of data processing

On our website, you have the option of subscribing to a newsletter free of charge. When you subscribe to the newsletter, data from the input field will be transmitted to us.

This includes:

  • Your email address

The following data will also be collected during subscription:

  • Date and time of registration

During the subscription process, your consent will be obtained for data processing and reference will be made to this privacy policy.

No data will be forwarded to third parties in connection with the processing of data for mailing the newsletter. This data will exclusively be used for mailing the newsletter.

2.    Legal basis for data processing

The legal basis for data processing after the user subscribes to the newsletter, if the user has given consent, is Art. 6 (1)(a) GDPR.

3.    Purpose of data processing

The user’s email address is collected in order to deliver the newsletter.

4.    Duration of storage

The data will be deleted as soon as it is no longer required for fulfilling the purpose of its collection. Accordingly, the user’s email address will only be stored as long as the newsletter subscription is active.

5.    Option of objection and elimination

The data subject can unsubscribe from the newsletter at any time. For this purpose, there is a corresponding link in each newsletter.

VIII.        Contact form and email contact

1.    Description and scope of data processing

Our website contains a contact form that can be used for establishing electronic contact. If a user makes use of this option, the data entered in the input field will be transmitted to us and stored. This data includes:

  1. Company name
  2. Name
  3. Email
  4. Phone
  5. Message

At the time the message is sent, the following data will also be stored:

  • Date and time of registration

During the sending process, your consent will be obtained for data processing and reference will be made to this privacy policy.

As an alternative, contact is possible via the email address provided. In this case, the user’s personal data transmitted in the email will be stored.

No data will be forwarded to third parties in this context. This data will exclusively be used for processing the conversation.

2.    Legal basis for data processing

The legal basis for data processing, if the user has given consent, is Art. 6 (1)(a) GDPR.

The legal basis for processing data transmitted when sending an email is Art. 6 (1)(f) GDPR. If the objective of email contact is to conclude a contract, an additional legal basis for processing is Art. 6 (1)(b) GDPR.

3.    Purpose of data processing

We exclusively process personal data from the input field in order to facilitate contact. For contact via email, this purpose also establishes the necessary legitimate interest in data processing.

Other personal data processed during the sending process serves to prevent misuse of the contact form and guarantee the security of our IT systems.

4.    Duration of storage

The data will be deleted as soon as it is no longer required for fulfilling the purpose of its collection. For personal data from the input field on the contact form and any data sent by email, this is the case when the respective conversation with the user has ended. The conversation has ended if the circumstances indicate that the relevant issue has been conclusively resolved.

Additional personal data collected during the sending process will be deleted after no more than seven days.

5.    Option of objection and elimination

The user can withdraw his or her consent to the processing of personal data at any time. If the user contacts us via email, he or she can object to the storage of his or her personal data at any time. If this is the case, the conversation may not be continued.

To withdraw consent and object to storage, the user is required to make a declaration to the controller named above using one of the communication channels provided by the controller.

All personal data that was stored during contact will be erased in this case.

IX.          Web analysis by Google Analytics

1.    Scope of the processing of personal data

On our website, we use Google Analytics, a web analysis service of Google Inc. (“Google”) to analyse the browsing behaviour of our users. This software writes a cookie onto the user’s computer (see above regarding cookies).

The information generated by the cookie about your use of this website will generally be transferred to a Google server in the USA and stored there. If IP anonymisation has been activated on this website, your IP address will be truncated by Google within the member states of the European Union or in other states party to the Agreement on the European Economic Area before transfer. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports about website activity and to perform other services associated with website use and internet use for the website operator.

The IP address transmitted by your browser through the use of Google Analytics will not be linked with other data held by Google.

You can prevent the installation of cookies by changing the settings of your browser software accordingly; however, we inform you that in this case it may not be possible to use all features of this website to their full extent. You can also prevent the collection of the data generated by the cookie concerning your use of this website (incl. your IP address) as well as the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de).

This software runs exclusively on our website servers. The personal data of users will only be stored there. No data will be forwarded to third parties.

2.    Legal basis for the processing of personal data

The legal basis for processing the personal data of users is Art. 6 (1) Sentence 1 (f) GDPR.

