Privacy policy
Data protection
The protection of your personal data is important to us.
Below we would like to inform you that we request personal data from
you and store it electronically. Your data will be stored and
processed by us in compliance with the relevant provisions of
national data protection laws and the General Data Protection
Regulation (GDPR).
you and store it electronically. Your data will be stored and
processed by us in compliance with the relevant provisions of
national data protection laws and the General Data Protection
Regulation (GDPR).
The person responsible within the meaning of the aforementioned
regulations is:
regulations is:
NT Trading GmbH
Kamminer Str. 35
10589 Berlin
Email: contact@goodgirl-badhabits.com
I.General
1.Terms
In order to ensure the readability and comprehensibility of our
data protection declaration, we will inform you in advance about
the basic terms used in the GDPR.
data protection declaration, we will inform you in advance about
the basic terms used in the GDPR.
Personal Data
Personal data means
any information relating to an identified or
identifiable natural person (hereinafter “data subject”);
An identifiable natural person is a natural person who can be
identified directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location
data, an online identifier or to one or more special features that
express the physical , physiological, genetic, psychological,
economic, cultural or social identity of that natural person.
identifiable natural person (hereinafter “data subject”);
An identifiable natural person is a natural person who can be
identified directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location
data, an online identifier or to one or more special features that
express the physical , physiological, genetic, psychological,
economic, cultural or social identity of that natural person.
affected person
Data subject is any identified or identifiable natural person
whose personal data is processed by the data controller.
processing
Processing is any operation or series of operations carried out on Data
personal data, whether or not by automated means, such as the
collection, recording, organisation, structuring, storage,
adaptation or modification, reading, querying, use, disclosure by
transmission, distribution or other form of provision, alignment or
association, restriction, deletion or destruction.
personal data, whether or not by automated means, such as the
collection, recording, organisation, structuring, storage,
adaptation or modification, reading, querying, use, disclosure by
transmission, distribution or other form of provision, alignment or
association, restriction, deletion or destruction.
Restriction of processing
Restriction of processing is the marking of stored personal data
with the aim of restricting their future processing.
with the aim of restricting their future processing.
Profiling
Profiling is any type of automated processing of personal data
which consists in using these personal data to evaluate certain
personal aspects relating to a natural person, in particular aspects
relating to work performance, economic situation, health, personal
Analyze or predict the preferences, interests, reliability,
behavior, location or movements of that natural person.
which consists in using these personal data to evaluate certain
personal aspects relating to a natural person, in particular aspects
relating to work performance, economic situation, health, personal
Analyze or predict the preferences, interests, reliability,
behavior, location or movements of that natural person.
Pseudonymization
Pseudonymization is the processing of personal data in such a way
that the personal data can no longer be assigned to a specific data
subject without the use of additional information, provided that
this additional information is kept separately and is subject to
technical and organizational measures that ensure that the personal
data not be assigned to an identified or identifiable natural
person.
that the personal data can no longer be assigned to a specific data
subject without the use of additional information, provided that
this additional information is kept separately and is subject to
technical and organizational measures that ensure that the personal
data not be assigned to an identified or identifiable natural
person.
Controller or person responsible for processing
The person responsible or responsible for processing is the natural
or legal person, public authority, institution or other body which,
alone or jointly with others, decides on the purposes and means of
processing personal data. If the purposes and means of such
processing are determined by Union or Member State law, the
controller or the specific criteria for its nomination may be
provided for by Union or Member State law.
or legal person, public authority, institution or other body which,
alone or jointly with others, decides on the purposes and means of
processing personal data. If the purposes and means of such
processing are determined by Union or Member State law, the
controller or the specific criteria for its nomination may be
provided for by Union or Member State law.
Processor
Processor is a natural or legal person, authority, institution or
other body that processes personal data on behalf of the controller.
other body that processes personal data on behalf of the controller.
