If personal data concerning you are being processed, you are considered a data subject as defined by the General Data Protection Regulation (GDPR), and you are entitled to the following rights against the data controller:
1. Right to information
You have the right to obtain confirmation from the data controller as to whether or not personal data concerning you are being processed by us.
If such processing is taking place, you have the right to request the following information from the data controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of storage of the personal data concerning you, or, where no specific information is available in this regard, the criteria for determining the duration of storage;
(5) the existence of a right to have the personal data concerning you rectified or deleted or to have the data controller restrict or object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information on the origin of the data, if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) of the General Data Protection Regulation (GDPR) and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate guarantees provided for in Art. 46 of the General Data Protection Regulation (GDPR) in connection with the transfer.
2. The right to rectification
You have the right to have your personal data rectified and/or completed by the data controller if the processed personal data concerning you are inaccurate or incomplete. The data controller has an obligation to perform such rectification immediately.
3. The right to restrict processing
Under the following conditions, you may request that the processing of your personal data be restricted:
(1) if you contest the accuracy of the personal data concerning you for a period of time allowing the data controller to verify the accuracy of the personal data;
(2) if the processing is unlawful and if you refuse the erasure of the personal data and instead request a restriction on the use of the personal data;
(3) if the data controller no longer needs the personal data for the purposes of processing, but if the data subject needs them for the purpose of asserting, exercising or defending legal claims, or
(4) if you have lodged an objection against the processing pursuant to Art. 21 (1) of the General Data Protection Regulation (GDPR) and if it has not yet been determined whether the data controller’s justified reasons outweigh your reasons. Where the processing of the personal data concerning you has been restricted in accordance with the above conditions, such personal data shall only be processed – apart from being stored – with the consent of the data subject or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State. If the restriction on processing has been restricted in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.
4. The right to erasure
a) Duty of erasure
You may request the data controller to immediately erase the personal data concerning you, and the data controller will be obliged to erase these data immediately if one of the following grounds applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent on which the processing pursuant to Art. 6(1) lit. a or Art. 9(2) lit. a of the General Data Protection Regulation (GDPR) was based, and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 (1) of the General Data Protection Regulation (GDPR) and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) of the General Data Protection Regulation (GDPR).
(4) The personal data concerning you have been processed unlawfully.
(5) The erasure of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the data controller is subject.
(6) The personal data concerning you have been collected in relation to the provision of information society services pursuant to Art. 81 of the General Data Protection Regulation (GDPR).
b) Disclosure of information to third parties
If the data controller has made the personal data concerning you publicly available and if he/she is obliged to erase them in accordance with Art. Art. 17(1) of the General Data Protection Regulation (GDPR), he/she shall take appropriate measures, including technical measures, taking into account the available technology and implementation costs, to inform data processors who process the personal data that a data subject has requested them to erasure all links to such personal data or copies or replications of such personal data.
c) Exemptions
The right to erasure does not exist in cases where the processing is necessary
(1) to exercise the right of freedom of expression and information;
(2) for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
(3) for reasons of public interest in the field of public health pursuant to Art. 9(2) lit. h and i and Art. 9(3) of the General Data Protection Regulation (GDPR);
(4) for archive purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) of the General Data Protection Regulation (GDPR), to the extent that the law referred to in paragraph (a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or for the assertion, exercise or defense of legal claims.
(5) for asserting, exercising or defending legal claims.
5. Right to information
If you have exercised your right to rectify, erase or restrict the processing of your personal data against the data controller, the latter shall be obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification, cancellation or limitation, unless this proves impossible or involves a disproportionate effort.
They shall have the right to be informed of such recipients by the data controller.
6. The right to data portability
You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to communicate these data to another data controller without being hindered by the controller to whom the personal data were provided, provided that
(1) the processing is based on a consent in accordance with Art. 6(1) lit. a General Data Protection Regulation (GDPR) or Art. 9(2) lit. a General Data Protection Regulation (GDPR) or on a contract in accordance with Art. 6(1) lit. b of the General Data Protection Regulation (GDPR) and
(2) the processing is carried out using automated methods.
In exercising this right, you also have the right to request that the personal data concerning you be transmitted directly by one data controller to another controller, insofar as this is technically feasible. The exercise of this right must not affect the freedoms and rights of other persons.
7. The right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on paragraph (e) or (f) of Art. 6(1) lit. e or f of the General Data Protection Regulation (GDPR); this also applies to profiling based on these provisions. The data controller no longer processes the personal data unless he/she can prove compelling justifiable grounds for the processing which outweigh the interests, rights and freedoms of the data subject, or if the processing serves for the assertion, exercise or defense of legal claims. If the personal data concerning you are processed for the purpose of direct advertising, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling in so far as it is connected with such direct advertising. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In connection with the use of Information Society services, notwithstanding Directive 2002/58/EC, you may exercise your right of opposition by means of automated procedures using technical specifications.
8. The right to revocation of the declaration of consent under data privacy law
You have the right to revoke your declaration of consent under data privacy law at any time. Your revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until the date of revocation.
9. Automated decision in individual cases including profiling
You have the right not to be subjected to any decisions based solely on automated processing, including profiling, which may have any legal effects on you or affect you in a similar, significant way.
This shall not apply where the decision
(1) is necessary for the conclusion or performance of a contract between yourself and the data controller,
(2) is admissible by law of the Union or of the Member States to which the data controller is subject and that law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject; or
(3) is made with your express consent.
However, these decisions shall not be based on special categories of personal data according to Art. 9 (1) of the General Data Protection Regulation (GDPR), unless Art. 9(2) lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms
as well as your legitimate interests.
With regard to the cases referred to in (1) and (3), the data controller shall take appropriate
measures to safeguard the rights and freedoms and your legitimate interests,
which includes at least the right to obtain the intervention of a person on behalf of the
data controller, to state his or her point of view, and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy provided for in Art. 78 of the General Data Protection Regulation (GDPR).