Online Privacy Policy

1. Information about collecting personal data

The following provides information on the processing of personal data when using our websites www.elo.com, , www.elooffice-shop.comwww.elooffice.com/blogregister-elooffice.elo.com, feedback-elooffice.elo.com (all referred to in the following as "website") and our platform services, which incorporate this Privacy Policy by reference. Personal data is all information referring to an identified or identifiable natural person (see Art. 4 No. 1 General Data Protection Regulation, "GDPR" in the following). This includes information such as your name, e-mail address, usage behavior, or postal address. Information that cannot be directly connected with your identity, for example, the number of users of a website, is not considered personal information.

2. Name and address of the controller

a) The controller as per Art. 4 Sec. 7 GDPR is:
ELO Digital Office GmbH
Tuebinger Str. 43
70178 Stuttgart
Tel.: +49 711 806089 - 0
dsb[at]elo.com
www.elo.com

b) Name and address of the data protection officer
Our data protection officer has been appointed for the head office in Stuttgart (ELO Digital Office GmbH) and is the person to contact for matters relating to the collection of personal data that are processed directly by ELO Digital Office GmbH, Tübinger Str. 43, 70178 Stuttgart, Germany. ELO Digital Office GmbH head office in Stuttgart is also responsible for the www.elo.com website in German, English, Spanish, and Portuguese.

If you have any queries in this regard, please contact the data protection officer at dsb[at]elo.com. If the query relates to data that is not collected in Stuttgart, please contact the address above.

 

4. Proper processing of personal data

a) Processing personal data when visiting our website
When using the website for information purposes only, i.e. if you do not register or otherwise provide us with information by entering data, we only collect the personal data your browser automatically transmits to our server via log files. The log files contain IP addresses or other data that enable a user to be identified. If you want to view our website, we collect the following personal data with the server log files:

  • User IP address
  • Date and time of access/request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Access status/HTTP status code
  • Website that the request originates from
  • Language and version of the browser software.

b) Legal basis for processing data
The legal basis for temporary storage of data and log files is Art. 6 Sec. 1 f GDPR.

c) Purpose of processing data
Temporary storage of the IP address by the system is necessary in order to provide the website to your computer. The IP address has to remain stored over the duration of the session. It is stored in log files in order to ensure the functionality of the website. In addition, the data helps us optimize the website and ensure the security of our IT systems. In this context, the data is not analyzed for marketing purposes.

d) Retention period
The data are stored in log files for seven days. Data can also be stored beyond this period. In this case, user IP addresses are deleted or disguised so that it is no longer possible to associate them with the respective client.

e) The right to object and rectification
We are required to collect and store specific data in log files for the purpose of delivering the website and to ensure it works properly. While the user does not have the right to object to this, you will find other rights of data subjects at the end of this page.

4. Proper processing of personal data

a) Processing personal data when visiting our website
When using the website for information purposes only, i.e. if you do not register or otherwise provide us with information by entering data, we only collect the personal data your browser automatically transmits to our server via log files. The log files contain IP addresses or other data that enable a user to be identified. If you want to view our website, we collect the following personal data with the server log files:

  • User IP address
  • Date and time of access/request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Access status/HTTP status code
  • Website that the request originates from
  • Language and version of the browser software.

b) Legal basis for processing data
The legal basis for temporary storage of data and log files is Art. 6 Sec. 1 f GDPR.

c) Purpose of processing data
Temporary storage of the IP address by the system is necessary in order to provide the website to your computer. The IP address has to remain stored over the duration of the session. It is stored in log files in order to ensure the functionality of the website. In addition, the data helps us optimize the website and ensure the security of our IT systems. In this context, the data is not analyzed for marketing purposes.

d) Retention period
The data are stored in log files for seven days. Data can also be stored beyond this period. In this case, user IP addresses are deleted or disguised so that it is no longer possible to associate them with the respective client.

e) The right to object and rectification
We are required to collect and store specific data in log files for the purpose of delivering the website and to ensure it works properly. While the user does not have the right to object to this, you will find other rights of data subjects at the end of this page.

5. Use of cookies

We use cookies to store information that allows us to customize our site according to your individual interests and make our website more user-friendly. A cookie is a small piece of data that stores configuration information (e.g. language setting, logon credentials) on your end device.

