PRIVACY POLICY

1 Preface

Data protection is of very great importance to DSC Software AG.

This data privacy statement explains the method, extent and aim of the processing of personal data in our online offer and related websites, functions and contents (in the following referred to jointly as “online offer” or “website”). The data privacy statement applies independently of domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offer is executed.

2 Person responsible

The party responsible in the sense of the General Data Protection Regulation (GDPR), plus other data protection laws applicable in the member states of the European Union and other regulations with data protection character is:

DSC Software AG
Am Sandfeld 17
76149 Karlsruhe
Germany

Tel.: +49 721 9774 100
E-mail: info@dscsag.com
Website: www.dscsag.com

3 Data protection officer

The data protection officer of the party responsible is:

ah-consulting GmbH
Am Sandfeld 17a
76149 Karlsruhe
Phone: +49 721 75 40 88 40
E-Mail: datenschutz@ah-consulting.gmbh
Website: www.ah-consulting.gmbh

In the event of questions and suggestions on the subject of data protection, anybody concerned can apply to our data protection officer.

4 Definition

4.1. Our data privacy statement is based on the terminology used by the European Regulator in the adoption of the General Data Protection Regulation (GDPR). Our data privacy statement is intended to be easy to read and understand by the public, our customers, and our business partners.

4.2. In order to ensure this, we wish to explain the terminology used in advance. Terms used (such as “personal data” or its “processing”) are defined in Art. 4 of the General Data Protection Regulation (GDPR).

4.3. In this data privacy statement, we use (among others) the following terms:

4.3.1. Personal data

Personal data consists of all information referring to an identified or identifiable natural person (in the following referred to as the “person concerned”). An identifiable person is a natural person who can be identified directly or indirectly, in particular by means of an assignment to a label such as a name, to an ID number, to location data, to an online ID or to one or more special features that are an expression of the physical, physiological, genetic, psychic, economic, cultural or social identity of this natural person.

4.3.2. Person concerned

The person concerned is any identified or identifiable natural person whose personal data is processed by persons responsible for the processing.

4.3.3. Processing

Processing is any process or operation carried out with or without the help of automatic procedures or any such series of operations in connection with personal data, for example: collecting, recording, organizing, ordering, storing, adapting or changing, reading, retrieving, using, disclosing through transmission, dissemination or other form of provision, comparing or linking, restricting, deleting, or destroying.

4.3.4. Restricting processing

Restricting processing is the marking of stored personal data with the aim of restricting its future processing.

4.3.5. Profiling

Profiling is any kind of automatic processing of personal data that consists in using such personal data in order to evaluate personal aspects referring to a natural person, in particular to analyze or predict aspects regarding job performance, economic situation, health, personal preference, interests, reliability, conduct, abode or change of abode of this natural person.

4.3.6. Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific person concerned without additional information so long as this additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be assigned to an identified or identifiable natural person.

4.3.7. Responsibility (including for processing)

The party responsible (including for processing) is the natural or legal person, authority, installation or other entity that decides, either alone or with others, on the aims and means of the processing of personal data. If the aims and means of this processing are controlled by EU law or the laws of EU member states, the party responsible – or the specific criteria of its nomination – can be so provided for according to EU law or the laws of EU member states.

4.3.8. Processor

The processor is a natural or legal person, authority, installation or other entity that processes personal data on behalf of those responsible.

4.3.9. Recipient

The recipient is a natural or legal person, authority, installation or other entity to whom personal data is disclosed, regardless of whether this was a third party or not. However, authorities that receive personal data in the course of a particular inquiry in accordance with EU law or the laws of EU member states are not considered as recipients.

4.3.10. Third party

A third party is a natural or legal person, authority, installation or other entity (other than the person concerned, the person responsible, the processor and the persons who are authorized to process the personal data under the direct responsibility of the person responsible or the processor) that is authorized to process the personal data.

4.3.11. Consent

Consent is any expression of willingness issued freely for the specific case in an informed manner and unambiguously by the person concerned in the form of a declaration or any other clearly affirmative act, with which the person concerned makes it quite clear that he or she agrees with the processing of the personal data concerned.

5 General notes on data processing

5.1 Extent of processing of personal data

Basically, we collect and use personal data of our users only if this is necessary for a functioning website as well as for our contents and services. The collection and use of personal data of our users takes place regularly only after consent has been granted by the user. An exception applies in cases where it is impossible to obtain consent in advance and the processing of the data is permitted by legal regulations.

