Privacy Policy

1. An overview of data protection

General information

The following information provides you with an easy-to-navigate overview of what happens with your personal data when you visit this website. The term “personal data” comprises all data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our Data Protection Declaration, which we have included beneath this copy.

Data recording on this website

Who is the responsible party for the recording of data on this website?

The data on this website is processed by the operator of this website, whose contact information is available under the section “Legal disclosure” on this website.

How do we record your data?

We collect your data as a result of your sharing of your data with us. This may, for instance, be information you enter into our contact form.

Our IT systems automatically record other data when you visit our website. This data comprises mainly technical information (e.g. web browser, operating system or time the site was accessed). This information is recorded automatically when you enter this website.

What do we use your data for?

A portion of the information is generated to guarantee the error-free provision of the website. Other data may be used to analyse your user patterns.

What rights do you have regarding your data?

You have the right to receive information about the source, recipients and purposes of your stored personal data at any time without having to pay a fee for such disclosures. You also have the right to demand that your data is rectified or eradicated. Please do not hesitate to contact us at any time under the address given in the section “Legal disclosure” if you have any questions about this or any other data protection-related issues. You also have the right to lodge a complaint with the competent supervisory authority.

Moreover, under certain circumstances, you have the right to demand the restriction of the processing of your personal data. For details, please consult the Data Protection Declaration under section “Right to restriction of data processing”.

 

2. Hosting

External hosting

This website is hosted by an external service provider (host). Personal data collected on this website is stored on the servers of the host. This may include, but is not limited to, IP addresses, contact requests, meta and communications data, contract information, contact information, names, web page access, and other data generated through a website.

Our host will only process your data to the extent necessary to fulfil its performance obligations and to follow our instructions with respect to such data.

 

3. General information and mandatory information

Data protection

The operators of this website and its pages take the protection of your personal data very seriously. Hence, we treat your personal data as confidential information and in compliance with the statutory data protection regulations and this Data Protection Declaration.

Whenever you use this website, a variety of personal information will be collected. Personal data comprises data that can be used to personally identify you. This Data Protection Declaration explains which data we collect as well as the purposes we use this data for. It also explains how, and for which purpose the information is collected.

We herewith advise you that the transmission of data via the internet (e.g. through e-mail communications) may be prone to security gaps. It is not possible to completely protect data against third party access.

SSL and/or TLS encryption

For security reasons, and to protect the transmission of confidential content, such as purchase orders or enquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption programme. You can recognise an encrypted connection by checking whether the address line of the browser changes from “http://” to “https://” and also by the appearance of the lock icon in the browser line.

If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.

Information about the data processing controller (Art. 3 lit. i DSG) and/or the responsible party pursuant to Art. 4 No. 7 GDPR

Swiss IT Security Group AG
Etzelmatt 1
5430 Wettingen
Switzerland

E-mail: datenschutz@sits-group.ch

Data protection officer and representative pursuant to Art. 27 GDPR:

Dr Kraft, datenschutz@it-sec.de, Einsteinstr. 55, 89077 Ulm, tel: +49 731 20589-24

The controller and/or responsible party is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and the resources for the processing of personal data (e.g. names, e-mail addresses, etc.).

Revocation of your consent to the processing of data

A wide range of data processing transactions are possible only subject to your express consent. In principle, this is voluntary. You can also revoke at any time any consent you have already given us. To do so, all you are required to do is send us an informal notification via e-mail. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

Right to object to the collection of data in special cases; right to object to direct advertising for EU data subjects (Art. 21 GDPR)

