Privacy policy

I. Controller

The controller as defined in the Regulation (EU) 2016/679 (General Data Protection Regulation), the data protection laws of the EU Member States, and any other legal regulations governing data protection is:

XPLM Solution GmbH
Altmarkt-Galerie Dresden
Altmarkt 25
01067 Dresden, Deutschland
Email: xplm(at)xplm.com
Website: https://www.xplm.com

– hereinafter referred to as: “we” / “us” –

II. Data protection officer

The data protection officer of the controller is:

Patrick Storelli
XPLM Solution GmbH
Walter-Oehmichen-Str. 20
68519 Viernheim, Deutschland

Email: patrick.storelli(at)xplm.com

Tel.: +49 6204 98092 269

III. General information on the processing of personal data

1. Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter: ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Scope of processing

Personal data is generally only processed by us to the extent necessary to provide a functional website and website content, as well as to provide our services.

3. Legal basis for processing

If we obtain the permission of the data subject to process their personal data, processing is done in accordance with Art. 6(1) subparagraph 1 point (a) General Data Protection Regulation (GDPR).

If the processing of personal data is necessary in order to fulfil the requirements of a contract with the data subject, it is done in accordance with Art. 6(1) subparagraph 1 point (b) GDPR. This also applies to processing procedures performed before conclusion of the contract that are necessary to carry out measures taken upon the request of the data subject.

If the processing of personal data is necessary in order to meet a legal obligation we are subject to, Art. 6(1) subparagraph 1 point (c) GDPR forms the legal basis for this processing.

In the case that the processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person, our right to process data is based on Art. 6(1) subparagraph 1 point (d) GDPR.

If it is necessary to process data in order to guard the legitimate interests of the controller or a third party and this outweighs the interests or fundamental rights and freedoms of the data subject, then Art. 6(1) subparagraph point (c) GDPR forms the legal basis for processing.

4. Storage period

We generally delete all personal data as soon as the reason for storing it expires.

We may, however, continue to store the data if this is allowed for by European Union or Member State lawmakers in EU-regulations, national laws, or other regulations we are subject to. In this case, the data is deleted as soon as a storage period specified in these legal standards has expired, unless it is necessary to continue storing the data in order to conclude a contract or fulfil the requirements of a contract with the person concerned.

IV. Provision of the website and generation of web server log files

1. Description and scope of data processing

Every time our website is accessed, our system will automatically record data from the terminal device (such as: desktop computer, tablet, smartphone) and the internet connection of the user accessing the site.

The following data is collected in the process:

  • Type and version of the web browser used by the user
  • Type and version of the operating system used by the user
  • The IP address assigned to the user
  • Date and time of access
  • URL of the pages that are accessed on our website
  • The URL of the previously accessed website, if the user has been directed to our website by clicking a link or landed on our website through an automated process (so-called referrer)

The above data is also stored in our system’s web server log files. This data is stored separately from other collected or still to be collected personal data of the user.

2. Purpose of data processing

It is necessary for our system to temporarily store the IP address so that the website can be delivered to the user’s terminal device. For this purpose, the user’s IP address must be stored for the duration of the session.

Data is stored in the web server log files in order to ensure the functionality of the website. Furthermore, the data also allows us to optimize the website and ensure the security of our information technology systems.

This is our legitimate interest in data processing in accordance with Art. 6(1) subparagraph 1 point (f) GDPR.

3. Legal basis for data processing

The legal basis for temporarily storing data and web server protocol files is formed by Art. 6(1) subparagraph 1 point (f) GDPR.

4. Storage period

The data will be deleted as soon as it is no longer needed in order to reach the aforementioned goals.

When data is collected and stored for the purpose of making the website available to the user, deletion will consequently occur as soon as the respective session is over.

If data is stored in the web server log files, it will be deleted after 24 hours at the latest.

5. Prevention of further data processing by the data subject / premature deletion of the collected data

The collection of data in order to make the website available and the storage of data in web server log files are absolutely necessary for the operation of the website. Considering this, users do not have the right to object to such data collection, nor do they have the right to have the collected data deleted prematurely.

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. We use cookies to make our website more user-friendly. Cookies are text files that the web browser stores on the user's terminal device. When a user accesses a website, a cookie can be stored on the terminal device of the user. This cookie contains a unique character string that makes it possible to clearly identify the web browser when the website is accessed again.