5.2 Legal framework for processing personal data

5.2.1. If we obtain the consent of the person concerned for the processing of personal data, Art. 6 Sec. 1 lit. a EU General Data Protection Regulation serves as the legal basis.

5.2.2. In the processing of personal data that is required for fulfilling a contract of which the person concerned is a contractual party, Art. 6 Sec. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations required for the implementation of pre-contractual measures.

5.2.3. If the processing of personal data is required for meeting a legal obligation to which our company is subject, Art. 6 Sec. 1 lit. c GDPR serves as the legal basis.

5.2.4. In the event that vital interests of the person concerned or of another natural person necessitate the processing of personal data, Art. 6 Abs. 1 lit. d GDPR serves as the legal basis.

5.2.5. If processing is required for safeguarding a justified interest of our company or a third party, and if the die interests, basic rights and fundamental freedoms of the person concerned do not outweigh the first-named interest, Art. 6 Abs. 1 lit. f GDPR serves as the legal basis for the processing.

5.3 Data deletion and storage duration

5.3.1. The personal data of the person concerned is deleted or locked as soon as the purpose of the storage is no longer valid. Storage can also take place if provided for by European or national legislation in EU regulations, laws or other rules to which the party responsible is subject.

5.3.2. The data can also be locked or deleted if a storage period prescribed by the named standards expires – unless it is necessary to store the data for the purposes of the conclusion or fulfillment of a contract.

6 Provision of website and creation of log files

6.1 Description and extent of data processing

6.1.1. Every time our website is called, our system automatically records data and information of the computer system of the calling computer.

6.1.2. The following data is collected:

  • Information about the browser type and the version used
  • User’s operating system
  • User’s IP address
  • Date and time of access
  • Websites from which the user’s system reaches our website
  • Session cookie for identifying the logged-in user
  • Date and time of the user log-in
  • Storage of failed log-in attempts
  • Date and time of the creation of the user
  • Storage of denied accesses (403)
  • Storage of sites not found (404)
  • Acceptance of cookie policies
  • Store whether the user has activated JavaScript

6.1.3. The data is saved in the log files of the system. This data is not saved together with other personal data of the user.

7 Legal framework for data processing

7.1. The legal framework for the temporary storage of data and log files is Art. 6 Sec. 1 lit. f GDPR.

8 Purpose of data processing

8.1. The temporary storage of the IP address by the system is necessary to enable the website to be sent to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

8.2. Data is stored in log files in order to ensure the correct functioning of the website. The data also serves to optimize the website and ensure the security of our information-technical systems. In this context, there is no evaluation of the data for marketing purposes.

8.3. These aims also include our justified interest in data processing according to Art. 6 Sec. 1 lit. f GDPR.

9 Duration of storage

9.1. The data is deleted as soon as it is no longer required for achieving the purpose of its collection. Where data is recorded for providing the website, this applies when the respective session is ended.

9.2. If the data is stored in log files, this applies after a maximum of 14 days. Longer storage is possible. In this case, the user’s IP addresses are deleted or distorted so that the calling client can no longer be identified.

10 Appeal and disposal possibility

The recording of data for providing the website and the storage of the data in log files is mandatory for the operation of the website. The user therefore has no possibility of appeal against this.

11 Use of cookies

11.1 Description and extent of data processing

11.1.1. Due to our justified interest, we use so-called cookies on this website. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. If a user calls a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables a unique identification of the browser when the website is called again.

11.1.2. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can still be identified following a website change.

11.1.3. The following data is stored and transmitted in the cookies:

  • Technical cookies or system cookies (Session, JavaScript)
  • Cookies for improving usability (status of pop-up menus)
  • Analysis cookies for analyzing and improving site accesses

11.1.4. Furthermore, on www.sapectrforum.com: we use cookies that enable an analysis of the user’s surfing behavior.

11.1.5. In this way, the following data can be transmitted on www.sapectrforum.com:

  • Entered search terms
  • Frequency of site calls
  • Use of website functions

11.1.6. User data collected in this way is pseudonymized by technical measures. Thus an assignment of the data to the calling user is no longer possible. The data is not stored together with other personal data of the user.