IN THE EVENT THAT DATA ARE PROCESSED ON THE BASIS OF ART. 6 SECT. 1 F GDPR, YOU HAVE THE RIGHT TO AT ANY TIME OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON GROUNDS ARISING FROM YOUR UNIQUE SITUATION. THIS ALSO APPLIES TO ANY PROFILING BASED ON THESE PROVISIONS. TO DETERMINE THE LEGAL BASIS ON WHICH ANY PROCESSING OF DATA IS BASED, PLEASE CONSULT THIS DATA PROTECTION DECLARATION. IF YOU LOG AN OBJECTION, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE ARE IN A POSITION TO PRESENT COMPELLING PROTECTION-WORTHY GROUNDS FOR THE PROCESSING OF YOUR DATA THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS, OR IF THE PURPOSE OF THE PROCESSING IS THE CLAIMING, EXERCISING OR DEFENCE OF LEGAL ENTITLEMENTS (OBJECTION PURSUANT TO ART. 21 SECT. 1 GDPR).

IF YOUR PERSONAL DATA IS BEING PROCESSED IN ORDER TO ENGAGE IN DIRECT ADVERTISING, YOU HAVE THE RIGHT TO AT ANY TIME OBJECT TO THE PROCESSING OF YOUR AFFECTED PERSONAL DATA FOR THE PURPOSES OF SUCH ADVERTISING. THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS AFFILIATED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT ADVERTISING PURPOSES (OBJECTION PURSUANT TO ART. 21 SECT. 2 GDPR).

Right to log a complaint with the competent supervisory authority

In the event of violations of the GDPR, data subjects are entitled to log a complaint with a supervisory authority, in particular in the member state where they usually maintain their domicile, place of work or at the place where the alleged violation occurred. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.

Right to data portability

You have the right to demand that we hand over any data we automatically process on the basis of your consent or in order to fulfil a contract to you or to a third party in a commonly used, machine-readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.

Information about, rectification and eradication of data

Within the scope of the applicable statutory provisions, you have the right at any time to demand information about your archived personal data, its source and recipients, as well as the purpose of the processing of your data. You may also have a right to have your data rectified or eradicated. If you have questions about this subject matter or any other questions about personal data, please do not hesitate to contact us at the address provided in section “Legal disclosure”.

Right to demand processing restrictions

You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time at the address provided in section “Legal Disclosure”. The right to demand restriction of processing applies in the following cases:

  • In the event you should dispute the correctness of your data held by us, we will usually need some time to verify this claim. During the time that this investigation is ongoing, you have the right to demand that we restrict the processing of your personal data.
  • If we no longer need your personal data and you need it to exercise, defend or claim legal entitlements, you have the right to demand a restriction of the processing of your personal data.
  • If you have raised an objection pursuant to Art. 21 (1) GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you have the right to demand a restriction of the processing of your personal data.
  • If you have restricted the processing of your personal data, this data – with the exception of its storage – may be processed only subject to your consent or to claim, exercise or defend legal entitlements or to protect the rights of other natural persons or legal entities or for important public interest reasons cited by the European Union or a member state of the EU.

Data exchange within the group of companies

Data exchange within the group of companies to which we belong takes place exclusively within the EU/EEA and Switzerland as a country with an adequate level of protection pursuant to Art. 45 para. 1 GDPR and serves only internal administrative purposes or takes place pursuant to Art. 6 para. 2 lit. g DSG. By group of companies we mean affiliated companies within the meaning of Art. 4 No. 19 GDPR.

 

4. Recording of data on this website

Cookies

In some instances, our website and its pages use cookies, e.g. in order to recognise visitor preferences and to be able to optimally design the website accordingly. This allows for easier navigation and a high degree of user-friendliness. Cookies also help us identify particularly popular areas of our website. Cookies are small files that are stored on a visitor’s hard drive. They allow information to be retained for a certain period of time and identify the visitor’s computer. For better user guidance and individual performance presentation, we use permanent cookies.

Furthermore, we use so-called “session cookies”, which are automatically deleted when you leave our site. You can adjust the settings on your browser to make sure that you are notified every time cookies are placed. This makes the use of cookies transparent for you. This is done to check the authorisation of actions and the authentication of the requesting user of our services. The legal bases are Art. 13 para. 1 DSG (consent of the data subject or justification by law as well as legitimate interests) or Art. 6 para. 1 lit. a) GDPR, Art. 6 para. 1 lit. c) in conjunction with Art. 32 and Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is to secure our web server, to protect against attacks and to ensure the technically error-free provision of our services.