Only login information is stored and transmitted in the cookies we place.

2. Purpose of data processing

We need cookies for the following applications:

  1. SIG login (member area for Special Interest Groups)
  2. Support Portal Login

Without cookies, users would have to enter and confirm their login information (user name, password) every time they switch pages (for example: click on a button). In order to avoid this, we need to use cookies for all features involved in providing the SIG login.

At the same time, these purposes also constitute a legitimate interest in processing personal data pursuant to Art. 6(1) subparagraph 1 point (f) GDPR.

The user data collected by technically essential cookies is not used to create user profiles.

3. Legal basis for data processing

The legal basis for processing personal data using cookies is constituted by Art. 6(1) subparagraph 1 point (f) GDPR.

4. Storage period / prevention of further data processing by the data subject / premature deletion of the collected data

As a user, you do in principle have full control over the use of cookies, which may still be limited in individual cases – depending on the functional scope of the web browser used. Specifically speaking, you can deactivate or limit the storage of cookies by changing the cookie settings in your web browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically.

If cookies are deactivated for our website, it may not be possible to use all of the features of the website to their full extent.

VI. Registration for SIG login (member area for Special Interest Groups)

1. Description and scope of data processing

On our website, we offer users the opportunity to register for SIG login by entering personal data.

Special Interest Groups (SIG) are informational events that we hold regularly for customers and partners addressing various topics associated with PLM.

During the registration process, data is entered into an entry form, transmitted to us, and stored.

The following data is collected during the registration process:

  • User group [meaning the SIG area(s) to be registered]
  • First name
  • Last name
  • Company
  • Email address
  • Password

During the course of the registration process, the user's consent is obtained for the data processing.

Prior to giving consent, the user is also informed of the right to withdraw consent at any time and that the lawfulness of processing based on consent before its withdrawal will not be affected by the withdrawal.

Furthermore, reference is made to the validity of the concrete privacy policy and to the fact that the user can view it at any time via the linked URL https://www.xplm.com/privacy-policy.

2. Purpose of data processing

User registration is necessary in order to provide certain content and services on our website.

Within the context of the SIG login, we provide interested companies with supplementary informational material, particularly on past events and topics.

Data collected during registration is used to assign every registered account to a legal and/or natural person with absolute certainty. Furthermore, data collection also serves the purpose of making specific information available to specific user groups.

Additionally, we also use the collected data to determine which user groups are especially interested in our services.

3. Legal basis for data processing

The legal basis for processing data is the consent given by the user pursuant to Art. 6(1) subparagraph 1 point (a) GDPR.

4. Storage period

The data will be deleted as soon as it is no longer needed for the purposes for which it was collected.

This is the case for data collected during the registration process when the registration for a SIG login is cancelled or modified.

5. Prevention of further data processing by the data subject / premature deletion of the collected data

If you have given your consent for the processing of personal data, you can withdraw it at any time. In order to withdraw a given consent, you can also use the contact form available on every page of our website or you can contact us directly via email, for instance at xplm(at)xplm.com.

Once you withdraw your consent, we will no longer process your personal data, unless there is a legal basis to process the data other than your consent, pursuant to Art. 6(1) subparagraph 1 point (a) GDPR.

The lawfulness of processing based on consent before its withdrawal will not be affected by the withdrawal.

Furthermore, you have the option to cancel your registration at any time by deleting the registered user account yourself through the account settings or letting us know that you want your registered user account deleted. You can also use the contact form available on every page of our website for such a notification or you can contact us directly via email, for instance at xplm(at)xplm.com.

In the first case, your user account as well as all data collected in relation to it will be immediately deleted, within 14 days at the latest, as long as there are no legal obligations that would prevent deletion.

In the case that the data stored about you is incorrect, incomplete, or there are other justified reasons to modify it, you can change the data – with the exception of the email address – at any time or have us change the data, either by changing the data yourself in your user account or informing us of your desire to change the data, specifying the data to be changed. In the latter case, we will perform the changes within 7 days. As soon as the changes have been made, the old data will be automatically deleted.

VII. Registration for the Support Portal

1. Description and scope of data processing

Moreover, we offer users of our website the possibility to register for our Support Portal, specifying personal data.

