With this data protection information, we inform you (in the following text also addressed as "user" or "data subject") in a general way about the data processing in our company and in a special way about the data processing in the context of visiting our website www.digitale-gruendung.de and our products offered there.
Name and address of the person responsible
The responsible party within the meaning of the General Data Protection Regulation and other data protection regulations is:
KLP Digitale Produkte GmbH
Mariendorfer Damm 112099 Berlin, Germany
General information on data processing
2.1 Categories of personal data
We process the following categories of personal data:
Inventory data (e.g. names, addresses, functions, organizational affiliation, etc.);
Contact data (e.g. e-mail, telephone/fax numbers, etc.);
Content data (e.g., text entries, image files, videos, etc.);
Usage data (e.g. access data);
Meta/communication data (e.g. IP addresses).
2.2 Recipients or categories of recipients of personal data
If, in the course of our processing, we disclose data to other persons and companies such as web hosts, order processors or third parties, transmit it to them or otherwise grant them access to the data, this is done on the basis of a legal permission (e.g. if a transmission of data to third parties is required for the performance of a contract pursuant to Art. 6 (1) lit. b DSGVO), if the data subjects have consented or if a legal obligation provides for this.
2.3 Duration of storage of personal data
The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data will be deleted if they are no longer required to achieve the purpose, fulfill the contract or initiate the contract.
2.4 Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing, or transferring data to third parties, this will only occur if it is done to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have data processed in a third country only if the special requirements of Art. 44 et seq. DSGVO, i.e. the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU or compliance with officially recognized special contractual obligations (so-called "EU standard contractual clauses").
Data processing in the course of visiting our website www.digitale-gruendung.de
3.1 Log files
Each time a data subject accesses our website, general data and information are stored in the log files of our system:
Date and time of the retrieval (timestamp);
Request details and destination address (protocol version, HTTP method, referer, UserAgent string);
Name of the retrieved file and transferred data volume (requested URL incl. query string, size in bytes);
Message whether the retrieval was successful (HTTP status code).
When using this general data and information, we do not draw any conclusions about the data subject. There is no personal evaluation or evaluation of the data for marketing purposes or profiling. The IP address is not stored in this context.
The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f DSGVO. The collection of data for the provision of the website and the storage of the data in log files is mandatory for the secure operation of our website. Consequently, there is no possibility for the data subject to object.
3.2 Malware detection and log data evaluation
We collect log data that is generated during the operation of our office's communication technology and evaluate it automatically, insofar as this is necessary to detect, limit or eliminate malfunctions or errors in the communication technology or to defend against attacks on our information technology or to detect and defend against malware.
The legal basis for the temporary storage and evaluation of the data is Art. 6 para. 1 lit. f DSGVO. The storage and evaluation of the data is absolutely necessary for the provision of the website and for its secure operation. Consequently, there is no possibility for the data subject to object.
The legal basis for the processing of personal data using cookies is Art. 6 (1) lit. f DSGVO.
The hosting services used by us serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services, which we use for the purpose of operating our website.
In this context, we or our contract processor process inventory data, contact data, content data, contract data, usage data, meta data and communication data of users of our website on the basis of our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 (1) lit. f DSGVO in conjunction with Art. 28 DSGVO (conclusion of a contract for the processing of orders).
3.5 Use of Google Analytics and Google Tag Manager (Consent TOOL!)
(1) This website uses Google Analytics, a web analytics service provided by Google Inc ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.
(2) The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
(4) This website uses Google Analytics with the extension "_anonymizeIp()". This means that IP addresses are processed in abbreviated form, thus excluding the possibility of personal references. Insofar as the data collected about you is related to a person, this is therefore immediately excluded and the personal data is thus immediately deleted.
(5) We use Google Analytics to analyze and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user.
(6) Information of the third party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions: http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, as well as the data protection declaration: http://www.google.de/intl/de/policies/privacy.
(7) This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID. You can deactivate the cross-device analysis of your usage in your customer account under "My Data", "Personal Data".
(8) Use of the Google Tag Manager application: The Google Tag Manager is an application that can be used to manage website tags via an interface. The Google Tag Manager application itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The application takes care of triggering other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at cookie or domain level, this remains in place for all tracking tags implemented with Google Tag Manager. http://www.google.de/tagmanager/use-policy.html
The legal basis for the processing of personal data using Google Analytics and Google Tag Manager is Art. 6 (1) lit. a DSGVO.
