Data Protection Notice Evoqua Water Technologies GmbH
Protecting your data is a top priority for us and is taken into account in all of our business processes. If and insofar as you share personal data with us, these are processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, and with the statutory data protection regulations of the German Data Protection Act (BDSG).
The following privacy policy will provide you with a detailed overview of how your personal data are processed by us. Personal data means any information relating to an identified or identifiable natural person. By means of this privacy policy we would like to inform you about the nature, scope and purposes of the collection of your personal data and how we handle this data. You will also learn what rights you have in connection with the processing of your personal data.
1. Scope of this data protection notice
1.1. Basic principle
This data protection notice applies for all customers, interested parties and sales partners for the products, work and services provided by Evoqua Water Technologies GmbH (hereinafter referred to as: Evoqua GmbH) and for any other natural persons who contact us in connection with these products, work or services.
1.2. Additional validity of particular regulations for particular services
Additional data protection notices which supplement this general data protection notice may apply for certain services and products provided by Evoqua GmbH.
2. Contact details for the data controller and the data protection officer
2.1. Name and address of the data controller
The data controller in the meaning intended in the General Data Protection Regulation and other national data protection acts in Member States and other data protection regulations (Art. 4(7) GDPR) is:
Evoqua Water Technologies GmbH
Auf der Weide 10
89312 Günzburg
Germany
Tel: (+49) 8221 9040
E-mail: wtger@evoqua.com
2.2. Name and address of the data protection officer
The data controller’s data protection officer is:
Lisa Rehkugler
Intersoft Consulting Services AG
Beim Strohhause 17
20097 Hamburg
Germany
Tel: (+49) 711 601 452-97
E-mail: lrehkugler@intersoft-consulting.de
3. General information on the collection of personal data
3.1. Basic principles regarding the scope of processing of personal data
We share the philosophy underlying the GDPR and the German Data Protection Act (BDSG), namely that the collection and processing of personal data (“data”) must be kept to a minimum. That is why we only process personal data insofar as this is necessary for clearly defined purposes, which will be explained to you in the following (principles of data avoidance and data economy). Data processing is only permissible insofar as it has an adequate legal basis or is based on your consent (principle of legality).
Insofar as the following does not entail anything else, the terms “to process” and “processing” cover in particular the collection, use, disclosure and transmission of personal data (on this, see Art. 4(2) GDPR).
3.2. General information on the legal bases for processing personal data
3.2.1. General legal bases
In principle the processing of personal data is forbidden and only permitted in exceptional cases. The processing of data can only be lawful if the processing is supported by an adequate legal basis. The following are considered to constitute the latter:
- Insofar as consent has been obtained from the data subject for the processing of personal data, the legal basis for this shall be point (a) of Art. 6(1) GDPR.
- For the processing of personal data which is necessary for the performance of a contract to which the data subject is a party, the legal basis for this shall be point (b) of Art. 6 (1) GDPR. This also applies to processing procedures which are necessary to undertake measures prior to entering into a contract.
- Insofar as the processing of personal data is necessary for compliance with a legal obligation to which we are subject, the legal basis for this shall be point (c) of Art. 6(1) GDPR.
- In the event that the processing is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis for this shall be point (d) of Art. 6(1) GDPR.
- Insofar as processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis for this shall be point (e) of Art. 6(1) GDPR.
- Where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis for this shall be point (f) of Art. 6(1) GDPR.
3.2.2. Particular legal bases for the processing of special categories of personal data pursuant to Art. 9 GDPR
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.
Processing of these special categories of personal data can be permitted by us in exceptional cases, provided there is a suitable legal basis for this. The following are considered to constitute the latter:
- Insofar as the data subject has given explicit consent to the processing of those special categories of special data for one or more specified purposes, this constitutes the legal basis for the processing (point (a) of Art. 9(2) GDPR). This does not apply where Union or Member State law provides that the prohibition on processing may not be lifted by the data subject.
- Where the processing relates to personal data which are manifestly made public by the data subject, the legal basis for this shall be point (e) of Art. 9(2) GDPR.
- Insofar as the processing is necessary for the establishment, exercise or defence of legal claims, processing is permitted pursuant to point (f) of Art. 9(2) GDPR.
- Processing of the data is permitted insofar as, on the basis of Union or Member State law, it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; cf. point (f) of Art. 9(2) GDPR.