Recipient
The recipient is a natural or legal person, public authority,
institution or other body to which personal data is disclosed,
regardless of whether it is a third party or not. However, public
authorities which may receive personal data in the context of a
specific investigative task under Union or Member State law shall
not be considered as recipients.
institution or other body to which personal data is disclosed,
regardless of whether it is a third party or not. However, public
authorities which may receive personal data in the context of a
specific investigative task under Union or Member State law shall
not be considered as recipients.
Third
Third party is a natural or legal person, public authority, agency
or other body other than the data subject, the controller, the
processor and the persons authorized to process the personal data
under the direct responsibility of the controller or the processor.
or other body other than the data subject, the controller, the
processor and the persons authorized to process the personal data
under the direct responsibility of the controller or the processor.
consent
Consent is any voluntary, informed and unambiguous expression of
wishes given by the data subject for a specific case, in the form
of a statement or other unambiguous confirmatory act, by which the
data subject indicates that he or she agrees to the processing of
personal data concerning him or her is.
wishes given by the data subject for a specific case, in the form
of a statement or other unambiguous confirmatory act, by which the
data subject indicates that he or she agrees to the processing of
personal data concerning him or her is.
Payment service provider
Payment service providers are used to process payments within the
framework of contracts that a data subject concludes with the
person responsible.
framework of contracts that a data subject concludes with the
person responsible.
2.Type and scope of data collection
When you access our website or retrieve a file stored on our
website, data is collected and processed. In principle, this only
happens if this is necessary to provide a functional website and
its content and services. Furthermore, personal data is regularly
collected and used only with appropriate consent. An exception
applies in cases in which obtaining prior consent is not possible
for actual reasons and the processing of the data is permitted by
legal regulations.
website, data is collected and processed. In principle, this only
happens if this is necessary to provide a functional website and
its content and services. Furthermore, personal data is regularly
collected and used only with appropriate consent. An exception
applies in cases in which obtaining prior consent is not possible
for actual reasons and the processing of the data is permitted by
legal regulations.
a.Legal basis for processing personal data
If we obtain the consent of the data subject for the processing of
personal data, Art. 6 Para. 1 lit. a GDPR serves as the legal basis.
If personal data is processed to fulfill the contracts concluded
with us, Article 6 Paragraph 1 Letter b GDPR serves as the legal
basis. This also applies to processing operations that are
necessary to carry out pre-contractual measures. If the processing of personal data is necessary to fulfill a legal
obligation to which our company is subject, Article 6 Paragraph 1
Letter c GDPR serves as the legal basis.
If personal data is processed to fulfill the contracts concluded
with us, Article 6 Paragraph 1 Letter b GDPR serves as the legal
basis. This also applies to processing operations that are
necessary to carry out pre-contractual measures. If the processing of personal data is necessary to fulfill a legal
obligation to which our company is subject, Article 6 Paragraph 1
Letter c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or
another natural person require the processing of personal data,
Article 6 (1) (d) GDPR serves as the legal basis. If the processing is
another natural person require the processing of personal data,
Article 6 (1) (d) GDPR serves as the legal basis. If the processing is
necessary to protect a legitimate interest of
our company or a third party and the interests, fundamental rights
and freedoms of the data subject do not outweigh the first-mentioned
interest, Art. 6 Para. 1 lit. f GDPR serves as the legal basis for
the processing.
our company or a third party and the interests, fundamental rights
and freedoms of the data subject do not outweigh the first-mentioned
interest, Art. 6 Para. 1 lit. f GDPR serves as the legal basis for
the processing.
b.Data deletion and storage period
The personal data we collect will be deleted as soon as the purpose
of storage no longer applies. Storage takes place if this is provided for
of storage no longer applies. Storage takes place if this is provided for
by a law, an EU regulation or other regulations. Furthermore, deletion
occurs when a storage period prescribed by the standards mentioned expires, unless there is a need for further
storage of the data for the conclusion or fulfillment of a contract.
storage of the data for the conclusion or fulfillment of a contract.