3.6 Use of Google Fonts
Our website uses so-called Google Fonts, which are provided by Google Inc. for the uniform display of texts and fonts. When a page is called up, your Internet browser loads the required fonts into your browser cache in order to display texts and fonts correctly. For this purpose, your browser must establish a connection to the servers of Google Inc. In this way, Google Inc. obtains knowledge that our website has been accessed via your IP address. The use of Google Fonts serves our interest in a uniform and visually appealing presentation of our online offer. This represents a so-called legitimate interest within the meaning of Art. 6 para. 1 lit. a. DSGVO.
If your browser does not support Google Fonts, a standard font from your PC will be used.
3.7 Conversion measurement with the Facebook conversion pixel
We use the visitor action pixel of Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA ("hereinafter: Facebook"). By calling up this pixel from your browser, Facebook can recognize whether one of its own advertisements was successful. For this purpose, we receive from Facebook exclusively statistical data without reference to a specific person. Thus, we can record the effectiveness of the Facebook ads for statistical and evaluation purposes. By the way, we refer to the Facebook privacy information.
Please go to https://www.facebook.com/ads/preferences/ if you wish to revoke your consent to Conversion Pixel.
3.8 Use of Google Analytics Remarketing
Google Analytics Remarketing makes it possible to link the advertising target groups created with the cross-device functions of Google Ads and Google Campaign Manager. In this way, user-specific, personalized advertising that has been adapted on one end device depending on the previous usage and surfing behavior of the homepage visitor can also be displayed on another end device of the homepage visitor. This requires that the homepage visitor has given Google the corresponding consent. If this is given, Google links the browsing history with the personal Google account for this purpose.
To support this function, Google Analytics collects Google-authenticated IDs of homepage visitors, which are temporarily linked with Google Analytics data to define and create target groups for cross-device advertising.
Homepage visitors who use a Google account can permanently object to cross-device remarketing by deactivating personalized advertising in their Google account (https://www.google.com/settings/ads/onweb/).
3.9 Use of Google Ads
This homepage uses the so-called conversion tracking within the framework of Google Ads. As soon as the homepage visitor clicks on an ad placed by Google, a so-called cookie is set for conversion tracking. These cookies lose their validity after 30 days and are not used to personally identify the homepage visitor. If the homepage user visits certain pages of this website and the cookie has not yet expired, we can recognize that the user clicked on the ad and was redirected to this page. The information collected using the conversion cookie is used to create conversion statistics for us as AdWords customers. We thereby learn the total number of website visitors who clicked on an ad we placed and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information that can be used to personally identify website visitors.
3.10 Use of Facebook Custom Audiences and Facebook Pixel
On this homepage, the service "Facebook Custom Audiences" is used. Facebook Pixel is used for this service. These services are operated by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland. Facebook Custom Audiences allows us to target the user with interest-based advertising on the social network - Facebook. To make this possible, we have implemented the Facebook Remarketing tag on our homepage. This tag establishes a direct connection with Facebook servers when the website is visited. Facebook thereby receives information about the pages you have visited on our site. Facebook then matches this information with your Facebook user account. The next time you visit Facebook, you will then be shown personalized, interest-based advertisements (Facebook Ads). In addition, Custom Audiences is used to personalize and optimize the website.
With the help of Facebook Custom Audiences, the following data is collected and processed:
Facebook user ID
Non-sensitive custom data
Facebook cookie information
Pixel specific data
Social media friend network
Usage data/user behavior
Views and interactions with content and ads and services
Marketing campaign success
Device operating system
Information from third-party sources
The legal basis of the processing is your consent pursuant to Art. 6 (1) lit. a DSGVO. If you do not want the aforementioned data to be collected and processed via Facebook Custom Audiences, you can refuse your consent or revoke it at any time with effect for the future.
The personal data will be retained for as long as it is required to fulfill the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose.
3.13 Use of Instagram Ads
We also use Instagram Ads on our homepage. With the help of the advertising media of this tool (so-called Instagram Ads), we can draw attention to our attractive offers in the social network of this provider. We can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In this way, we pursue the interest of showing you advertising that is of interest to you, making our website more interesting for you and achieving a fair calculation of advertising costs.
These advertisements are delivered by the provider. If you access our homepage via an advertisement presented to you by this provider, a cookie will be stored in your PC by the tool. These cookies are not intended to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie.
Due to the tool used, your browser automatically establishes a direct connection with the server of this provider. We have no influence on the scope and further use of the data collected through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of the advertising material of this tool, the provider receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a service of this provider, he can assign the visit to your account. Even if you are not registered with this provider or have not logged in, there is a possibility that the provider will obtain and store your IP address.