3.3. Objection and withdrawal of consent to the processing of your data
If you have already consented to your data being processed, you may withdraw this consent at any time. Once you have informed us that you withdraw your consent, such a withdrawal will affect the lawfulness of processing your personal data.
Insofar as the processing of your data is based on a balancing of interests, you may object to the processing. This applies in particular where the processing is not necessary in order to perform a contract with you as set out in the following description of the functions. Where you choose to exercise this right to object, we request that you state the reasons why we should not process your personal data as we currently do. Where there is a legitimate objection, we will look into the situation and will either cease processing or adjust it accordingly or will present to you the compelling legitimate grounds why we will continue to process your data. Naturally, you can object to the processing of your personal data for marketing/customer loyalty purposes at any time.
3.4. Erasure of data and duration of storage
Your personal data will be erased or blocked by us as soon as the purpose of processing ceases to exist; in this context blocking means removal of any connection of the data to your person. We may store data for longer than this if this is required by the European or national legislators in acts, laws or other directives to which we are subject. Data will also be blocked or erased once a period of storage prescribed by the aforementioned standards has expired, unless further storage of the data is necessary in order to enter into or perform a contract.
4. The purposes and legal bases for processing your personal data and other information on the actual processing of data
4.1. Visiting our website
4.2. Initiation and conduct of the business relationship
4.2.1. Description and scope of data processing
In the course of initiating business and conducting our business relationship, we collect, process and use the following data in particular:
- the customer’s basic and contact details: these include, in particular, their title, first name, surname, addresses, telephone numbers, e-mail addresses, languages, roles, sector in which active, membership of associations, age and date of birth, customer numbers;
- insofar as any authorised representatives or contact persons have been nominated: their basic details, in particular their name, date of birth and tax number, as well as contact details such as their current address, previous addresses, other shipping addresses, telephone numbers and e-mail addresses;
- as necessary, basic details of citizens, in particular their name, date and place of birth, nationality, marital status and tax number and contact data (current address, previous addresses, other shipping addresses, telephone numbers and e-mail addresses);
- the customer's interests, as well as those of authorised representatives and contact persons for marketing activities, in particular events and the sending of promotional materials;
- where necessary, data contained in the ID card or other identity papers provided and other authentication data, in particular sample signatures;
- contractual data, in particular data relating to contractual content, the persons entering into the contract, the start and expiry dates, payment by instalments, payment terms;
- the situation regarding income and assets in the course of self-disclosure, in particular proof of income, information on income, subsidiary income, existing obligations regarding payment of instalments, household expenses, savings, securities, value of the life insurance policy, value of real estate;
- bank details;
- information in connection with taxes, in particular tax identification number, certification on tax matters;
- financial statement documents or business assessments, corporate forecast figures and other business and fiscal information;
- information on conduct in connection with payment and contracts;
- information from postal, electronic or telephone communications between you and us or you and third parties;
- information on your business activities and any business partners;
- other information in connection with conducting the business relationship as necessary.
4.2.2. Where do these personal data come from?
In principle we collect your personal data directly from you. In addition, we also process other personal data which we have reliably received from other companies in the Evoqua Group (these are listed under item 4.2.3.3), insofar as this is necessary for performance of the contract entered into with you, in order to undertake steps prior to entering into a contract or where you have given your consent.
4.2.3. The purpose and legal bases for the data processing
4.2.3.1. Processing in the course of performing contractual obligations
We collect and process your data in the course of initiating and performing the contract to be entered into with you or the existing contract. We do this in particular in order to establish contact with you and to undertake general correspondence with you and your authorised representatives. This is necessary, for example, in order to agree the details and specifics of the work and services to be provided, delivery of our products and/or maintenance and servicing of our products with you. We also process your data so that we can allocate our services to you and in order to issue invoices.
We thus collect and process your personal data in order to fulfil our contractual obligations to you. We process this data on the legal basis established by point (b) of Art. 6(1) GDPR and thus in order to take steps prior to entering into a contract or for the performance of contracts.