3.    Purpose of data processing

Processing the personal data of users enables us to analyse the browsing behaviour of our users. By analysing the acquired data, we are able to compile information about the use of individual components of our website. This helps us to continually improve our website and make it more user-friendly. These purposes also establish our legitimate interest in the processing of data pursuant to Art. 6 (1)(f) GDPR. By anonymising the IP address, the user’s interest in the protection of his or her personal data is given due consideration. For exceptional cases where personal data is transferred to the USA, Google has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

4.    Duration of storage

This website uses Google Analytics with the extension “_anonymizeIp()”. This extension allows IP addresses to be further processed in truncated form, preventing personal identification. Insofar as data collected concerning you can be connected with your personal identity, this will be immediately excluded and the personal data will be promptly erased.

Data will be erased as soon as it is no longer required for our record-keeping purposes.

5.    Option of objection and elimination

Cookies are stored on the user’s computer and transmitted by this computer to our website. For this reason, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be accomplished using automated methods. If cookies are deactivated for our website, you may not be able to use all features of our website to their full extent.

6.    Information about the third-party provider

Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: + 353 (1) 436 1001, Terms of use: http://www.google.com/analytics/terms/de.html, Overview of privacy: http://google.com/intl/de/analytics/learn/privacy.html, as well as Privacy policy: http://www.google.de/intl/de/policies/privacy.

X.     Use of social media plugins

1.    Scope of the processing of personal data

We currently use the following social media plugins: Facebook, Google+, Twitter, Xing, LinkedIn, Instagram, YouTube. In this regard, we use the so-called two-click solution. This means that when you visit our website, no personal data will generally be forwarded to the plugin provider at first. You can identify the plugin provider by the label in the box above its initial or the logo. We allow you the option of communicating directly with the plugin provider using the button. The plugin provider will only be informed that you have accessed the page in question on our website if you click the marked field and activate it. Additionally, the data listed under section IV. of this policy will be transmitted. In the case of Facebook and Xing, according to their respective providers in Germany, the IP address will be anonymised immediately after collection. By activating the plugin, therefore, you transmit personal data to the respective plugin provider, which will be stored there (in the USA for US providers). Since the plugin provider accomplishes the collection of data using cookies in particular, we recommend that you use your browser’s security settings to delete all cookies before clicking on the greyed-out box.

The forwarding of data occurs regardless of whether you have an account with the plugin provider and are logged in to that service. If you are logged in to your account with the plugin provider, the data we collect will be directly associated with your existing account with the plugin provider. If you click the activated button and link the page, for instance, the plugin provider will also store this information in your user account and publicly communicate this to your contacts. We recommend that you regularly log out after using social networks, particularly before activating the button, in order to prevent the plugin provider from associating this use with your profile.

2.    Legal basis for the processing of personal data

The legal basis for the use of plugins is Art. 6 (1) Sentence 1 (f) GDPR.

3.    Purpose and duration of data processing

With these plugins, we offer you the option of interacting with social networks and other users to improve our services and configure them in a more compelling way for you as a user. The plugin provider stores the data collected about you as a usage profile and uses this profile for the purposes of advertising, market research and/or needs-oriented design of its website. Such analysis is conducted especially (even for users who are not logged in) to display targeted advertising and to inform other users of the social network regarding your activities on our website.

We have no influence over the data collected and data processing operations, nor do we have knowledge of the full scope of data collection, the purposes of processing or the duration of storage. We do not have any information about the deletion of collected data by the plugin provider either.

For more information regarding the purpose and scope of data collection and its processing by the plugin provider, please see the privacy policies of these providers outlined in the following. Here you will also obtain more information regarding your rights in this respect and configuration options to protect your privacy.

Addresses of the respective plugin providers and URLs with their privacy policies:

a)      Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information about data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

b)      Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

c)      Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

d)      Xing AG, Gänsemarkt 43, 20354 Hamburg, DE; http://www.xing.com/privacy.

e)      LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

f)      Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA; https://help.instagram.com/155833707900388

4.    Option of objection and elimination

You have the right to object to the formation of this profile; to exercise this right, you must contact the respective plugin provider.

XI.          Embedded YouTube videos

1.    Scope of the processing of personal data

We embed YouTube videos on some of our websites. These videos are stored on http://www.YouTube.com and can be directly played from our website. These are all embedded in “extended privacy mode”, which means that no data about you as a user will be transmitted to YouTube if you do not play the videos. Your data will only be transmitted once the videos are played. We have no influence over this transmission of data.