11.1.7. When our website is called, the user is informed by an info banner about the use of cookies for analysis purposes and is referred to this data privacy statement.

11.1.8. When our website is called, the user is informed about the use of cookies for analysis purposes. In this context, information is displayed referring to this data privacy statement.

11.2 Legal framework for data processing

11.2.1. The legal framework for the processing of personal data with the use of cookies is Art. 6 Sec. 1 lit. f GDPR.

11.2.2. The legal framework for the processing of personal data with the use of technically necessary cookies is Art. 6 Sec. 1 lit. f GDPR.

11.3 Purpose of data processing

11.3.1. The purpose of using technically necessary cookies is to simplify the use of websites for users. Some of the functions of our website cannot be offered without the use of cookies. For these it is necessary that the user be recognized following a change of website.

11.3.2. User data collected by technically necessary cookies is not use on www.sapectrforum.com for the creation of user profiles.

11.3.3. We need cookies for the following applications:

11.3.3.1.  www.sapectrforum.com

  1. JavaScript activated
  2. Assent for cookie disclaimer
  3. Authentication of user in logged-in state to the website
  4. Request limitation
  5. Tracker version
  6. User identification

11.4 Duration of storage, appeal and disposal possibility

11.4.1. Cookies are stored on the user’s computer and transferred by that computer to us. As user, you therefore have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transfer of cookies. Stored cookies can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, it is possible that not all features of the website can be used fully.

11.4.2. The transfer of flash cookies cannot be prevented with the settings of the browsers but rather by changing the settings of the flash player.

12 Registration

12.1 Description and extent of data processing

12.1.1. On the basis of our justified interests, we offer users on this website the possibility of registering by entering personal data. The data is entered in an input mask and transferred to us and stored. The data is not passed on to any third parties.

12.1.2. The following data is collected in the registration process:

12.1.2.1. This data is entered in these mandatory fields:

  • Salutation
  • First and last name
  • Postion
  • Company
  • Company Address
  • Email Address
  • Country

12.1.2.2. All other entries that are not mandatory are also transmitted and stored.

12.1.3. The following data is also stored with the time of registration:

  • IP address of the calling computer
  • Date and time of registration

12.1.4. As part of the registration process, the user’s consent to the processing of the data is obtained.

12.2 Legal framework for data processing

12.2.1. The legal framework for the processing of the data if the user consents is Art. 6 Sec. 1 lit. a GDPR.

12.2.2. If the registration serves the fulfillment of a contract where the user is a contractual party, or the implementation of pre-contractual measures, an additional legal framework for the processing of the data is Art. 6 Sec. 1 lit. b GDPR.

12.3 Purpose of data processing

12.3.1. User registration is required for keeping specific contents and services ready on our website.

Contents and services in detail:

  • Manuals
  • Datasheets
  • Software
  • Updates
  • Information material

A closer identification of the user is necessary to enable an assignment of the acquired product and thus also the provision of the right documents and software updates.

12.4 Duration of storage

12.4.1. The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

12.5 Appeal and disposal possibility

12.5.1. At all times, users can withdraw their consent to the processing of their personal data. If users contact us by e-mail, they can forbid the storage of their personal data at any time. In such a situation, the conversation cannot be continued.

12.5.2. The withdrawal of consent and the forbidding of storage must be sent in writing to the data protection officer.

12.5.3. In this case, all personal data stored during the contact is deleted.

13  Contact form and e-mail contact

13.1 Description and extent of data processing

13.1.1. On the basis of our justified interests, we use on this website a contact form that can be used for the electronic first contact. If a user uses this form, the data entered in the input mask is transmitted to us and stored.

13.1.2. This data is entered in these mandatory fields:

  • Salutation
  • First and last name
  • Postion
  • Company
  • Company Address
  • Email Address
  • Country

13.1.3. All other entries that are not mandatory are also transmitted and stored.

13.1.4. The following data is also stored with the time of registration:

  • IP address of the calling computer
  • Date and time of registration

13.1.5. During this process, your consent is obtained and you are referred to this data privacy statement.

13.1.6. Alternatively, an initial contact is possible by means of the e-mail address provided. In this case, the user’s personal data sent with the e-mail is stored.

13.1.7. In this context, no data is passed on to third parties. The data is used exclusively for processing the conversation.