During the registration process, data is entered into an entry form, transmitted to us, and stored.

The following mandatory data is collected during the registration process:

  • First name
  • Last name
  • Email address
  • Company

The following data are collected during the registration process, if they are specified by the user voluntarily:

  • Title (indirect: Gender)

During the course of the registration process, the user's consent is obtained for the data processing.

Prior to giving consent, the user is also informed of the right to withdraw consent at any time and that the lawfulness of processing based on consent before its withdrawal will not be affected by the withdrawal.

Furthermore, reference is made to the validity of the concrete privacy policy and to the fact that the user can view it at any time via the linked URL https://www.xplm.com/privacy-policy.

2. Purpose of data processing

A registration of the user is required for the provision of specific content and services on our website.

Within the framework of our Support Portal, we offer our clients various ways to make effective use of our software support.

The data collected within the registration process serves the purpose of unambiguously matching the registered user account with one of our clients. This serves the purpose of ensuring specific support as well as determining whether and under which conditions the respective user is entitled to the use of our support and services.

3. Legal basis for data processing

The legal basis for processing data is the consent given by the user pursuant to Art. 6(1) subparagraph 1 point (a) GDPR.

In case the processing of data serves the fulfillment of a contract with the relevant user, this constitutes additional legal grounds for data processing pursuant to Art. 6(1) subparagraph 1 point (b) GDPR.

4. Storage period

The data will be deleted as soon as it is no longer needed for the purposes for which it was collected.

This is the case for data collected during the registration process when the registration for the Support Portal is cancelled or modified.

5. Prevention of further data processing by the data subject / premature deletion of the collected data

If you have given your consent for the processing of personal data, you can withdraw it at any time. In order to withdraw a given consent, you can also use the contact form available on every page of our website or you can contact us directly via email, for instance at xplm(at)xplm.com.

Once you withdraw your consent, we will no longer process your personal data, unless there is a legal basis to process the data other than your consent, pursuant to Art. 6(1) subparagraph 1 point (a) GDPR.

The lawfulness of processing based on consent before its withdrawal will not be affected by the withdrawal.

Furthermore, you have the option to cancel your registration at any time by letting us know that you want your registered user account deleted. You can also use the contact form available on every page of our website for such a notification or you can contact us directly via email, for instance at xplm(at)xplm.com.

In this case your user account as well as all data collected in relation to it will be immediately deleted, within 14 days at the latest, as long as there are no legal obligations that would prevent deletion.

In the case that the data stored about you is incorrect, incomplete, or there are other justified reasons to modify it, you can have us change the data at any time by informing us of your desire to change the data, specifying the data to be changed. In this case, we will perform the changes within 7 days. As soon as the changes have been made, the old data will be automatically deleted.

VIII. Contact form and contact via email

1. Description and scope of data processing

There is a contact form on our website that can be used to contact us electronically. If a user decides to use this option, the data entered into the form will be transmitted to us and stored. The mandatory data required is:

  • The user’s email address

and – if the user decides to enter this additional information in individual cases:

  • First and last name
  • Phone number
  • Message text

Before the contact form is sent, your consent to process the data will be obtained.

Prior to giving consent, you will also be informed of your right to withdraw your consent at any time and that the lawfulness of processing based on your consent before its withdrawal will not be affected by the withdrawal.

Furthermore, reference is made to the validity of the concrete privacy policy and to the fact that it can be viewed at any time via the linked URL https://www.xplm.com/privacy-policy.

Contact can also be made via the email addresses made available for this purpose, particularly xplm(at)xplm.com. In this case, the personal data of the user transmitted with the email will be stored.

Reference is made to the applicability of this privacy policy in all emails sent by us. Furthermore, a link to the URL https://www.xplm.com/privacy-policy, where this privacy policy can be viewed at any time, is also clearly displayed behind the phrase “Privacy Policy”.

2. Purpose of data processing

The personal data from the contact form is used exclusively to process the contact attempt. In cases where contact is made via email, this is also our legitimate interest in processing the data.

3. Legal basis for data processing

The legal basis for processing data is the consent given by the user pursuant to Art. 6(1) subparagraph 1 point (a) GDPR.