These cookies are addressed separately in this Data Protection Declaration.

Server log files

The provider of this website and its pages automatically collects and stores information in server log files, which your browser communicates to us automatically. The information comprises:

  • Type and version of browser used
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of server request
  • IP address

This data is not merged with other data sources.

This data is recorded on the basis of Art. 13 para. 1 DSG (consent of the data subject or justification by law as well as legitimate interests) and/or Art. 6 para. 1 lit. a, c, f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – for this purpose, the server log files must be recorded.

Online application process

This part of the data privacy policy applies to applicants to any of the companies of the SITS Group. This only applies to the extent that these applicants transmit personal data to us as part of the application process, e.g. application in paper form, e-mail, contact forms with attachments or through the Greenhouse applicant portal. Application documents submitted on paper are scanned and stored in Greenhouse; the paper documents are then disposed of in compliance with data protection law via a shredder or a certified service provider or sent back to the candidates. Application documents sent by e-mail are stored in Greenhouse; the e-mails are then deleted.

We only process your personal data to process your application and/or within the framework of the talent pool. The processing of your application also includes, if necessary, the use of your data to contact you by e-mail and/or post and/or telephone. Recruiters, hiring managers and interviewers have access to your documents. Another form of processing is carried out anonymously for the purpose of measuring the success of job placements and the technical application channels used, as well as anonymously with regard to the skills of applicants submitted.

Insofar as you have given your consent to the processing of your personal data, Art. 6 (1) lit. a GDPR serves as the legal basis. This is particularly the case within the scope of the talent pool. When processing your personal data that is necessary for the performance of a contract to which you are a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

The data is processed with the help of systems of Greenhouse Software, Inc., a company based in the USA. The SITS Group has concluded a contract with Greenhouse for this purpose based on the EU standard data protection clauses in accordance with Article 46 GDPR and has implemented sufficient technical and organizational measures to adequately protect your data. The data is stored exclusively on European servers. The transmission of the data entered by you as well as the file attachments sent along takes place via a transport-secured connection. If you want more detailed information regarding the use of Greenhouse as a US service provider, please contact us at: datenschutz@it-sec.de.

The deletion of the stored personal data of the applicant takes place automatically at the earliest after 4 weeks, but at the latest after 5 years, from the date on which the applicant was informed that the position will not be filled by him and no other legal requirements conflict with this. The time limit results from the legal requirements of the respective countries for the equal treatment of applicants.

If you have given your consent to be included in the talent pool, your data will be stored in our system for up to 1 year in order to be considered in advance for future job vacancies. In this context, we use the data you provide to contact you by e-mail and/or mail and/or telephone.

When sending application documents outside our application portal, by mail, e-mail or via an agency, you will receive a summary of this privacy policy together with a confirmation of receipt of your application or, at the latest, in the event of a negative response on our side. In these cases we process the applicant data in our Greenhouse applicant portal, unless you expressly object to this procedure in the context of your e-mail.

Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up enquiries. We do not pass on this data without your consent.

The processing of the data entered in the contact form is therefore based exclusively on your consent (Art. 13 para. 1 DSG or Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. All you need to do is send us an informal notification by e-mail. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

The data sent by you to us via the contact form will remain with us until you request us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Google reCAPTCHA

Our website uses the ‘Google reCAPTCHA’ service, which is intended to enable a distinction to be made between intentional data entry by a natural person and the automatic or automated misuse of data entry. The IP address and any other data required by Google for the service will be forwarded to Google. The data is processed in accordance with Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is to determine whether a request actually originates from a natural person and needs to be processed and thus to avoid unnecessary sorting out of spam mails.

It is possible that the data will also be transferred to servers in the USA.

Recipient of the data: Google Ireland Ltd, Gordon House, 4 Barrow St, Dublin, D04 E5WE, Ireland.