13.2 Legal framework for data processing

13.2.1. The legal framework for the processing of the data if the user consents is Art. 6 Sec. 1 lit. a GDPR.

13.2.2. The legal framework for the processing of the data transmitted with an e-mail is Art. 6 Sec. 1 lit. f GDPR. If the aim of the e-mail contact is to conclude a contract, an additional legal framework for the processing is Art. 6 Sec. 1 lit. b GDPR.

13.3 Purpose of data processing

13.3.1. We need to process personal data from the input mask only for dealing with the initial contact. If contact is made by e-mail, there is also a justified interest in the processing of the data.

13.3.2. The other data processed during the transmission procedure serves to prevent a misuse of the contact form and ensure the security of our informationtechnical systems.

13.4 Duration of storage

13.4.1. The data is deleted as soon as it is no longer required for achieving the purpose of its collection. For the personal data from the input mask of the contact form and the data sent by e-mail, this is the case when the respective conversation with the user ends. The conversation ends when it can be inferred from circumstances that the situation concerned has finally been clarified.

13.4.2. The extra data collected during the send process is deleted after a period of 14 days at the latest.

13.5 Appeal and disposal possibility

13.5.1. At all times, users can withdraw their consent to the processing of their personal data. If users contact us by e-mail, they can forbid the storage of their personal data at any time. In such a situation, the conversation cannot be continued.

13.5.2. The withdrawal of consent and the forbidding of storage must be sent in writing to the data protection officer.

13.5.3. In this case, all personal data stored during the contact is deleted.

14 Google Fonts

14.1 Extent of processing of personal data

14.1.1. On the basis of our justified interests, we use the Google Fonts service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).

14.1.2. Google Fonts provides an intuitive and robust directory of open-source designer web fonts. With a comprehensive catalogue, typography can be integrated seamlessly in any design project.

14.1.3. This service is used to integrate web fonts in our websites. The integration of the Google fonts takes place with a server call to Google, regularly via the URL https://fonts.google.com. The fonts are supplied by various designers and are open-source.

14.1.4. When a user calls our online offer, a request is usually transmitted to a Google server in the USA, where it is stored and processed.

14.1.5. Technically, the fonts embedded in our website are stored on a Google server and loaded from there when the site is called. Through the use of the Google Fonts, the Google server sends a corresponding file to each user, based on the technologies supported by the user’s browser.

14.1.6. Google is certified under the Privacy Shield Agreement, which means it offers a guarantee to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

14.1.7. The connection to Google Fonts is not authenticated. During a visit to our online offer, no cookies or log-in information is sent to Google. Corresponding queries to Google Fonts servers are sent to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com, so that requirements for fonts are basically separated from log-in information, which otherwise is sent to Google domains such as google.com or google.de, where it can be authenticated.

14.1.8. Google Fonts logs records of the CSS and the font file requirements. For statistical purposes, Google assigns aggregated usage numbers showing how popular font families are, and publishes these results on an Analytics website (https://fonts.google.com/analytics).

14.1.9. For further information on the Google Fonts service, see https://developers.google.com/fonts/faq.

14.2 Legal framework for processing personal data

The legal framework for the processing of users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

14.3 Purpose of data processing

14.3.1. Data is processed out of interest in the analysis, optimization and economic operation of the online offer in order to integrate content or service offers from third parties or their contents and services.

14.3.2. We use Google Fonts to make our website independent of the fonts installed by the user, the so-called system fonts, and to ensure a consistent display on different systems.

14.3.3. The purpose and extent of data collection and the further processing and use of the data by Google can be seen in the Google data privacy statement under https://policies.google.com/privacy?hl=de.

14.4 Duration of storage

14.4.1. The data is deleted as soon as it is no longer required for our recording purposes.

14.5 Appeal and disposal possibility

14.5.1. For further information on Google’s use of data and setting and appeal options, see the following Google websites: (“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“How Google uses cookies in advertising”), http://www.google.de/settings/ads (managing information used by Google to display advertising).

15 YouTube

15.1 Description and extent of data processing

15.1.1. On the basis of our justified interests, we use components of the YouTube service, which is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”).

15.1.2. YouTube is an internet video portal that enables video publishers to post video clips free of charge on the internet and other users to view, evaluate and comment on these, also free of charge. YouTube permits the publication of all types of videos, which is why not only complete film and TV programs but also music videos, trailers or users’ own home-made videos can be called via this internet portal.