II. Own data collection via the website
1.Log files
a.Description and scope of data processing
When you access our website Browser type/version Operating system
used Referrer URL (previously visited website), as well as pages
accessed on our website IP address Date and time of the server request
accessed on our website IP address Date and time of the server request
Internet service provider logged.
b.Legal basis for data processing
The legal basis for storing the data and log files is Article 6 (1)
(f) GDPR.
c.Purpose of data processing
Storage in log files ensures that our website functions properly.
It also serves to optimize and ensure the security of our systems.
The data will not be evaluated for marketing purposes in this
context.
It also serves to optimize and ensure the security of our systems.
The data will not be evaluated for marketing purposes in this
context.
d. Duration of storage
The data we store will be deleted as soon as it is no longer
required to achieve the purpose for which it was collected. This is
the case after seven days at the latest. Storage beyond this is
possible. In this case, the users' IP addresses are deleted or
altered so that it is no longer possible to assign the calling
client.
required to achieve the purpose for which it was collected. This is
the case after seven days at the latest. Storage beyond this is
possible. In this case, the users' IP addresses are deleted or
altered so that it is no longer possible to assign the calling
client.
e.Objection and possibility of elimination
The collection of the above-mentioned data is absolutely necessary
for the operation of the website. There is therefore no possibility
for the user to object.
for the operation of the website. There is therefore no possibility
for the user to object.
2.Technically necessary cookies
a.Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored on the visitor's computer system when our websites are accessed.
Cookies contain a string that allows the visitor's browser to be
identified when they visit our website again. We use technically
necessary cookies that serve to make our offering more user-friendly,
effective and secure. For example, the following data is stored and transmitted in the
cookies:
Cookies contain a string that allows the visitor's browser to be
identified when they visit our website again. We use technically
necessary cookies that serve to make our offering more user-friendly,
effective and secure. For example, the following data is stored and transmitted in the
cookies:
Articles in shopping cart
Login data
language settings
We pseudonymize the data obtained from this. It is therefore not
possible to assign the data to the visitor. Furthermore, this data
is not stored with other personal data. You can set your browser so that
possible to assign the data to the visitor. Furthermore, this data
is not stored with other personal data. You can set your browser so that
you are informed about the setting of cookies and decide individually
whether to accept them or exclude the acceptance of cookies for
certain cases or in general. If you do not accept cookies, the
functionality of our website may be restricted. If cookies are also set
on our websites for advertising and/or analysis purposes, we will
provide information about this separately in this declaration.
b.Legal basis for data processing
The legal basis for the processing of personal data using necessary
cookies is Article 6 (1) (f) GDPR.
cookies is Article 6 (1) (f) GDPR.
c.Purpose of data processing
Technically necessary cookies serve to simplify the use of websites.
Some functions of the website or online shop cannot be offered
without the use of cookies. For this it is necessary that the browser
is recognized even after a page change. The user data collected through
Some functions of the website or online shop cannot be offered
without the use of cookies. For this it is necessary that the browser
is recognized even after a page change. The user data collected through
technically necessary cookies is not used to create user profiles.
d. Duration of storage, possibility of objection and removal
Cookies are stored on the user's computer and transmitted by the user.
Therefore, users also have full control over the use of cookies. By
changing the settings in your internet browser, you can deactivate or
restrict the transmission of cookies. Cookies that have already been
saved can be deleted at any time. This can also be done automatically.
If cookies are deactivated for our website, it may no longer be
possible to fully use all functions of the website.
Therefore, users also have full control over the use of cookies. By
changing the settings in your internet browser, you can deactivate or
restrict the transmission of cookies. Cookies that have already been
saved can be deleted at any time. This can also be done automatically.
If cookies are deactivated for our website, it may no longer be
possible to fully use all functions of the website.
3.Contact form and email
If you contact us using the contact form or email, you agree to email communication that is encrypted for transport but not for content.
