X. Rights of the data subject
If your personal data is processed, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right of access
You can demand confirmation from the controller whether your personal data is processed by us. If such processing takes place, you can demand access to the following information from the controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data that is processed;
(3) the recipients and/or the categories of recipients to whom your personal data has been disclosed or is still being disclosed;
(4) the planned duration of storage of your personal data or, if specific details on this are not possible, criteria for establishing the duration of storage;
(5) the existence of a right to correct or delete your personal data, of a right to restrict the processing by the controller or a right to object to this processing;
(6) the existence of a right to complain with a supervisory authority;
(7) all available information on the origin of the data, if the personal data is not collected from the data subject;
(8) the existence of an automatic decision making process, including profiling in accordance with Art. 22(1) and (4) of the GDPR and – at least in these cases – significant information on the logic involved as well as the scope and the desired effects of such processing for the data subject.
You have the right to be told if your personal data is transferred to a third country or to an international organzation. In this regard, you can demand to know about the appropriate safeguards in accordance with Art. 46 of the GDPR in connection with such transfer.
2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller, if your processed personal data is incorrect or incomplete. The controller must immediately implement the rectification.
3. Right to restriction of processing
You may demand the restriction of the processing of your personal data under the following conditions:
(1) if you dispute the accuracy of your personal data for a period of time that allows the controller to check the accuracy of the personal data;
(2) the processing is unlawful, and you reject the deletion of the personal data, demanding in lieu of this a restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require this in order to assert, exercise or defend legal claims, or
(4) if you have submitted an objection to the processing in accordance with Art. 21(1) of the GDPR, and it has not yet been established whether the justified reasons of the controller override your own reasons.
If the processing of your personal data has been restricted, this data – apart from the storage thereof – may only be processed with your consent or for the assertion, exercise or defence of legal claims, or to safeguard the rights of another natural or legal person, or for reasons of an important public interest of the Union or a member State. If the restriction of processing is restricted in line with the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation of erasure
You can demand the controller to have your personal data immediately erased, and the controller is obligated to erase this data immediately, provided one of the following reasons applies:
(1) Your personal data is no longer necessary for the purposes for which it was collected or has otherwise been processed.
(2) You revoke your consent supporting the processing in accordance with Art. 6(1a) or Art. 9(2a) GDPR, and there is no other legal basis for the processing thereof.
(3) In accordance with Art. 21(1) GDPR you submit an objection to the processing and there are no overriding legitimate reasons for the processing to continue or, in accordance with Art. 21(2) GDPR you submit an objection to the processing.
(4) Your personal data has been unlawfully processed.
(5) The erasure of your personal data is necessary to fulfill a legal obligation under Union law, or the law of the member States, to which the controller is subject.
(6) Your personal data was cancelled in reference to information society service offered in accordance with Art. 8(1) GDPR.
b) Information to third parties
If the controller has made your personal data publicly available and if he is obligated, in accordance with Art. 17(1) of the GDPR to erase such data, he will take suitable measures, including technical measures, in line with the available technology and the implementation costs, in order to inform the data processors of the personal data that you as a data subject have demanded them to delete all links to this personal data, or copies or reproductions of this personal data.
The right to erasure does not apply insofar as processing of the data is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation, which requires the data to be processed in accordance with the law of the Union or the member States to which the controller is subject, or to carry out a task that lies in the public interest or is carried out in the exercise of official authority, that has been transferred to the controller;
(3) for reasons of public interest concerning public health in accordance with Art. 9(2h) and (2i) as well as Art. 9(3) of the GDPR;
(4) for archive purposes that lie in the public interest, scientific or historic research purposes or for statistical purposes in accordance with Art. 89(1) of the GDPR, insofar as the right mentioned in para. 1) is expected to make it impossible to achieve the objectives of this processing or seriously impair them, or
(5) to assert, exercise or defend legal claims.
5. Right to information
If you have asserted your right to rectification, erasure or restriction of processing vis the controller, the latter is obligated to inform all recipients to which your personal data has been disclosed about this rectification or erasure of data or the restriction of processing, unless this proves to be impossible or would involve an unreasonable amount of time and money. You have the right to demand the controller to inform you about these recipients.
6. Right to data portability
You have the right to receive any of your personal data, which you have provided to the controller, in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without any impediment from the controller to whom the personal data was provided, provided
(1) the data processing is based on consent given in accordance with Art. 6(1a) GDPR or Art. 9(2a) of the GDPR, or on a contract in accordance with Art. 6(1b) of the GDPR and
(2) the data is processed using automated procedures.
When exercising this right, you also have the right to demand that your personal data is transferred directly from one controller to another controller, provided this is technically feasible. Freedoms and rights of other persons may not be impaired by this. The right to data portability does not apply to the processing of personal data that is necessary to carry out a task that lies in the public interest or is carried out in the exercise of official authority, that has been transferred to the controller.
7. Right to object
You have the right, for reasons deriving from your own personal situation, to submit an objection at any time to the processing of your personal data, based on Art. 6(1e) or (1f) of the GDPR; this also applies to a profiling based on these provisions. The controller will no longer process your personal data unless he is able to prove compelling legitimate grounds for doing so that override your own interests, rights and freedoms, or if the processing is necessary to assert, exercise or defend legal claims. If your personal data is processed for the purposes of direct advertising, you have the right to object at any time to the processing of your personal data for the purposes of such advertising; this also applies to profiling if this is connected with such direct advertising. If you object to the processing for purposes of direct advertising, your personal data will no longer be processed for these purposes. You have the chance, in connection with the use of information society services – irrespective of Directive 2002/58/EG – to exercise your right of objection using automated procedures in which technical specifications are used.
8. Right to objection to the declaration of consent under the data protection law
You have the right to revoke your declaration of consent under the data protection law at any time. By revoking such consent, the lawfulness of the data processing that has been carried out based on such consent up to the time of revocation will be unaffected.
9. Automated decisions in individual cases, including profiling
You have the right not to be subject to a decision that is based exclusively on an automated processing – including profiling, which has a legal effect against you or causes considerable detriment to you in a similar way. This does not apply if the decision
(1) is necessary for the conclusion or fulfillment of a contract between you and the controller,
(2) is permissible based on legal provisions of the Union or the member States, to which the controller is subject, and these legal provisions contain appropriate measures to safeguard your rights and freedoms and your legitimate interests or
(3) is taken with your express consent.
These decisions may not, however, be based on particular categories of personal data in accordance with Art. 9(1) of the GDPR, unless Art. 9(2a) or (2g) of the GDPR applies and appropriate measures have been taken to safeguard rights and freedoms as well as your legitimate interests. With regard to the cases named in (1) and (3), the controller will take appropriate measures to safeguard the rights and freedoms and your legitimate interests, at least including the right to obtain the intervention of a person on the part of the controller, to represent his own viewpoint and challenge the decision.
10. Right to complain with a supervisory authority
Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member State of your habitual residence, your place of work or the place of the presumable breach, if you are of the opinion that the processing of your personal data breaches the GDPR. The supervisory authority to which the complaint was submitted will inform the complainant about the status and the results of the complaint, including the possibility to a judicial remedy in accordance with Art. 78 of the GDPR.