As a person affected by data processing, in accordance with the GDPR, you have, among others, the following rights (hereafter referred to as “rights of the persons affected”):
Right to information (Article 15 GDPR)
You have the right to request information as to whether or not we process personal data about you. The first copy is free of charge. For further copies, a reasonable fee may be charged. A copy can only be provided if as the rights of other persons are not affected by this.
Right to rectification of data (Article 16 GDPR)
You have the right to request us to rectify your data when these are incorrect, incomplete, or both. This right also includes the right of completion through supplementary explanations or statements.
Right to erasure of personal data (Article 17 GDPR)
You have the right to request the erasure of your personal data when:
- The personal data are no longer necessary for the purposes for which they were collected and processed.
- The data processing is based on consent given by you and you have revoked the consent. This does not apply, however, if another legal permission for the data processing exists.
- You have filed an objection to data processing, the legal permission of which lies in the so-called “legitimate interest” (according to Article 6 Section 1 Letter e or f GDPR). However, erasure need not take place if there are overriding legitimate reasons for further processing.
- You have filed an objection to processing for the purpose of direct marketing.
- Your personal data have been processed unlawfully.
- It is data of a child collected for information society services (= electronic service) on the basis of consent (according to Article 8 Section 1 GDPR).
A right to erasure of personal data does not exist when:
- The right to freedom of expression and information precludes the request for erasure.
- The processing of personal data is necessary to fulfil a legal obligation (for example, legal obligations to preserve business records).
- The processing of personal data is necessary to carry out public functions and interests in accordance with applicable law (this also includes “public health”).
- The processing of personal data is necessary for the purposes of archiving, research, or both.
- The personal data are necessary to assert, exercise, or defend legal claims.
If personal data have been made public by us (e.g., on the Internet), we must, to the extent technically feasible and reasonable, ensure that other data processors are also informed of the request for erasure, including the erasure of links, copies, and/or replications.
Right to restriction of data processing (Article 18 GDPR)
You have the right to have the processing of your personal data restricted in the following cases:
- If you have disputed the accuracy of your personal data, you can request that we do not use your data for other purposes for the duration of the verification and thus limit their processing.
- In the case of unlawful data processing, instead of erasure of the data, you can request the restriction of the use of the data.
- If you need your personal data to assert, exercise, or defend legal claims, but we no longer need your personal data, you can request us to restrict processing to the purposes of legal proceedings.
- If you have objected to data processing (pursuant to Article 21 Section 1 GDPR) and it has not yet been determined whether our interests in processing override your interests, you can request that your data are not used for other purposes during the duration of the verification and thus limit their processing.
Personal data, the processing of which has been restricted at your request, may, provided that they are stored, only be processed – with your consent, for the assertion, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest. Should a processing restriction be revoked, you will be informed of this in advance.
Right to data portability (according to Article 20 GDPR)
You have the right to request the data which you have provided to us in a commonly used electronic format (e.g., as a PDF or Excel document). You can also request that these data are transmitted by us directly to another company (determined by you) provided that this is technically feasible for us. The prerequisite that you have this right is that:
- The processing is carried out on the basis of consent or for the execution of a contract and is carried out by means of automated procedures.
- The exercise of the right of data portability does not infringe on the rights and freedoms of other persons.
When you exercise the right of data portability, you also continue to have the right to the erasure of data pursuant to Article 17 GDPR.
Exercise of the rights of the persons affected
To exercise your rights of the persons affected, please contact the above office. Requests that are submitted electronically will as a rule be answered electronically. The information, notifications, and measures to be made available under the GDPR, including “the exercise of the rights of the persons affected”, are generally provided free of charge. Only in the case of manifestly unfounded or excessive requests are we entitled to charge an appropriate fee for processing or to refrain from taking action (pursuant to Article 12 Section 5 GDPR).
Should reasonable doubts as to your identity exist, we are permitted for the purpose of identification to request additional information from you. If an identification is not possible for us, we have the right to deny the processing your request. We will as far as possible inform you separately of a missing possibility for identification (see Article 12 Section 6 and Article 11 GDPR).
Requests for information are usually processed immediately, within one month of the receipt of the request. The period may be extended by an additional two months as long as this is necessary given the complexity and/or the number of requests. In the event of an extension, we will inform you of the reasons for the delay within one month of receipt of your request. If we do not act on a request, we will inform you immediately within one month of receipt of the request of the reasons for this and inform you of the possibility of lodging a complaint with a supervisory authority or seeking legal redress. (See Article 12 Section 3 and Section 4 GDPR).
Please note that you may exercise your rights as an affected person only within the framework of restrictions and limitations provided for by the Union or one of its member states (Article 23 GDPR).