4.2.3.2. Processing on the grounds of a legitimate interest
We also process your personal data insofar as this is necessary in order to safeguard our legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in this case, you) which require protection of personal data (point (f) of Art. 6(1) GDPR). “Third parties” means natural or legal persons such as companies, public authorities, agencies or other bodies. In this context, Evoqua GmbH, as the controller and its data processors are not “third parties” (cf. point 10 of Art. 4 GDPR). Processing on the grounds of a legitimate interest occurs in particular in the following cases and for the following purposes:
- In order to check your creditworthiness and on the grounds of our legitimate interest in avoiding a default on payment or any risk of insolvency, we transmit personal data regarding assumption, performance and termination of our business relationship and data relating to non-compliance with the contract to the Verband der Vereine Creditreform e.V. (“Creditreform”) and obtain information about your creditworthiness. More information about the activities undertaken by Creditreform is available online at www.creditreform.de.
- In order to check your creditworthiness and on the grounds of our legitimate interest in avoiding a default on payment or any risk of insolvency, where necessary we transmit personal data regarding assumption, performance and amount involved in our business relationship, as well as information on non-compliance with the contract to the trade credit insurer Zurich Insurance plc’s German subsidiary (“Zurich”) and take out insurance on the receivables owed by you. More information about the activities undertaken by Zurich is available online at www.zurich.de.
- We also process your data insofar as this is necessary in order to establish any legal claims and in order to defend ourselves in any legal disputes. To this extent we assume that our interests override your fundamental rights and freedoms which require protection of personal data.
4.2.3.3. Collection and processing on the grounds of consent
We further collect and process your personal data if you have previously expressly given consent for this (point (a) of Art. 6(1) GDPR).
This applies, among other things, to the storage of your data in an IT system which is shared with other companies in the group. This includes Evoqua LLC and all of its affiliated companies.
The companies mentioned above have technical access to the shared IT system and to the data stored therein. These data are only accessed insofar as this is necessary for the performance and development of a business relationship with you, e.g. in order to provides services in respect of servicing, maintenance and repairs or similar services and to order replacement parts. Use of your personal data in the shared IT system will only be made in the manner described above if you have previously given your consent to such use.
4.2.3.4. Companies of the Evoqua group
The following companies within Evoqua are allowed to exchange data:
- Evoqua Water Technologies LLC (USA)
- Evoqua Water Technologies GmbH (Germany)
- Evoqua Water Technologies Limited (UK)
- Evoqua Water Technologies Pty Ltd (Australia)
- Evoqua Water Technologies (Shanghai) Co Ltd (China)
- Evoqua Water Technologies Membrane Systems Pty Ltd (Australia)
- Evoqua Water Technologies Ltd (Canada - Alberta)
- Evoqua Water Technologies Ltd (Canada – British Columbia)
- Evoqua Water Technologies Ltd (Canada - Quebec)
- Evoqua Water Technologies Pte Ltd (Singapore)
- MAGNETO special anodes B.V. (Netherlands)
- Sonitec-Vortisand Technologies, Inc. (Canada – Quebec)
- MAGNETO special nodes (Suzhou) Co, Ltd (China)
- SCL International Trading Limited (China – Hong Kong)
- Geomembrane Technologies, Inc. (Canada – New Brunswick
- ADI Systems North America, Inc. (Canada – Nova Scotia)
4.2.4. Duration of storage
We only process and store your personal data for as long as this is necessary, in particular in order to comply with contractual or legal obligations. If there is no longer a reason to process your data, we shall delete the data, or, where this is not possible, we shall block any connection to you within our systems in compliance with data protection regulations.
In this context we store your data, in particular as follows:
- The period for compliance with the obligation to store information in connection with business and tax law set out in the statutory provisions is ten years for all documents required for calculating profit, and six years for all business letters (including e-mails);
- according to the provisions of the German Civil Code (BGB), statutes of limitation can be as much as 30 years, although the standard statute of limitations in three years. For this reason we retain all contractual documents and documents relating to the contract in accordance with this regulation on the statute of limitations.
4.3. Promotional measures and maintaining contact with customers
4.3.1. Description and scope of data processing
In the course of maintaining contact with you as a customer, we process your personal data, in particular:
- the customer’s basic and contact details, comprising, in particular, your title, first name, surname, postal addresses, e-mail addresses;
- insofar as any authorised representatives or contact persons have been nominated: their basic details, in particular their name and contact details, as well as other shipping addresses, telephone numbers and e-mail addresses, as necessary and positions held;
- where necessary, interest in specific products.
4.3.2. Where do these data come from?
In principle we collect your personal data directly from you. In addition, we also process other personal data which we have reliably received from other companies in the Evoqua Group (these are listed under item 4.2.3.3).