When you visit the website, YouTube will receive the information that you accessed the corresponding page on our website. Additionally, the data named in Section IV. of this declaration will be transferred. This occurs regardless of whether you are logged in to a YouTube user account or whether there is no user account involved. If you are logged in to Google, your data will be directly associated with your account. If you do not want data to be associated with your YouTube profile, you must log out before clicking the button.

2.    Legal basis for the processing of personal data

The legal basis for this use is Art. 6 (1) Sentence 1 (f) GDPR.

3.    Purpose and duration of data processing

YouTube stores your data as a usage profile and uses this for the purposes of advertising, market research and/or needs-oriented design of its website. Such analysis is conducted especially (even for users who are not logged in) to display targeted advertising and to inform other users of the social network regarding your activities on our website.

For more information regarding the purpose and scope of data collection and its processing by YouTube, please consult the relevant privacy policy. Here you will also obtain more information regarding your rights in this respect and configuration options to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

4.    Option of objection and elimination

You have the right to object to the formation of this profile; to exercise this right, you must contact YouTube.

XII.         Use of Google AdWords

1.    Scope of the processing of personal data

We use the Google AdWords service. This advertising tool is delivered by Google via so-called “ad servers”. To this end, we use ad server cookies to measure specific parameters for performance tracking, such as the display of ads or clicks made by the user. If you are redirected to our website from a Google ad, Google AdWords will write a cookie on your PC. These cookies generally expire after 30 days and cannot be used to identify you personally. The values stored in this cookie for analysis include the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) as well as opt-out information (indication that the user does not wish to receive any more ads).

These cookies enable Google to recognise your internet browser. If the user visits particular pages of the website of an AdWords client and the cookie has not yet expired, Google and the client can see that the user clicked on the ad and was forwarded to this website. Every AdWords client receives a different cookie. As a result, cookies cannot be traced across the websites of AdWords clients. We do not collect and process any personal data ourselves through the advertising described above. Google solely provides us with statistical analysis. Using this analysis, we can identify which of the implemented advertising activities are particularly effective. We do not receive any more extensive data from the use of these ad tools; in particular, we cannot identify users by this information.

2.    Legal basis for the processing of personal data

The legal basis for processing your data is Art. 6 (1) Sentence 1 (f) GDPR. For more information about privacy at Google, please consult: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at http://www.networkadvertising.org. Google has committed to the EU-US Privacy Shield agreement, https://www.privacyshield.gov/EU-US-Framework.

3.    Purpose and duration of data processing

We use the Google AdWords service to draw attention to our attractive offers on external websites using advertising tools (so-called Google AdWords). Using the data from the ad campaigns, we can determine how successful the individual marketing activities are. In doing so, we are pursuing the interest of showing you advertisements that are of interest to you in order to configure our website in a more compelling way for you and to achieve a fair calculation of advertising costs.

Based on the implemented marketing tools, your browser automatically establishes a direct connection with the server of Google. We have no influence over the scope and further use of the data collected by Google using this tool, and therefore inform you that, to the best of our knowledge: Through the integration of AdWords Conversion, Google is informed that you have accessed the corresponding section of our website or that you have clicked on one of our ads. If you are registered for one of Google’s services, Google can associate the visit with your account. Even if you are not registered with Google or not logged in, it is possible that the provider will learn and store your IP address.

4.    Option of objection and elimination

You can prevent this tracking procedure in various ways: a) Changing the settings of your browser software accordingly; in particular, suppressing third-party cookies means that you will not be shown any ads from third-party providers; b) Deactivating cookies for conversion tracking by changing your browser settings to block cookies from the domain “www.googleadservices.com”, https://www.google.de/settings/ads, please note that this setting will be erased if you delete your cookies; c) Deactivating the provider’s interest-related ads that are part of the self-regulation campaign “About Ads” by following the link http://www.aboutads.info/choices, please note that this setting will be erased if you delete your cookies; d) Permanently deactivating the procedure in your browser, for Firefox, Internet Explorer or Google Chrome by following the link http://www.google.com/settings/ads/plugin. We inform you that in this case it may not be possible to use all features of this service to their full extent.