You can prevent participation in this tracking process in various ways:
by adjusting your browser software accordingly; in particular, the suppression of third-party cookies will result in you not receiving ads from third-party providers;
by deactivating cookies
You can find more information on how this works and the associated data processing here: https://business.instagram.com/advertising/.
The legal basis of the processing is your consent pursuant to Art. 6 (1) lit. a DSGVO.
3.14 Use of Cloudfare
We use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich Germany (Cloudflare) to increase the security and delivery speed of our website. This corresponds to our legitimate interest (Art. 6 para. 1 lit. f DSGVO). A CDN is a network of [globally] distributed servers that is able to deliver optimized content to the website user. For this purpose, personal data may be processed in server log files by Cloudflare. Please compare the explanations under "Hosting".
Cloudflare is a recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f DSGVO not to operate a content delivery network ourselves. You have the right to object to the processing. Whether the objection is successful is to be determined as part of a balancing of interests. The processing of the data provided under this section is not required by law or contract. The functionality of the website is not guaranteed without the processing. Your personal data will be stored by Cloudflare for as long as necessary for the purposes described.
Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf.
3.15 Use of Sanity
3.16 Use of Matomo
(1) This website uses the web analytics service Matomo to analyze and regularly improve the use of our website. The statistics obtained allow us to improve our offer and make it more interesting for you as a user. The legal basis for the use of Matomo is Art. 6 para. 1 p. 1 lit. f DSGVO.
(2) Cookies are stored on your computer for this evaluation. You can set the evaluation by deleting existing cookies and preventing the storage of cookies. If you prevent the storage of cookies, we point out that you may not be able to use this website in full. Preventing the storage of cookies is possible through the setting in your browser.
(3) This website uses Matomo with the extension "AnonymizeIP". This means that IP addresses are processed in abbreviated form, which means that they cannot be directly linked to a specific person. The IP address transmitted by your browser via Matomo will not be merged with other data collected by us.
(4) The Matomo program is an open source project. Information from the third-party provider on data protection is available at https://matomo.org/privacy-policy/.
4 Data processing in the context of contacting us
4.1 Contacting by e-mail
Contacting our law firm by e-mail is possible via the e-mail addresses published on our website.
If you use this contact method, the data you provide (e.g. name, first name, address), but at least the e-mail address, as well as the information contained in the e-mail, together with any personal data you may have provided, will be stored for the purpose of contacting you and processing your request. In addition, the following data is collected by our system:
IP address of the calling computer;
Date and time of the e-mail.
The legal basis for the processing of personal data within the scope of e-mails transmitted to us is Art. 6 Para. 1 lit. b or lit. f DSGVO.
4.2 Contact via website contact form
Insofar as you use the contact form provided on our website for communication, it is necessary to provide your name and first name as well as your e-mail address. Without this data, your request transmitted via the contact form cannot be processed. The specification of the address is optional and allows us, if desired by you, to process your request by mail.
In addition, the following data is collected by our system:
IP address of the calling computer;
Date and time of registration.
The legal basis for the processing of personal data within the scope of e-mails transmitted to us is Art. 6 Para. 1 lit. b or lit. f DSGVO.
4.3 Contact by letter and fax
If you send us a letter or a fax, the data transmitted by you (e.g. name, first name, address) and the information contained in the letter or fax together with any personal data transmitted by you will be stored for the purpose of contacting you and processing your request.
The legal basis for the processing of personal data within the scope of letters and faxes transmitted to us is Art. 6 Para. 1 lit. b or lit. f DSGVO.
5. data processing when subscribing to our newsletter
If you register on our newsletter distribution list, your e-mail address and the newsletter you have selected will be stored by us on a server.
In addition, the following data is collected by the system during registration:
IP address of the calling computer;
Date and time of registration.
We use this data exclusively for sending the newsletter. The registration system with an additional confirmation message containing a link to the final registration (double opt-in) ensures that the newsletter was requested by you and not by a third party. During registration, your data is stored on our servers and a confirmation message with a link to the final registration is generated to the specified e-mail address. Only by confirming the link in the e-mail will your data be stored for newsletter distribution for the duration of the use of our offer.
If you no longer agree to the storage of data for this purpose and thus no longer wish to use our offer, you can unsubscribe from our newslet-ter at any time. For this purpose, you will find a corresponding link in each newsletter. The personal data you provided for the newsletter subscription will then be deleted.