4.3.3. The purpose and legal bases for the data processing
4.3.3.1. Processing on the grounds of a legitimate interest
We process your e-mail address in order to contact you for advertising purposes. Processing of your other data is undertaken in order to personalise our contact with you and in order to provide specialised offers and information.
We process your personal data insofar as this is necessary in order to safeguard our legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in this case, you) which require protection of personal data (point (f) of Art. 6(1) GDPR):
- We process your data for direct advertising via the post in connection with products, services and work and, in individual cases, also regarding special events. Insofar as we obtained your e-mail address in connection with the sale of products or with work or services, we also use these data for sending promotional materials via e-mail, for promotional measures for other similar products, work or services available from us. We use these data to the extent described above for advertising purposes, as we assume that we have a legitimate interest in the use of your data and that this is not overridden by your fundamental rights and freedoms in respect of protection of your data. We would like to send you information about those of our products and services which we believe may be of interest to you at regular intervals.
- From time to time we also commission market research institutes in order to monitor customer satisfaction and so that we can optimise our products and services to the benefit of our customers. We likewise assume that your interests and your fundamental rights and freedoms, which require protection of your data, will not be unduly impaired by this.
4.3.3.2. Collection and processing on the grounds of consent
Insofar as we are not already using your data on the basis of our legitimate interests (as described above under item 4.3.3.1), we will obtain explicit consent in order to use your data for (other) advertising purposes.
4.3.4. Duration of storage
The data are deleted once they are no longer needed in order to fulfil the purpose for which they were collected. We will store your personal data for advertising purposes, that is to say the sending of information and offers on products and services, for a maximum of six years from the last relevant contact with you. A relevant contact means verbal communication, communication via the telephone or an exchange of written communications between us.
4.3.5. Possibility of objection or removal
If you object to the use of your data, we will cease sending you advertising materials. When we collect your data and each time that we use them, we will clearly and unequivocally point out your right to withdraw your consent at any time.
5. Passing on of your data to third parties
We will not pass any personal data on to companies, organisations or persons outside our company except in the following circumstances:
5.1. Passing on data to contracted data processors
We make personal data available to other companies which are affiliated to us or another company within our group and to third-party business partners and other reliable companies or persons who are contracted to process them on our behalf. This is undertaken on the basis of our instructions and in accordance with our privacy policy and other appropriate measures in respect of confidentiality and security.
5.2. Passing on data to affiliated companies (within the group) as part of our common data retention
In the course of the acceptance and performance of a contractual relationship with you, we save and process your data in an IT system which is also used by the other companies in the Evoqua Group listed under item 4.2.3.3. The data stored by us in this system are therefore technically accessible to these companies. In principle it is not our intention that your personal data should be accessed by these companies, but the possibility cannot be excluded. The companies will access your data insofar as this is necessary for a business relationship with you, as described under item 4.2.3.3, and insofar as you have given your consent for this.
5.3. Passing on data to suppliers
In the course of our business relationship with you, we will pass your data, in particular your first and surname, your address, your contact details, your customer and order number (where available), to suppliers which we have commissioned to manufacture or supply the products ordered by you in the course of manufacturing or servicing your product.
5.4. Passing on data to service providers
If you opt for a service product from us (service or maintenance), we will pass your data, in particular your first and surname, your address, your contact details, your customer and order number (where available), to our service providers, who need this in order to supply the service.
5.5. Passing on data to the Verband der Vereine Creditreform e.V.
In the course of our business relationship with you, we pass on the personal data we have collected from you relating to the initiation, performance and termination of our business relationship and data relating to non-compliance with the contract to the Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss/Germany.
5.6. Passing on data to trade credit insurers
In the course of our business relationship with you, we pass on the personal data we have collected from you in order to check your creditworthiness and on the grounds of our legitimate interest in avoiding a default on payment or any risk of insolvency to the trade credit insurer Zurich Insurance plc’s German subsidiary (“Zurich”) and take out insurance on the receivables owed by you. More information about the activities undertaken by Zurich is available online at www.zurich.de.
5.7. Passing on data for legal reasons, in particular to the authorities
We will pass personal data on to official bodies (the authorities), companies, organisations or persons outside our company if we are obliged to do so by applicable laws, regulations, legal processes or an enforceable order from the authorities, or where we, in good faith, suppose that access to this data or use, storage or the passing on of the same is reasonably necessary, in particular in order to comply with pertinent obligations.