Please find out about the associated risks, e.g. here:
https://www.bsi-fuer-buerger.de.
a.Description and scope of data processing
We provide visitors to our website with a contact form for quick,
electronic contact. The data entered in the input mask will be
transmitted to us and stored. In addition, the user's IP address as well
as the date and time of transmission are stored at the time of sending. Alternatively, you can contact us using the email address provided. In
this case, the user's personal data transmitted with the email will be
stored. There is no transfer of the data to third parties. The data will
only be used to process the request.
b.Legal basis for data processing
The legal basis for processing the data is Article 6 Paragraph 1 Letter a
GDPR. The legal basis for the processing of data transmitted in the
course of sending an email is Article 6 (1) (f) GDPR. If the email contact
is aimed at concluding a contract, the additional legal basis for the
processing is Article 6 Paragraph 1 Letter b GDPR.
c.Purpose of data processing
The processing of personal data serves solely to process the contact.
If you contact us via email, this also represents the necessary legitimate
interest in processing the data. The other personal data processed
during the sending process serves to prevent misuse of the contact
form and to ensure the security of our information technology systems.
d. Duration of storage
The data will be deleted as soon as it is no longer required to achieve
the purpose for which it was collected. For the personal data from the
input mask of the contact form and those that were sent by email, this
is the case when the respective conversation with the user has ended.
The conversation ends when it can be seen from the circumstances
that the matter in question has been finally clarified.
The additional personal data collected during the sending process will
be deleted after a period of seven days at the latest. If the
correspondence results in a business transaction, we are legally
obliged to keep the exchanged correspondence for 6 years (starting
with the end of the calendar year in which the respective letter was sent).
e.Objection and possibility of elimination
The user has the option to revoke his consent to the processing of
personal data at any time. For this purpose, the user can contact the
person responsible using the contact options provided on the website.
If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot
continue. If the storage of data results from a legal obligation, there is
no right to object.
4.Newsletter
a.Description and scope of data processing
Users have the opportunity to subscribe to our newsletter on our
website. When you register for the newsletter, the data requested from
the input mask will be transmitted to us. The following data is also
collected when registering:
IP address of the login's computer
Date and time of registration
As part of the registration process, consent is obtained through a
so-called double opt-in procedure. If customers have purchased goods
or services from us and have provided their email address, this can also
be used to send a newsletter. In such a case, the newsletter will only be
used to send direct advertising for similar goods or services.
b.Legal basis for data processing
The legal basis for the processing of data after the user has registered
for the newsletter, provided the user has given his consent, is Article 6 Paragraph 1 Letter a of the GDPR. The legal basis for sending the
newsletter as a result of the sale of goods or services is Section 7
Paragraph 3 UWG.
c.Purpose of data processing
The purpose of collecting the user's email address is to deliver the newsletter. The collection of other personal data as part of the
registration process serves to prevent misuse of the services or the
email address used.
d. Duration of storage
The data will be deleted as
soon as it is no longer required to achieve the purpose for which it was collected. The user's email address is therefore stored as long as the subscription to the newsletter is active.
e.Objection and possibility of elimination
The subscription to the newsletter can be canceled at any time by the affected user. For this purpose, there is a corresponding link in every newsletter.
5. Registration during the ordering process or entry when ordering as a
guest
a.Description and scope of data processing
Users have the opportunity to register on our website. When registering,
the data requested from the input mask is transmitted to us and stored.
The same applies to the entries made as part of the guest order. The
personal data can be transferred to third parties, such as parcel service
providers, if this is necessary to fulfill the contract. They use the data
passed on exclusively for internal purposes that are attributable to us.