Use of the German dispatch service provider "Sendinblue" (formerly Newsletter2Go)
Our newsletter is sent using "Sendinblue", an application of the German Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin. The e-mail addresses of the recipients of our newsletter, as well as their other data described in this data protection notice, are stored on the servers of Sendinblue GmbH. Sendinblue uses this information to send and evaluate the newsletter on our behalf. Sendinblue provides information on the functions used here: https://de.sendinblue.com/funktionen/.
The legal basis for the processing of personal data in the context of the described newsletter dispatch via Sendinblue including performance measurement is Art. 6 para. 1 lit. a), Art. 7 DSGVO in conjunction with § 7 para. 2 No. 3 UWG or, in the event that consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art. 6 para. 1 lt. f) DSGVO in conjunction with. § Section 7 (3) UWG.
We have concluded an order processing agreement with Sendinblue in accordance with Art. 28 DSGVO, in which Sendinblue undertakes to protect the data of our users, to process it on our behalf in accordance with the applicable data protection provisions and in particular not to pass it on to third parties. This agreement can be viewed at the following link: https://de.sendinblue.com/wp-content/uploads/sites/3/2020/10/AV_Muster_DE-aktuell.pdf.
Unsubscribing from the newsletter
You can unsubscribe from our newsletter at any time. At the same time, your consent to the sending of the newsletter via Sendinblue and the statistical analyses will expire. A separate cancellation of the sending via Sendinblue or the statistical analysis is not possible. You will find a link to cancel the newsletter at the end of each newsletter. On the basis of our legitimate interests, we retain the deleted email addresses for up to three years before they are deleted, also in order to be able to prove the previously granted consent to receive the newsletter.
6. data processing during Zoom videoconferences
We use the "Zoom" tool to conduct video conferences, telephone conferences, online meetings, and/or web seminars (hereinafter: "video conferences"). "Zoom" is a service provided by Zoom Video Communications, Inc. based in the United States. When using "Zoom", the types of data listed below are processed. The scope of the data processing depends, among other things, on the personal data you provide before or during participation in a video conference.
The following personal data are subject to processing:
User details: first name, last name, telephone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department (optional).
Conference metadata: Topic, description (optional), participant IP addresses, device/hardware information.
For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.
For telephone dial-in: Information on incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in a video conference. To this extent, the text entries you make are processed in order to display them in the video conference and, if necessary, to log them. To enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the "Zoom" applications.
In order to participate in an "online meeting" or to enter the "meeting room", you must at least provide information about your name.
Scope of Processing:
If we want to record video conferences, we will transparently inform you in advance and - if necessary - ask for consent. The fact of the recording will also be displayed to you in the "Zoom" app. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will usually not be the case. In the case of web seminars, we may also process questions asked by seminar participants for purposes of recording and following up on webinars. If you are registered as a user with "Zoom", then reports on video conferences (metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored by "Zoom" for up to one month. Automated decision-making within the meaning of Art. 22 DSGVO is not used.
"Zoom" is a service provided by a provider from the USA. A processing of personal data therefore also takes place in a third country (USA). We have concluded an order processing agreement with Zoom Video Communications, Inc. that meets the requirements of Art. 28 DSGVO.
An adequate level of data protection is guaranteed by the conclusion of the so-called EU standard contractual clauses.
The legal basis for data processing when conducting video conferences is Art. 6 (1) (b) DSGVO, insofar as the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) (f) DSGVO. Here, too, our interest is in the effective implementation of video conferences.
7. payment service provider
7.1 Use of PayPal
We offer the option of processing the payment transaction via the payment service provider PayPal (PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg). This is in line with our legitimate interest in offering an efficient and secure payment method (Art. 6 para. 1 lit. f DSGVO). In this context, we share the following data with PayPal to the extent necessary for the performance of the contract (Art. 6 para. 1 lit b. DSGVO).
The processing of the data provided under this section is not required by law or contract. Without the transmission of your personal data, we cannot make a payment via PayPal. It is possible for you to choose another payment method. PayPal carries out a credit check for various services such as payment by direct debit in order to ensure your willingness and ability to pay. This corresponds to the legitimate interest of PayPal (according to Art. 6 para. 1 lit. f DSGVO) and serves the execution of the contract (according to Art. 6 para. 1 lit. b DSGVO). For this purpose, your data (name, address and date of birth, bank account details) will be passed on to credit agencies. We have no influence on this process and only receive the result of whether the payment has been made or rejected or a check is pending.