The legal basis for processing data conveyed by the user by sending an email is formed by Art. 6(1) subparagraph 1 point (f) GDPR. If the user seeks to conclude a contract when they contact us via email, this constitutes additional legal grounds for data processing pursuant to Art. 6(1) subparagraph 1 point (b) GDPR.

4. Storage period

The collected data will be deleted as soon as it is no longer needed for the purposes for which it was collected. For personal data from the contact form and data sent via email, this is the case when the respective conversation with the user comes to an end. The conversation ends once it can be assumed from the circumstances, that the matter involved has been conclusively resolved.

5. Prevention of further data processing by the data subject / premature deletion of the collected data

The user can withdraw the consent given for the purpose of using the contact form at any time. If users contact us via email, they can object to the storage of their personal data transmitted in this respect at any time. In such cases, it will not be possible to continue the conversation.

Notification of withdrawal of consent given or objection to further processing of personal data can also be conveyed through our contact form or directly via email, for instance at xplm(at)xplm.com.

In the case of a withdrawal or objection, all personal data stored when contact is made will be deleted.

IX. Application form

1. Description and scope of data processing

Furthermore, we also provide an application form on our website that can be used for electronic applications (online applications). If a user decides to take advantage of this option, the data entered into the form will be transmitted to us and stored. The mandatory data required is:

  • Selection for the offered positions
  • Title (gender)
  • First and last name
  • Email address
  • Application text

and – if the user decides to upload this additional information in specific cases:

  • Application documents in electronic format

Before the contact form is sent, your consent to process the data will be obtained.

Prior to giving consent, you will also be informed of your right to withdraw consent at any time and that the lawfulness of processing based on consent before its withdrawal will not be affected by the withdrawal.

Furthermore, reference is made to the validity of the concrete privacy policy and to the fact that it can be viewed at any time via the linked URL https://www.xplm.com/privacy-policy.

2. Purpose of data processing

The personal data from the application form is used exclusively to process your application.

3. Legal basis for data processing

The legal basis for processing data is the consent given by the user pursuant to Art. 6(1) subparagraph 1 point (a) GDPR.

Since the application aims to conclude an employment contract, this constitutes an additional legal basis for data processing pursuant to Art. 6(1) subparagraph 1 point (b) GDPR.

4. Storage period

The collected data will be deleted as soon as it is no longer needed for the purposes for which it was collected. This is the case for personal data from the application form, when the respective application has ended. An application has ended once it can be assumed from the circumstances that the affected matter has been conclusively resolved.

5. Prevention of further data processing by the data subject / premature deletion of the collected data

The user can withdraw the consent given while using the application form at any time. In this case, it will not be possible to continue processing the application.

Notification of withdrawal of consent given can also be conveyed to us through the contact form available on every page of our website or directly via email, for instance at xplm(at)xplm.com or jobs(at)xplm.com.

In the case of a withdrawal, all personal data stored during the course of the application will be deleted.

X. Web analysis service "Matomo"

1. Description and scope of data processing

We make use of Matomo on our website, a free and open-source web analysis service. Matomo uses JavaScript and so-called "analysis cookies", which are stored on the user's device by the web browser and allow us to analyze the usage of the website by our users. The information about the usage of our website is stored on our web server in Germany and not transferred abroad.

The following data are collected by means of Matomo:

Via JavaScript

  • User IP address *
  • Optional User ID
  • Date and time of the request
  • Title of the page being viewed
  • URL of the page being viewed
  • URL of the page that was viewed prior to the current page (so-called Referrer)
  • Screen resolution being used
  • Time in local user’s time zone
  • Files that were clicked and downloaded
  • Links to an outside domain that were clicked
  • Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user)
  • Location of the user: country, region, city, approximate latitude and longitude (Geolocation)
  • Main Language of the browser being used (Accept-Language header)
  • User Agent of the browser being used (User-Agent header)

Via cookies

  • Random unique Visitor ID
  • Time of the first visit for this user
  • Time of the previous visit for this user
  • Number of visits for this user

* The IP addresses collected by Matomo are stored anonymously. Namely, the IP address assigned to the user is shortened before it is processed (e.g.: 12.214.31.144 is shortened to 12.214.31.xxx). It is the IP address that qualifies the collected data as personal data; this quality is lost when the IP address is shortened, with the result that no personal data will be processed afterwards.