15.1.3. Every call of a page of this website, which is operated by the person responsible for processing and on which a YouTube component (YouTube video) is integrated, automatically causes (due to the respective YouTube component) the internet browser on the IT system of the person concerned to download a display of the corresponding YouTube component from YouTube. For further information on YouTube, see under https://www.youtube.com/yt/about/de/. During this technical procedure, YouTube and Google receive knowledge about the actual subpage of our website that is visited by the person concerned.

15.1.4. If the person concerned is simultaneously logged into YouTube, YouTube recognizes with the call of the subpage exactly which subpage of our website is visited by the person concerned. This information is collected by YouTube and Google and assigned to the respective YouTube account of the person concerned.

15.1.5. By means of the YouTube component, YouTube and Google always receive information that the person concerned has visited our website if the person concerned is simultaneously logged into YouTube; this takes place independently of whether the person concerned clicks a YouTube video or not. If the person concerned does not want this information to be transmitted to YouTube and Google, he or she can prevent it by logging off from the You Tube account before calling our website.

15.2 Legal framework for data processing

The legal framework for the processing of users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

15.3 Purpose of data processing

15.3.1. Data is processed out of interest in the analysis, optimization and economic operation of the online offer.

15.3.2. The purpose and extent of data collection and the further processing and use of the data by YouTube can be seen in the data privacy statement of YouTube under https://www.google.de/intl/de/policies/privacy/.

15.4 Duration of storage

15.4.1. The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

15.5 Appeal and disposal possibility

15.5.1. If a user is simultaneously using the services of YouTube and doesn’t want YouTube to collect data about this online offer and link it to the user data stored with YouTube, he or she should log off from YouTube and delete all related cookies before using our online offer.

15.5.2. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. It may therefore be necessary that the user logs off from any possible Google user account and delete all related cookies.

15.5.3. Under https://www.google.de/settings/ads/authenticated, YouTube offers the option of forbidding targeted advertising.

16 Newsletter

16.1 Description and scope of data processing

On the basis of our justified interests, we offer our users on this website the possibility of subscribing to a free newsletter.

We send newsletters, e-mails and other electronic notifications with promotional information (referred to in the following as “newsletter”) only with the recipient’s consent or a statutory license. In this case, the data from the input screen is transmitted to us if a user registers for the Newsletter.

Insofar as the contents of a newsletter are precisely described during a registration for the newsletter, they are relevant for the user’s consent. Our newsletters also contain information on our products, offers, actions, and our company.

The following user data is collected:

  • E-mail address
  • First and last name
  • Title (optional)
  • Company
  • Position (optional)

The following data is collected during registration:

  • IP address of the calling computer
  • Date and time of registration

As part of the login procedure, the user’s consent is secured and the user is referred to this data privacy statement.

Registration for our newsletter takes place in a so-called double opt-in procedure – i.e., following registration, you receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with another e-mail address. The newsletter registrations are logged to provide proof that the registration process took place according to legal requirements. This includes the storage of the registration and confirmation times and also the IP address. Changes to your data stored by the delivery service provider are also logged.

If you order goods or services on our website and enter your e-mail address, this can later be used by us to send you the newsletter. In such a case, only direct advertising for similar goods or services from us is sent via the newsletter.

In connection with data processing for sending newsletters, no data is passed on to third parties. The data is used exclusively for sending the newsletter.

16.2 Legal basis for data processing

The legal basis for the processing of data following registration for the newsletter by the user and the existence of the user’s consent is Art. 6 Sec. 1 lit. a GDPR.

The legal basis for sending the newsletter following the sale of goods or services is § 7 Sec. 3 UWG (the German Fair Trade Practices Act).

16.3 Purpose of data processing

To register for the newsletter, you merely have to specify your e-mail address and your first and last names. Your e-mail address is needed so that we can send you the newsletter. We may also ask you to specify other data for the purpose of personal address in the newsletter.

If we ask for other personal data during the registration procedure, this is to prevent a misuse of services or of the e-mail address used.

16.4 Duration of storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. The user’s e-mail address is stored as long as the subscription to the newsletter is active.

Other personal data collected during the registration procedure is normally deleted after 14 days.

16.5 Appeal and disposal possibility

A subscription to the newsletter can be cancelled at any time by the user concerned. A corresponding link is specified for this purpose in every newsletter.