5.8. Passing on data to banks and the providers of payment services
We will further pass on your personal data in connection with the processing of business relationships concerning products or services to banks and leasing and finance providers and to the providers of payment services for the accounting and processing of payments.
6. Passing on your data to a third country or an international organisation
6.1. Third-party companies
Insofar as not otherwise explicitly stated in this privacy policy, we do not transmit any personal data to third countries or international organisations.
6.2. Affiliated companies (within the group)
Occasionally your personal data will be passed on to other companies affiliated to us (within the group) in the United States of America (USA). Those companies in the USA affiliated with us (within the group) have signed up to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
7. Automated decision-making
We do not use any automated decision-making.
8. Rights
If personal data concerning you are processed, you are the data subject in the meaning intended in the GDPR and you have the following rights in connection with us, the controller:
8.1. Right to information
You have the right to obtain from the controller confirmation as to whether personal data relating to you are being processed by us. Where such processing is being undertaken, you have the right to obtain from the controller the following information:
- the purposes for which your personal data are being processed;
- the categories of personal data which are being processed;
- the recipients or categories of recipients to whom the personal data concerning you have been or are being disclosed;
- the period for which the personal data is intended to be stored, or, if concrete information on this is not available, the criteria used to determine that period;
- the existence of the right to rectification or erasure of the personal data concerning you, to restriction of processing by the controller or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- all available information on the source of the data, if the personal data were not collected from the data subject;
- the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You further have the right to be informed as to whether personal data relating to you were transferred to a third country or international organisation. Where this is the case, you also have the right to be informed regarding suitable safeguards pursuant to Art. 46 GDPR in connection with the transfer of data.
8.2. Right to rectification
You have the right to obtain from the controller rectification and/or completion of your personal data insofar as the personal data concerning you which are being processed are incorrect or incomplete. The controller must rectify the data without undue delay.
8.3. Right to restriction of processing
You have the right to obtain from the controller restriction of processing provided one of the following prerequisites applies:
- if you contest the accuracy of the data, for a period enabling the controller to verify the accuracy of the personal data;
- if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, or
- you have objected to processing pursuant to Art. 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
Where processing of your personal data has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. Where processing has been restricted subject to the above prerequisites, you will be informed by the controller before the restriction of processing is lifted.
8.4 Right to erasure
8.4.1. Right to be forgotten
You have the right to demand from the controller the erasure of personal data concerning you without undue delay and the controller is obliged to erase this data without undue delay where one of the following grounds applies:
- The personal data were collected or otherwise processed for purposes for which they are no longer required.
- You withdraw the consent on which the processing is based according to point (a) of Art. 6(1) GDPR, or point (a) of Art. 9(2) GDPR, and there is no other legal ground for the processing.
- You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
- The personal data concerning you were unlawfully processed.
- The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
8.4.2. Information to third parties
Where personal data have been made public by the controller and the data controller is obliged to delete this personal data pursuant to Art. 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copies or replication of, those personal data.
8.4.3. Exceptions
The right to erasure does not apply where the processing is necessary
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9(2) as well as Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR insofar as the right referred to in point a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
8.5. Right to information
You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. You further have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided
- the processing is based on consent pursuant to point (a) of Art. 6(1) GDPR or point (a) of Art. 9(2) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR and
- that the processing is carried out by automated means.
In exercising this right to data portability, you further have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be affected thereby. The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8.6. Right to data portability
You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. You further have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided
- the processing is based on consent pursuant to point (a) of Art. 6(1) GDPR or point (a) of Art. 9(2) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR and
- that the processing is carried out by automated means.
In exercising this right to data portability, you further have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be affected thereby. The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8.7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) GDPR; this also includes profiling based on these provisions. The controller shall no longer process the personal data unless he is able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you are entitled to exercise your right to object by automated means using technical specifications.
8.8. Right to withdraw consent to this data protection Privacy Policy
You have the right to withdraw your consent to this data protection privacy policy at any time. Withdrawal of your consent will not affect the lawfulness of the processing undertaken on the basis of your consent prior to it being withdrawn.
8.9. Right not to be the subject of automated decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply where the decision
- is necessary for entering into, or performance of, a contract between you and the data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on your explicit consent.
Nonetheless, these decisions may not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless point (a) or (g) of Art. 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in items (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
8.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.