2. Purpose of data processing

We use Matomo for the purpose of analyzing the usage of our website and continuously improving individual features, offers and the user experience. The statistical evaluation of the user behavior on our website allows us to improve our offer and to make it more effective and interesting for our users.

This is our legitimate interest in the simultaneous processing of data by Matomo.

3. Legal basis for data processing

The legal basis for processing data by means of Matomo is Art. 6(1) subparagraph 1 point (f) GDPR.

4. Storage period

The collected data will be deleted as soon as they are no longer needed for the purposes for which they were collected. Therefore all data collected by means of Matomo will automatically be deleted after 3 months.

5. Prevention of further data processing by the data subject

As stated, the data processing using Matomo is partly carried out by means of cookies. As a user, you do in principle have full control over the use of cookies, which may still be limited in individual cases – depending on the functional scope of the web browser used. Specifically speaking, you can deactivate or limit the storage of cookies by changing the cookie settings in your web browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all of the features of the website to their full extent.

You can object to Matomo's data processing in two ways:

  • By activating the "Do Not Track" function in your web browser.
  • By saving the Matomo deactivation cookie in your web browser.

"Do Not Track" function

Matomo supports the "Do Not Track" function of your web browser (https://www.eff.org/issues/do-not-track). If this is activated, Matomo will not track your visits.

Matomo deactivation cookie

Decide here whether the Matomo web analysis cookie may be stored in your browser so that we can collect and analyze various statistical data. If you do not wish this, click on the following link to save the Matomo deactivation cookie in your browser.

NOTE: The Matomo deactivation cookie becomes ineffective if you delete it in your web browser settings or in any other way. In this case, the above link must be clicked again to reset the cookie and activate the exclusion from the web analysis.

XI. Google Maps

1. Description and scope of data processing

Additionally, we use Google Maps, an online map service of Google LLC (hereinafter: Google), on parts of our website.

If you open pages of our website on which contents of Google Maps are embedded, the IP address assigned to you (i.e. to your internet connection), terminal device-related information as well as information regarding your use of our website will be transmitted to and stored on a server of Google in the USA. If you have a Google user account and are logged in to it while accessing Google Maps contents, your data can be matched with your user account directly. We have no influence over the details and scope of the processing of your personal data by Google. One cannot rule out the possibility that Google creates usage profiles with your data and uses the data for the purpose of personalized advertising, market research and/or adequate designing of its websites and services.

For this reason, you – prior to being able to access the relevant pages of our offices by means of a click on ‘directions’ through the navigation of our website on https://www.xplm.com/offices – will be informed explicitly by a pop-up notification that we embed contents of Google Maps on the pages of our offices and that the access of these pages will therefore lead to the processing of your personal data by Google, on which we have no impact regarding the details and scope of processing. Furthermore, reference is made to the validity of the concrete privacy policy and to the fact that it can be viewed at any time via the linked URL https://www.xplm.com/privacy-policy.

Google has submitted to the Privacy Shield agreement between the European Union and the USA and has been certified within its framework. For additional information please refer to the following link:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Additional information about Google Analytics is available at:

Contact details of Google:

Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
USA

Tel: +1 650 253 0000
Fax: +1 650 253 0001

Due to the large number of inquiries, Google recommends using the electronic forms available on Google Help (https://www.google.com/support), because only notifications that are sent by means of the contact forms provided reach the corresponding employee purposefully and swiftly.

2. Purpose of data processing

We use Google Maps for the purpose of providing interactive maps and route planning features related to our offices to our users in order to improve the user experience.

This is our legitimate interest in the simultaneous processing of your data by Google.

3. Legal basis for data processing

The legal basis for processing data by means of Google Maps is Art. 6(1) subparagraph 1 point (f) GDPR.

4. Prevention of further data processing by the data subject / premature deletion of the collected data

If you want to prevent the processing of personal data relating to you based on the embedding of Google Maps, you should not access the relevant pages of our offices.

Apart from that, you can object to the processing of personal data relating to you, in particular if the processing is done in order to create usage profiles. In order to claim your right to objection, you have to contact Google (please refer to the aforementioned contact details).

XII. YouTube

1. Description and scope of data processing

In addition, we use videos of the online video service YouTube, which are embedded on our website; as a consequence, they are (still) stored on https://www.youtube.com and accessed at that domain by your terminal device, but can be watched directly on our website.