In the case of the transfer of data to the USA: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

The legal basis for the transfer is the EU Standard Contract 2010 pursuant to Art. 46 para. 2 lit. c GDPR in conjunction with the decision of the EU Commission of 05.02.2010 (2010/87/EU). Additional measures to ensure greater protection of personal data and effective legal protection for data subjects are currently being prepared.

Enquiry by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry including all resulting personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.

This data is processed on the basis of Art. 13 para. 2 lit. a) DSG or Art. 6 para. 1 lit. b GDPR, insofar as your request is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 13 para. 1 DSG or Art. 6 para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 13 para. 1 DSG or Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in effectively processing the enquiries addressed to us.

The data you send to us via contact requests will remain with us until you request us to delete it, you revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

 

5. Analysis tools and advertising

Matomo (formerly Piwik)

This website uses the open-source web analysis software Matomo to optimise and statistically evaluate visitor access to our website.

This website uses Matomo exclusively without the use of cookies, which means that Matomo does not set cookies on your terminal device at any time. Personal usage data is therefore only processed anonymously. The processing of the data obtained in this way takes place exclusively on our own servers in Germany. There is no access to the data by third parties.

Alternatively, you can also object to the storage and analysis of the data collected by Matomo at any time HERE. In this case, an opt-out cookie ensures that Matomo does not collect any session data.

In addition, as part of our website analysis, we naturally respect your ‘Do not Track’ preference as you have set it in your browser.

General information on data protection at Matomo: https://matomo.org/docs/privacy/

 

 

6. Plugins and tools

Adobe Fonts/Adobe Typekit

We use Adobe Typekit/Adobe Fonts to display fonts on our website. This is a service that provides access to a font library and is provided by the company Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe).

When you access this website, your browser loads the required fonts directly from Adobe so that they can be displayed correctly on your terminal device. In doing so, your browser establishes a connection to Adobe’s servers in the USA. This enables Adobe to know that your IP address has been used to access this website. According to Adobe, no cookies are stored when the fonts are provided.

The use of Adobe Fonts/Typekit is necessary to ensure a consistent typeface on this website. This represents a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.

You can find more information about Adobe Fonts at: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.

The Adobe privacy policy can be found at: https://www.adobe.com/de/privacy/policy.html.

YouTube video embedded via iFrame in enhanced privacy mode

We use YouTube, a service from Google, to show you video content. To protect your privacy, we have activated the extended privacy mode.
YouTube also uses cookies to collect information about visitors to their website. YouTube uses these, among other things, to collect video statistics, to prevent fraud and to improve user-friendliness. In the process, calling up a video usually also leads to a connection being established with the Google DoubleClick network. When you start the video, this could trigger further data processing operations, especially if you are already logged into YouTube. We have no influence on this.

By pressing the start button on the video, you consent to the transmission of data to Google. Other Google services are also used (e.g. Google Fonts). Your consent exists only as long as you are on the page.

For more information about data protection at YouTube, please see their privacy policy (http://www.youtube.com/t/privacy_at_youtube).
Recipients of the data: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

In case of access to the data from the USA (e.g. support): Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
The legal basis for the transfer is the EU standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR.

7. Social networks

LinkedIn Social network:

LinkedIn:

https://de.linkedin.com/

Please note that LinkedIn is simply another of several options for contacting us or receiving information from us. Alternatively, the information offered via our LinkedIn account can also be accessed on our website, for example.