This also enables a withdrawal of consent to the storage of personal data collected during the registration procedure.

If users are registered only for the newsletter and cancel this registration, their personal data is deleted.

17 Rights of the person concerned

If your personal data is being processed, you are the person concerned in the sense of GDPR and you have the following rights vis-à-vis the person responsible:

17.1 Right to information

17.1.1. From the person responsible, you can demand confirmation about whether personal data concerning you is processed by us.

17.1.2. If your data is being processed, you can demand information from the person responsible about the following:

  1. The reason why the personal data is being processed
  2. The categories of personal data that are being processed
  3. The recipients or categories of recipients to whom your personal data has been or will be disclosed
  4. The planned duration of storage of your personal data or, if nothing concrete can be specified here, criteria for defining the duration of storage
  5. A right to correct or delete your personal data, a right to restrict processing by those responsible, or a right of appeal against this processing
  6. The right to appeal to a supervisory authority
  7. All available information about the origin of the data if the personal data is not collected for the person concerned
  8. The right to an automatic decision-making including profiling in accordance with Art. 22 Sec. 1 and 4 GDPR and – in these cases at least – meaningful information about the logic involved as well as the scope and the intended effects of such processing for the person concerned.

17.1.3. You have the right to demand information about whether your personal data is transmitted to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees acc. to Art. 46 GDPR in connection with the transmission.

17.1.4. This right to information can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

17.2 Right to correction

17.2.1. You have a right to correction and/or completion vis-à-vis the person responsible if your processed personal data is incorrect or incomplete. The person responsible has to make the correction immediately.

17.2.2. Your right to correction can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

17.3 Right to restriction of processing

17.3.1. You can demand restriction of processing of your personal data under the following conditions:

  1. You dispute the correctness of your personal data for a duration that enables the person responsible to check the correctness of your personal data
  2. Processing is illegal and you reject the deletion of your personal data and instead demand the restriction of the use of your personal data
  3. The person responsible no longer requires the personal data for purposes of processing, but you require it for the assertion, enforcement or defense of your legal rights
  4. You have appealed against processing in accordance with Art. 21 Sec. 1 GDPR and it is not yet certain whether the justified reasons of the person responsible outweigh your reasons.

17.3.2. If processing of your personal data has been restricted, this data – apart from its storage – may only be processed with your consent or for the assertion, enforcement or defense of your legal rights or to protect the rights of another natural or legal person or for reasons of an important public interest of the EU or a member state.

17.3.3. If restriction of processing is limited to the conditions listed above, you will be informed of this by the person responsible before the restriction is lifted.

17.3.4. Your right to restriction of processing can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

17.4 Right to deletion

17.4.1. You can demand from the person responsible that your personal data be deleted immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

  1. Your personal data is no longer required for the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent on the basis of which processing was carried out in accordance with Art. 6 Sec. 1 lit. a or Art. 9 Sec. 2 lit. a GDPR, and there exists no other legal basis for processing.
  3. You appeal against processing in accordance with Art. 21 Sec. 1 GDPR and there exist no overriding justified reasons for processing, or you appeal against processing in accordance with Art. 21 Sec. 2 GDPR.
  4. Your personal data concerned was unlawfully processed.
  5. The deletion of your personal data is necessary for the fulfillment of a legal obligation according to EU law or the laws of a member state to which the person responsible is subject.
  6. Your personal data was collected with regard to services offered by information society in accordance with Art. 8 Sec. 1 GDPR.

17.5 Information to third parties

If the person responsible has published your personal data and is legally obliged to delete it in accordance with Art. 17 Sec. 1 GDPR, he or she must take appropriate (including technical) measures, having regard to the available technology and the implementation costs, to inform those responsible for data processing who also process your personal data that you as the person concerned have demanded the deletion of all links to this personal data or of copies or replications of this personal data.