For more information on objection and removal options vis-à-vis PayPal, please visit: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Your data will be stored until the completion of the payment processing. This includes the period required for processing refunds, claims management and fraud prevention. A statutory retention period of 10 years applies to us in accordance with [§ 147 AO / § 257 HGB].
7.2 Use of Stripe
We offer the option of processing the payment transaction via the payment service provider Stripe, ℅ Legal Process, 510,Townsend St., San Francisco, CA 94103 (Stripe). This is in line with our legitimate interest in offering an efficient and secure payment method (Art. 6 para. 1 lit. f DSGVO). In this context, we share the following data with Stripe to the extent necessary for the performance of the contract (Art. 6 para. 1 lit b. DSGVO).
Name of the cardholder
Credit card data
Credit card validity period
Credit card verification number (CVC)
Date and time of transaction
Name of the provider
Processing of the data provided under this section is not required by law or contract. We cannot process a payment via Stripe without the submission of your personal data. [You have the option to choose a different payment method].
Stripe has a dual role in data processing activities as a controller and processor. As a controller, Stripe uses your submitted data to comply with regulatory obligations. This is in accordance with Stripe's legitimate interest (pursuant to Art. 6 (1) lit. f DSGVO) and serves the performance of the contract (pursuant to Art. 6 (1) lit. b DSGVO). We have no influence on this process.
Stripe acts as an order processor in order to be able to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively according to our instructions and has been contractually obligated within the meaning of Art. 28 DSGVO to comply with the provisions of data protection law.
Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs).
For more information about opting out and opting in with Stripe, please visit: https://stripe.com/privacy-center/legal.
Your data will be stored by us until the payment processing is completed. This also includes the period required for processing refunds, receivables management and fraud prevention. According to [§ 147 AO / § 257 HGB], a statutory retention period of 10 years applies to us.
8. your rights
As a data subject, you are entitled to the following rights in connection with the processing of your personal data:
8.1 Right to information
(1) The data subject shall have the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she shall have the right to obtain information on such personal data and on the following:
(a)the purposes of processing;
b)the categories of personal data processed;
c)the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
d)if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
e)the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or the restriction of processing by the controller, or a right to object to such processing;
f)the existence of a right of appeal to a supervisory authority;
g)if the personal data are not collected from the data subject, any available information on the origin of the data;
h)the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
(2) If personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed about the appropriate safeguards pursuant to Article 46 DSGVO in connection with the transfer.
8.2 Right to rectification
The data subject has the right to obtain from the controller the rectification without undue delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
8.3 Right to erasure
(1) The data subject shall have the right to obtain from the controller the erasure without delay of personal data concerning him or her, and the controller shall be obliged to erase personal data without delay, if one of the following reasons applies:
(a)The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b)The data subject revokes the consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) DSGVO and there is no other legal basis for the processing.
c)The data subject objects to the processing pursuant to Art. 21 (1) DSGVO and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) DSGVO.
d)The personal data have been processed unlawfully.
e)The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
f)The personal data has been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.
(2) If the controller has made the personal data public and is obliged to erase it pursuant to paragraph 1, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to, or copies or replications of, that personal data.
(3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary
a)for the exercise of the right to freedom of expression and information;
(b)for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c)for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) and Art. 9(3) DSGVO;
d)for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1), where the right referred to in paragraph 1 is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
e)for the assertion, exercise or defense of legal claims.
8.4 Right to restriction of processing
(1) The data subject shall have the right to obtain from the controller the restriction of processing if one of the following conditions is met:
(a)the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data,
b)the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data;
c)the controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the establishment, exercise or defense of legal claims; or
d)the data subject has objected to the processing pursuant to Article 21(1) of the GDPR, as long as it has not yet been determined whether the legitimate grounds of the controller override those of the data subject.
(Where processing has been restricted pursuant to paragraph 1, such personal data may be processed - apart from being stored - only with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
8.5 Right to data portability
(1) The data subject shall have the right to obtain personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that
a)the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) DSGVO or on a contract pursuant to Art. 6(1)(b) DSGVO and
(b)the processing is carried out with the aid of automated procedures.
(2) When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible.
The right under paragraph 1 shall not affect the rights and freedoms of other persons.
This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8.6 Right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the DSGVO; this also applies to profiling based on these provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
In connection with the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications.
8.7 Right of withdrawal
The data subject has the right to revoke his/her declaration of consent under data protection law at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
8.8 Right to lodge a complaint with a supervisory authority.
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.