XIII.        Privacy for applications and application procedures

The controller collects and processes the personal data of applicants for the purpose of handling the application procedure. Processing can also occur electronically. This is particularly the case if an applicant sends corresponding application documents to the controller electronically, for instance via email or an online form located on the website. If the controller concludes an employment contract with an applicant, the data provided will be stored for the purposes of handling the employment relationships, in compliance with statutory regulations. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically erased two months after announcement of the rejection decision unless erasure is opposed by other legitimate interests of the controller. Other legitimate interests in this context include, for instance, a burden of proof in proceedings based on the General Equal Treatment Act (AGG).

XIV.        Rights of the data subject

If your personal data is processed, you are considered a data subject under the definition of the GDPR and you are entitled to the following rights with respect to the controller:

1.    Right of access

You have the right to obtain confirmation from the controller as to whether or not we are processing personal data concerning you.

If such processing is taking place, you can request access to the following information from the controller:

  1. The purposes for which the personal data is processed;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipient to whom the relevant personal data has been or will be disclosed;
  4. The envisaged period for which the relevant personal data will be stored, or, if no concrete statement is possible in this regard, the criteria used to determine the period of storage;
  5. The existence of the right to request the controller to rectify or erase personal data and the right to restrict the processing of your personal data or to object to such processing;
  6. The right to lodge a complaint with a supervisory authority;
  7. Any available information as to the source of the data, if the personal data is not collected from the data subject;
  8. The existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether personal data is transferred to a third country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

2.    Right to rectification

You have the right to request rectification and/or completion from the controller for inaccurate or incomplete personal data concerning you. The controller must undertake this rectification without undue delay.

3.    Right to restriction of processing

Under the following conditions, you may request a restriction of processing for personal data concerning you:

  1. If you contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data;
  2. If the processing is unlawful and you oppose the erasure of the personal data and request that the use of the personal data be restricted instead;
  3. If the controller no longer needs the personal data for the purposes of processing, but you require the data for the assertion, exercise or defence of legal claims, or
  4. If you have objected to processing pursuant to Art. 21 (1) GDPR pending verification as to whether the legitimate grounds of the controller override your interests.

Where the processing of your personal data has been restricted, this data shall, with the exception of storage, only be processed with your consent or for the assertion, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.

4.    Right to erasure

a)    Obligation of erasure

You may request the controller to erase personal data concerning you without undue delay, and the controller is obligated to erase this data without undue delay as long as one of the following grounds applies:

(1) Your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

(2) You withdraw the consent on which the processing is based according to Art. 6 (1)(a) or Art. 9 (2)(a) GDPR, and there is no other legal basis for the processing.

(3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.

(4) Your personal data has been unlawfully processed.

(5) Your personal data has to be erased to ensure compliance with a legal obligation in Union or Member State law to which the controller is subject.

(6) Your personal data has been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

b)    Granting information to third parties

If the controller has made your personal data public and is obligated pursuant to Art. 17 (1) GDPR to erase this data, taking account of available technology and the cost of implementation, the controller must take reasonable steps, including technical measures, to inform any controllers engaged in processing the personal data that you have requested them to erase any links to, or copies or replications of, this personal data.

c)    Exceptions

The right to erasure does not apply insofar as processing is required

(1) For exercising the right to freedom of expression and information;

(2) For compliance with a legal obligation that requires processing under a Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) For reasons of public interest in the area of public health in accordance with Art. 9 (2)(h) and (i) as well as Art. 9 (3) GDPR;

(4) For reasons of public interest relating to archiving purposes, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to under paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

(5) For the assertion, exercise or defence of legal claims.

5.    Right to notification

If you have asserted the right to rectification, erasure or restriction of processing with respect to the controller, the controller is obligated to communicate this rectification or erasure of data or restriction of processing to each recipient to whom your personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to request the controller to inform you about these recipients.

6.    Right to data portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, as long as

  1. The processing is based on consent pursuant to Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR or on a contract pursuant to Art. 6 (1)(b) GDPR and
  2. The processing is carried out by automated means.

When exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected.

The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.    Right to object

You have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data which is based on Art. 6 (1) (e) or (f) GDPR, including profiling based on those provisions.

The controller will not continue to process your personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the assertion, exercise or defence of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.

8.    Right to withdraw consent under data privacy law

You have the right to withdraw your consent under data privacy law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9.    Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly affects you in a significant way. This does not apply if the decision

  1. is necessary for entering into, or performance of, a contract between you and the controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
  3. is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and suitable measures have been taken to safeguard your rights and freedoms and legitimate interests.

With respect to the cases named in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10.  The right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.