See Section III for details. this data protection declaration.
b.Legal basis for data processing
The registration and the guest order serve to carry out pre-contractual measures and to fulfill a contract to which the user is a party. The legal
basis for the processing of the data is Article 6 (1) (b) GDPR.
c.Purpose of data processing
User registration is necessary to fulfill contracts with users or to carry
out pre-contractual measures. The same applies to the entries made
as part of the guest order.
d. Duration of storage
The data will be deleted as soon as it is no longer required to achieve
the purpose for which it was collected. This is the case for the data
collected during the registration process if the registration on our
website is canceled or changed. This is the case during the registration process or the guest order process to fulfill a contract or to carry out
pre-contractual measures if the data is no longer required to carry out
the contract. Even after the contract has been concluded, it may be necessary to store the contractual partner's personal data in order to
comply with contractual or legal obligations. For legal reasons, we must
retain correspondence exchanged in connection with the conclusion of
a contract for 6 years (starting with the end of the calendar year in
which the respective letter was sent).
e.Objection and possibility of elimination
Users have the option to cancel their registration at any time. Users can change or have the stored data changed at any time. You can find out
how the registration can be deleted from the person responsible. If the
data is necessary to fulfill a contract or to carry out pre-contractual measures, early deletion of the data is only possible unless contractual
or legal obligations prevent deletion.
III.Data transfer to third parties for contract fulfillment
1. General
a.Description and scope of data processing
When you place an order, we only collect and use your personal data to
the extent that this is necessary to fulfill and process your order and to process your inquiries. The data you enter during the ordering process
will, if necessary for the fulfillment of the contract or approved by you,
be passed on to service partners that we need to process the
contractual relationship or service providers that we use as part of order
processing.
In addition to the recipients named in the respective clauses of this data protection declaration, these include, for example, recipients in the following categories: Shipping service providers, payment service providers, merchandise management service providers, order processing service providers, web hosts, IT service providers and dropshipping retailers.
b.Legal basis for data processing
The processing described above serves to fulfill a contract to which the user is a party. The legal basis for processing the data is Art. 6 Para. 1 lit. b GDPR.
c.Purpose of data processing
The transmission serves to fulfill our contractual obligations.
d. Duration of storage
Your data will be deleted when it is no longer required to carry out the contract, unless contractual or legal retention obligations conflict with this.
e.Objection and possibility of elimination
The user has the option at any time to revoke the consent given to the person responsible or the provider. If the data is necessary to fulfill a contract or to carry out pre-contractual measures, early deletion of the data is only possible unless contractual or legal obligations prevent deletion.
2.Payment service providers
a. Description and scope of data processing
If a user selects a payment service provider for payment processing during the ordering process, the user's data, which is required to carry out the payment, is automatically transmitted to them. These include, for example, the name and address, bank details such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract details, amounts and recipient-related information. In this case, the person responsible does not receive any account or credit card-related information, but only information as to whether the payment transaction was successful. Under certain circumstances, the payment service provider will transmit the data to credit reporting agencies for the purpose of identity and creditworthiness checks. In this respect, reference is made to the payment service provider's terms and conditions and data protection information, which you can view on their website. If you have to be registered with your chosen payment service provider in order to use it, you will be redirected to their website during the payment process. In this case, the provider collects the data itself. The data protection declaration of the respective payment service provider applies.
The payment service providers offered by the controller and further information about them can be found in the payment information.
b. Legal basis for data processing
The legal basis for processing the data is Article 6 (1) (b) GDPR (processing to carry out pre-contractual measures and fulfill a contract).
c. Purpose of data processing
The transmission of the data to the selected payment service provider serves to fulfill a contract to which the user is a party; it is carried out in particular for payment processing, to prevent misuse, and to check identity and creditworthiness.
d. Duration of storage
Your data will be deleted when it is no longer required for our business processes and there are no legal retention requirements. We have no influence on the storage of data by the payment service provider. Please contact the payment service provider you have chosen directly, who is the “responsible party” within the meaning of data protection regulations.
e. Possibility of objection and removal
You have the information in this data protection declaration under “III. “Rights of the data subjects” which can be asserted against the person responsible.