Responsible party with whom our LinkedIn account (“fan page”) is jointly operated (“platform operator”):

LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA

Data controller for individuals living in the European Union (EU) and the European Economic Area (EEA) and Switzerland:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

In an agreement pursuant to Art. 26 para. 1 of the GDPR, the joint controllers determined who fulfils which obligation pursuant to the GDPR. The platform operator shall make the essential contents of this agreement available to the data subjects: https://legal.linkedin.com/pages-joint-controller-addendum

Data protection contact details:

The contact details for data protection can be found in our Data Protection Declaration, linked here. The platform operator’s data protection officer can be contacted at the following web form HTTPS://WWW.LINKEDIN.COM/HELP/LINKEDIN/ASK/TSO-DPO or at the following address:

Jonathan Adams
Senior Privacy Counsel

LinkedIn Corporation Legal Department – Privacy
1000 W. Maude Ave. Sunnyvale,
California 94085

Categories of data subjects: Both registered and unregistered visitors to our fan page on the social network.

We would like to make the persons concerned aware that they use LinkedIn and its functions on their own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, rating).

Categories of personal data: Data that we process from registered visitors to our fan page: User ID or user name under which the data subjects have registered, released profile data (name, e-mail address, telephone number), ProFinder profile data, education, work experience, salary expectations, photo, location data, skills and endorsed skills, professional achievements (e.g. granting of patents, professional recognition, projects), possibly also special categories of personal data such as religious affiliation, health data etc., data arising from content sharing, messaging and communication, data required in the context of contract initiation or execution at the request of registered visitors, other data and content freely published, provided, disseminated, posted or uploaded by data subjects on LinkedIn or via their LinkedIn account. Otherwise, we only process pseudonymised data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided via it (page activities, page views, “like” votes, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements regarding …

The pseudonymised data cannot be combined with the corresponding assignment feature (e.g. name details) by us. This makes it impossible for us to identify individual visitors, who thus remain anonymous to us.

Data we process from non-registered visitors to our fan page:

Pseudonymised data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided via it (page activities, page views, “like” votes, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements regarding …

The pseudonymised data cannot be combined with the corresponding assignment feature (e.g. name details) by us. This makes it impossible for us to identify individual visitors, who thus remain anonymous to us.

Data we process from our website visitors:

Integrating the LinkedIn button (pure link) into our website does not transmit any IP addresses of website visitors to the platform operator.

Data that the platform operator processes about registered and non-registered visitors to our fan page can be found at the following link:

https://www.linkedin.com/legal/privacy-policy

The platform operator may use various analysis tools for evaluation. We have no influence on the use of such tools by the platform operator and were not informed about such potential use.

If tools of this kind are used by the platform operator for our fan page, we have neither commissioned nor approved this nor supported it in any other way. Nor is the data obtained during the analysis made available to us. Moreover, we have no possibility of preventing or turning off the use of such tools on our fan page, nor do we have any other effective means of control.

Origin of the data

We receive the data directly from the data subjects or from the platform operator. Where the platform operator obtains the data of the data subjects can be seen at the following link: https://www.linkedin.com/legal/privacy-policy

We have no influence on or effective means of control over whether the procurement of data by the platform operator is permissible.

Legal basis for data processing

We process data on the following legal bases:

  • Art. 6 para. 1 lit. a) GDPR: Consent of the data subjects
  • If applicable, Art. 6 para. 1 lit. b) GDPR: Fulfilment of a contract with the data subject or implementation of pre-contractual measures at the request of the data subject
  • Art. 6 para. 1 lit. f) GDPR: Legitimate interest
      • Simplification of communication and data exchange by meaningfully supplementing the existing communication channels, such as website, press releases, print products and events, through the fan page
      • Promoting sales of our products and services
      • Optimisation of our fan page

We process special categories of personal data, if at all, only on the basis of the following legal grounds:

  • Art. 9 (2) (a) GDPR: Consent of the data subject
  • Art. 9 (2) (e) GDPR: The data subject has manifestly made the personal data public

The legal grounds on which the platform operator’s data processing is based can be found at the following link:

https://privacy.xing.com/en/privacy-policy

We have no influence or effective means of control over whether the data processing by the platform operator is permissible.

Purposes of data processing

We process data for the following purposes:

  • Public presentation and advertising
  • Communication and data exchange
  • Event management
  • If necessary, contract initiation and execution

Information on the purposes for which the platform operator processes data can be found at the following link: https://privacy.xing.com/en/privacy-policy

We have no influence on the purposes for which the platform operator actually uses the data. We also have no effective means of control in this respect.