17.6 Exceptions

The right to deletion does not exist if processing is necessary for the following:

  1. Exercising the right to freedom of expression and information
  2. Fulfilling a legal obligation that requires processing according to EU law or the laws of the member states to which the person responsible is subject, or performing a task that is in the public interest or in the exercise of official authority that is assigned to the person responsible
  3. For reasons of public interest in the area of public health in accordance with Art. 9 Sec. 2 lit. h and i as well as Art. 9 Sec. 3 GDPR
  4. For archive purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89 Sec. 1 GDPR, provided the right named under Section a) will foreseeably make the realization of the aims of processing impossible or extremely difficult
  5. For the assertion, enforcement or defense of legal rights

17.7 Right to information

17.7.1. If you have enforced you right to correction, deletion or restriction vis-àvis the person responsible, this person is legally obliged to inform all recipients to whom your personal data was disclosed about this correction or deletion of the data or restriction of processing unless this proves to be impossible or is connected with disproportionate effort.

17.7.2. You have the right vis-à-vis the person responsible to be informed about these recipients.

17.8 Right to data portability

17.8.1. You have the right to receive the personal data that you have provided to the person responsible in a structured, common and machine-readable format. You also have the right to transfer this data to another person responsible without hindrance by the person responsible to whom the personal data was provided, if:

  1. Processing is based on consent in accordance with Art. 6 Sec. 1 lit. a GDPR or Art. 9 Sec. 2 lit. a GDPR or on a contract in accordance with Art. 6 Sec. 1 lit. b GDPR and
  2. Processing takes place with the aid of automatic procedures.

17.8.2. In enforcing this right, you also have the right to ensure that your personal data is transferred directly from one person responsible to another person responsible as far as this is technically possible. The freedoms and rights of other persons many not be impaired by this.

17.8.3. The right to data portability does not apply to the processing of personal data that is required for performing a task that is in the public interest or in the exercise of official authority that is assigned to the person responsible.

18 Right of appeal

18.1. You have the right for reasons applying to your particular situation to appeal at any time against the processing of your personal data that takes place on the basis of Art. 6 Sec. 1 lit. e or f GDPR; this also applies to profiling based on these regulations.

18.2. The person responsible no longer processes your personal data unless he or she can provide compelling legitimate reasons for processing that outweigh your interest, rights and freedoms, or the processing serves the assertion, enforcement or defense of your legal rights.

18.3. If your personal data is processed to pursue direct advertising, you have the right to appeal at any time against the processing of your personal data for the purposes of such advertising; this also applies to profiling if this is in connection with such direct advertising.

18.4. If you appeal against processing for the purposes of direct advertising, your personal data is no longer processed for these purposes.

180.5. In connection with the use of services of the information society – irrespective of Regulation 2002/58/EG – you can exercise your right to appeal using automatic procedures for which technical specifications are used.

18.6. You also have the right for reasons applying to your particular situation to appeal against the processing of your personal data conducted for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 Sec. 1 GDPR.

18.7. Your right to appeal can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

19 Right to withdraw declaration of consent concerning data privacy

You have the right at any time to withdraw your consent concerning data privacy. Through the withdrawal of consent, the legitimacy of the processing carried out on the basis of your consent up to its withdrawal is not affected.

20 Automatic decision case by case including profiling

You have the right not to be subjected to a decision based exclusively on automatic processing including profiling, a decision that evolves a legal effect on you or that considerably adversely affects you. This does not apply if the decision:

  1. is necessary for the conclusion or fulfillment of a contract between you and the person responsible
  2. is permissible on the basis of legal regulations of the EU or the member states to which the person responsible is subject and these legal regulations include appropriate measures for preserving your rights and freedoms as well as your justified interests, or
  3. is made with your express consent.

20.1. However, these decisions may not be based on special categories of personal data in accordance with Art. 9 Sec. 1 GDPR, as long as Art. 9 Sec. 2 lit. a or g GDPR does not apply and appropriate measures have been taken to protect your rights and freedoms as well as your justified interests.

20.2. With regard to the cases named in (1) and (3), the person responsible takes appropriate measures to protect your rights and freedoms as well as your justified interests, to which at least belongs the right to obtain the intervention of a person on the part of the person responsible, to present one’s own position, and to challenge the decision.

21 Right to complain to a supervisory authority

21.1. Irrespective of any other regulatory or legal remedy, you have the right to complain to a supervisory authority, in particular in the member state of your whereabouts, your workplace, or the place of the presumed infringement if you are of the opinion that the processing of your personal data violates the General Data Protection Regulation.

21.2. The supervisory authority to which the complaint is submitted informs the complainant about the state and results of the complaint including the possibility of a legal remedy in accordance with Art. 78 of the General Data Protection Regulation.