3. Data transmission for credit checks
a.Description and scope of data processing
In cases permitted by law, data may be transmitted to credit reporting agencies for credit checks as part of payment processing. The recipients of the data can be the following companies:
Schufa, SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden https://www.schufa.de/de/datenschutz/
Arvato Bertelsmann, Bertelsmann SE & Co. KGaA, Carl-Bertelsmann-Straße 270, 33311 Gütersloh, https://finance.arvato.com/de/ueber-arvato/datenschutz.html
Infoscore Claims Management GmbH, Gütersloher Str. 123, 33415 Verl, https://www.inkassoportal.de/rechts/datenschutz
Creditreform, Association of Creditreform e.V. associations, Hellersbergstraße 12, 41460 Neuss, https://www.creditreform.de/eu-dsgvo.html
Bürgel, CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich, https://www.crifbuergel.de/sites/default/files/documents/informationsblatt_dsgvo.pdf
b.Legal basis for data processing
The legal basis for processing the data is Article 6 Paragraph 1 Letter b GDPR.
c.Purpose of data processing
The transmission is carried out to prevent misuse and to check identity and creditworthiness.
d. Duration of storage
Your data will be deleted when it is no longer required for our business processes and there are no legal retention requirements. We have no influence on the storage of data by the provider. You can reach the provider using the contact details above.
e.Objection and possibility of elimination
The user has the option at any time to revoke the consent given to the provider or the person responsible. It is not possible to revoke data that is absolutely necessary for payment processing.
IV.Rights of the data subjects
1. Right to information
Any person affected by the processing of personal data may request confirmation from the person responsible as to whether the person's personal data is being processed. If such processing occurs, you can request information from the person responsible about the following information: Processing purposes Categories of personal data that are processed Recipients or the categories of recipients to whom the relevant personal data have been or will be disclosed planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage period Existence of a right to rectification or deletion of personal data concerning you, a right to restrict processing by the controller or a right to object to this processing
Existence of a right to lodge a complaint with a supervisory authority all available information about the origin of the data if the personal data is not collected from the data subject Existence of automated decision-making including profiling in accordance with Article 22 Paragraphs 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject The data subject also has the right to request information as to whether the personal data concerning him or her will be transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer. When processing data for scientific, historical or statistical research purposes: This right to information may be limited to the extent that it is likely to make the realization of the research or statistical purposes impossible or seriously impair it and the restriction is necessary for the fulfillment of the research or statistical purposes.
2.Right to rectification
Data subjects have the right to request rectification and/or completion from the controller if the processed personal data concerning them is incorrect or incomplete. The person responsible must make the correction immediately. When processing data for scientific, historical or statistical research purposes: Your right to rectification may be limited to the extent that it is likely to make impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.
3. Right to restriction of processing
Under the following conditions, data subjects may request the restriction of the processing of personal data concerning them: if the accuracy of the personal data in question is contested for a period enabling the controller to verify the accuracy of the personal data the processing is unlawful and the data subject refuses the deletion of the personal data and instead requests the restriction of the use of the personal data the controller no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise or defend legal claims, or if the data subject has lodged an objection to the processing in accordance with Article 21 Para. 1 GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh the reasons of the data subject. If the processing of the personal data in question has been restricted, these data - with the exception of their storage - may only be permitted with the consent of the data subject or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for important public reasons in the interests of the Union or a Member State. If the restriction of processing has been restricted in accordance with the above conditions, the data subject will be informed by the person responsible before the restriction is lifted. When processing data for scientific, historical or statistical research purposes: The data subject's right to restriction of processing may be limited to the extent that it is likely to make impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.