Storage period

The storage and deletion of data is the duty of the platform operator. Information on this can be found at the following link: https://privacy.xing.com/en/privacy-policy

We have no influence on how the platform operator determines the regular deletion periods and in what way the data is deleted. We also have no effective means of control in this respect.

Categories of recipients

Only our employees and service providers who manage our fan page and require the data for the above-mentioned purposes have access to the data we process. If the data subjects post their data publicly on our fan page, it can be accessed by other registered and possibly also non-registered visitors.

The categories of recipients to whom the platform operator discloses the data or enables registered visitors to disclose their data, as well as information on intra-group data exchange, can be found at the following link: https://privacy.xing.com/en/privacy-policy

We have no influence on the disclosure of data to individual (categories of) recipients by the platform operator. We also have no effective means of control in this respect.

Data transfers to third countries

If data subjects post their data publicly on our fan page, it can be accessed by other registered and possibly also non-registered visitors.

Involved logic and scope of profiling or automated individual decision-making based on the collected data

If data subjects are tracked through the collection of their data, whether through the use of cookies or similar technologies or through the storage of their IP address, the platform operator is obliged to inform them of this. Information on this can be found at the following link:

https://privacy.xing.com/en/privacy-policy

The platform operator may use various analysis tools for evaluation purposes.

We have no influence on the use of such tools by the platform operator and have not been informed about any such potential use. If tools of this kind are used by the platform operator for our fan page, we have neither commissioned nor approved this nor supported it in any other way. Nor is the data obtained during the analysis made available to us. Moreover, we have no possibility to prevent or turn off the use of such tools on our fan page, nor do we have any other effective means of control.

Rights of data subjects

Joint controllers must provide data subjects with various rights regarding the processing of their data, which they can exercise directly in relation with the platform operator:

Data subjects have a right of access, rectification or deletion of personal data concerning them or a right to restriction of data processing by the data controller if certain conditions are met in accordance with Art. 15 to 18 GDPR. Data subjects also have the right to revoke their consent to the processing of their personal data at any time with effect for the future (Art. 7 (3) GDPR).

They may also object to the further processing of their data, which is based exclusively on the legitimate interest of the controller pursuant to Art. 6 (1) (f) GDPR (Art. 21 (1) GDPR), insofar as legitimate interests in the exclusion of data processing arise from their particular personal situation and there are no longer any compelling legitimate reasons for the controller to continue processing their data. Insofar as personal data is processed for the purpose of direct marketing, data subjects have the right to object to this processing with effect for the future at any time (Art. 21 (2) GDPR).

If the data processing is based on the consent of the data subject pursuant to Art. 6 (1) (a), Art. 9 (1) (a) GDPR or pursuant to Art. 6 (1) (b) GDPR on a contract with the data subject, and is carried out with the help of automated processes, the data subjects may, pursuant to Art. 20 (1) GDPR, request to receive the personal data stored about them in a structured, common and machine-readable format, or to have it transferred to a third party designated by the data subject.

In principle, data subjects have the right not to be subject to automated individual decision-making pursuant to Art. 22 (1) GDPR. Where such an automated individual decision is permitted under Art. 22 (2) (a) to (c) GDPR, data subjects are granted the following rights under Art. 22 (3) GDPR: Right to express one’s point of view, right to object to the intervention of a person by the controller, right to challenge the automated individual decision (right of challenge).

Furthermore, data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data violates the GDPR (Art. 77 GDPR). The supervisory authority responsible for the platform operator is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
(The Hamburg Commissioner for Data Protection and Freedom of Information)

Ludwig-Erhard-Str. 22, 7. OG

20459 Hamburg, Germany

Phone: +49 40 428 54 4040

Fax: +49 40 428 54 4000

Email: mailbox@datenschutz.hamburg.de