The website https://www.youtube.com is provided by YouTube LLC (hereinafter: YouTube).

Every YouTube video is embedded in ‘privacy-enhanced mode’, the consequence being that – according to information from Google LLC, the parent company of YouTube – YouTube does not use cookies to track your viewing behavior, meaning that your viewing activity is not collected to personalize your viewing experience.

Additionally, we disabled tracking for advertising purposes by YouTube by adding our website to YouTube’s ‘Tag for child-directed treatment’ page.

Apart from the aforementioned, we have no impact on the processing of your personal data by YouTube, regarding the details and scope of processing.

The parent company of YouTube, Google LLC, has submitted to the Privacy Shield agreement between the European Union and the USA and has been certified within its framework, including YouTube. For additional information please refer to the following link:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Additional information about YouTube is available at:

Contact details of YouTube:

YouTube LLC
901 Cherry Ave.
San Bruno, CA 94066
USA

Tel.: +1 650 253 0000
Fax: +1 650 253 0001

https://www.youtube.com/t/contact_us

Represented by:

Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
USA

2. Purpose of data processing

We use YouTube videos for the purpose of providing a more interesting design to our offer and in order to improve the user experience.

This is our legitimate interest in the simultaneous processing of your data by YouTube.

3. Legal basis for data processing

The legal basis for processing data by means of YouTube videos is Art. 6(1) subparagraph 1 point (f) GDPR.

4. Prevention of further data processing by the data subject / premature deletion of the collected data

If you want to prevent the processing of personal data relating to you based on the embedding of YouTube videos to the highest possible extent, you should not watch the videos embedded on our website.

Apart from that, you can object to the processing of personal data relating to you, in particular if the processing is done in order to create usage profiles. In order to claim your right to objection, you have to contact YouTube (please refer to the aforementioned contact details).

XIII. Rights of the data subject

If your personal data is processed, you are considered a data subject as defined by GDPR. You are at the same time entitled to the following rights in relation to the controller (us):

1. Right of access

You can receive confirmation from us of whether we are processing personal data relating to you.

In the case that we are processing personal data relating to you, you can require access to this personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Furthermore, you also have the right to request information on whether the personal data relating to you are transmitted to a third country or to an international organization. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

2. Right to rectification

If the personal data we are processing relating to you are inaccurate, you have the right to obtain rectification without undue delay.

Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to restriction of processing

You can require that we restrict the processing of personal data relating to you, if

  • you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
  • you have objected to processing pursuant to Art. 21(1) GDPR, pending the verification of whether our legitimate grounds outweigh yours.

If the processing of personal data relating to you has been restricted, this data – aside from its storage – will only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the processing has been restricted, we will inform you before the restriction of processing is lifted.

4. Right to erasure (‘right to be forgotten’)

a) Obligation to erase

You can require that we erase the personal data relating to you without undue delay, and we are obligated to erase this data without undue delay if one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw your consent on which the processing is based according to Art. 6(1) subparagraph 1 point (a), or Art. 9(2) point (a) GDPR and there is no other legal ground for the processing;
  • you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in the law of the European Union or Member States to which we are subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

b) Information to third parties

If we have made the personal data public and are obliged pursuant to Art. 17(1) GDPR to erase the personal data, we, taking account of available technology and the cost of implementation, are obliged to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions

The right to erasure does not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by European Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
  • for reasons of public interest in the area of public health in accordance with Art. 9(2) points (h) and (i) as well as Article 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defense of legal claims.

5. Right to information

We are obliged to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17(1) and Art. 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about those recipients if you require it.

6. Right to data portability

You have the right to receive the personal data relating to you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us, where the processing:

  • is based on consent pursuant to Art. 6(1) subparagraph 1 point (a) GDPR or Article 9(2) GDPR or on a contract pursuant to Art. 6(1) subparagraph 1 point (b) GDPR; and
  • is carried out by automated means.

That right shall not adversely affect the rights and freedoms of others.

In exercising your right to data portability, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data relating to you which is based on Art. 6(1) subparagraph 1 point (e) or (f) GDPR, including profiling based on those provisions.

We will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data relating to you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw consent to the processing of personal data

If you have given consent to processing of your personal data for one or more specific purposes, you have the right to withdraw your consent at any time.

The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.