4. Right to deletion
a. Obligation to delete
The data subject may request from the controller that the personal data concerning him or her be deleted immediately, and the controller is obliged to delete this data immediately if one of the following reasons applies: the personal data concerned are no longer necessary for the purposes for which they were collected or otherwise processed; the data subject has withdrawn their consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) of the GDPR and there is no other legal basis for the processing; The data subject objects to the processing in accordance with Article 21 Paragraph 1 of the GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing in accordance with Article 21 Paragraph 2 of the GDPR; the personal data was processed unlawfully; the deletion of the personal data concerned is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject; The personal data in question were collected in relation to information society services offered in accordance with Article 8 (1) GDPR.
b.Information to third parties
If the person responsible has made the personal data in question public and is obliged to delete it in accordance with Article 17 Para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to ensure that those responsible for data processing, to inform those processing the personal data that you, as the data subject, have requested them to delete all links to this personal data or copies or replications of this personal data.
c.Exceptions
There is no right to deletion if processing is necessary to exercise the right to freedom of expression and information; to fulfill a legal obligation requiring processing under Union or Member State law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller: for reasons of public interest in the field of public health in accordance with Article 9 Paragraph 2 Letters h and i and Article 9 Paragraph 3 GDPR; for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 Para. 1 GDPR, insofar as the law mentioned under section a) is likely to make the achievement of the objectives of this processing impossible or seriously impair it, or to assert, exercise or defend legal claims.
5. Right to information
If the data subject has asserted the right to rectification, deletion or restriction of processing against the controller, the latter is obliged to notify all recipients to whom the relevant personal data has been disclosed of this rectification or deletion of the data or restriction of processing, unless , this turns out to be impossible or involves disproportionate effort. The data subject has the right to be informed about these recipients by the person responsible.
6.Right to data portability
Data subjects have the right to receive the personal data concerning them that has been provided to the controller in a structured, commonly used and machine-readable format. In addition, data subjects have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and the processing takes place using automated procedures.
In exercising this right, data subjects also have the right to have personal data concerning them transmitted directly from one controller to another controller, to the extent that this is technically feasible. The freedoms and rights of other people must not be impaired by this. The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
Data subjects have the right, for reasons arising from their particular situation, to object at any time to the processing of personal data concerning them, which is carried out on the basis of Article 6 (1) (e) or (f) of the GDPR; This also applies to profiling based on these provisions. The person responsible will no longer process the personal data in question unless he can demonstrate compelling legitimate grounds for the processing that outweigh the interests of the data subjects, their rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data concerned are processed for the purpose of direct advertising, data subjects have the right to object at any time to the processing of the personal data concerning them for the purpose of such advertising; This also applies to profiling insofar as it is connected to such direct advertising.
If data subjects object to processing for direct marketing purposes, the personal data concerning them will no longer be processed for these purposes. Data subjects have the opportunity, in connection with the use of information society services - notwithstanding Directive 2002/58/EC - to exercise their right to object by means of automated procedures using technical specifications. When processing data for scientific, historical or statistical research purposes: Data subjects also have the right, for reasons arising from their particular situation, to object to the processing of personal data concerning them for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR . The right to object can be limited to the extent that it is likely to make the realization of the research or statistical purposes impossible or seriously impair it and the restriction is necessary for the fulfillment of the research or statistical purposes.
8. Right to revoke the declaration of consent under data protection law
Data subjects have the right to revoke their declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before its revocation.
9.Automated decision-making in individual cases including profiling
Data subjects have the right not to be subject to a decision based solely on automated processing - including profiling - which has legal effects on them or similarly significantly affects them. This does not apply if the decision is necessary for the conclusion or performance of a contract between the data subject and the controller is permitted by Union or Member State law to which the controller is subject and such law contains appropriate measures to safeguard the rights and freedoms of data subjects and their legitimate interests, or with express consent
However, these decisions may not be based on special categories of personal data in accordance with Article 9 Paragraph 1 GDPR, unless Article 9 Paragraph 2 Letters a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests . With regard to the cases mentioned in points 1 and 3, the controller shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of data subjects, including at least the right to obtain human intervention on the part of the controller, to express one's own point of view and to appeal of the decision is heard.
10.Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or the place of the alleged infringement, if they are of the opinion that the processing of personal data concerning them violates the GDPR. The supervisory authority to which the complaint was submitted will inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.