The cookies used on the website may be broadly classified into strictly necessary cookies and optional cookies. The legal basis for collecting strictly necessary cookies (functional cookies) is Art. 6 (1) lit. f GDPR. We will not set optional cookies (e.g. tracking cookies) unless we have an active indication of your consent (via the cookie consent banner) in accordance with Art. 6 (1) lit. a GDPR.

For more information about the types of cookies, what they are used for, how long they are stored, and how you can block or delete them, click here.

6. Newsletter

a) Description and scope of data processing
On our website or as part of prize draws or surveys, you have the option to subscribe to a free newsletter. When subscribing to the newsletter, the data from the input form is sent to us. The only information you have to provide to receive the newsletter is your e-mail address. In addition, we save your IP addresses (in shortened, anonymized form) as well as the time of subscription and confirmation. In order to process the data, we obtain your consent during the subscription process and refer to the Privacy Policy. With your consent, you can subscribe to our newsletter, which informs you of our products, solutions, and events in the area of enterprise content management. A newsletter may also be delivered provided consent is not required based on legal allowance.

b) Legal basis for data processing
For the newsletter subscription process, we use a double opt-in method. This means that after you subscribe, we will send an e-mail to the address you have provided asking you to confirm you would like to receive the newsletter. If you do not confirm subscribing within 24 hours, your information is locked and automatically deleted in one month. Within the context of newsletter subscription, the legal basis for processing data is your agreement as per Art. 6 Sec. 1 a GDPR. If consent is not required, the newsletter is delivered based on our legitimate interest in direct marketing or within the context of the weighing of interests, provided this is permitted by law, e.g. in the event of existing customer advertising (Art. 6 Par. 1 f GDPR).

c) Purpose of data processing
We require your e-mail address to deliver the newsletter, including for the purpose of direct marketing. Collection of other personal data as part of the registration process serves to prevent misuse of the services or e-mail address used, as well as to create a personalized user profile in order to better gear marketing and online offerings to your personal interests. We use a third-party tool (Rapidmail), which processes and saves this data in the EU, to send our newsletter. Using this tool, we can create analyses on opening frequency, bounces, and clicks at the personal level. For more information on Rapidmail, refer to rapidmail.de/datensicherheit.

d) Retention period
The data is deleted once it is no longer necessary to achieve the purpose for which it was collected. Your e-mail address is saved as long as your subscription to the newsletter is active (exception below). All other personal data collected as part of the registration/subscription process is generally deleted after a period of seven days.
Exception: If you expressly object (see Point 6 e) to these advertising purposes, we can add your personal data (e.g. name, address, telephone number, e-mail address) to a blacklist. This allows us to ensure we do not send any undesired advertisements (legal basis: your legitimate interest as per Art. 6 Sec. 1 f GDPR). Our legitimate interest lies in being able to meet our obligation resulting from your objection to advertisements. The data is saved for this purpose until you expressly revoke your objection to advertisements in writing. We also process and store personal data provided this is required for the purpose of weighing interests.

e) The right to object and rectification
You can withdraw your consent to receiving the newsletter (unsubscribe) at any time. You can withdraw your consent by clicking the link provided in every newsletter e-mail, e-mailing info[at]elo.com, or sending a message to the contact data provided in the company information. In addition and provided your personal data is processed, you are considered the data subject as per GDPR and are entitled to the the rights listed below with regard to the processor. If your personal data is processed for our direct advertising efforts, you have the right to object to this at any time (e.g. by clicking the link provided in every e-mail); this also applies to profiling provided directly related to such direct advertising. Your rights as a data subject pursuant to Art. 12 GDPR, which you will find at the bottom of the page, also apply.

7. Contact via e-mail/the contact form

a) Description and scope of data processing
Our website contains a contact form that can be used to contact us electronically. If you use this function, the data you enter in the form is sent only to us (ELO Digital Office GmbH, headquarters) and processed. Requests from our website (see section 1 above) from Switzerland and Austria are sent to our ELO Switzerland/ELO Austria subsidiaries and processed there accordingly. Refer to Points 12 a and b for more information)). Generally, the following data is collected:
Mandatory information: company, first and last name, country, e-mail address
Voluntary information: street, town/city, telephone, request, your message including the information specified
The following data is also saved when you send your message: your IP address, date and time of registration, website from which the request originates

In order to process the data, we obtain your consent during the delivery process and refer to the Privacy Policy. Alternatively, contact via the provided e-mail address is also possible. In this case, the personal data transferred with your e-mail address is saved. Your data will not be passed on to any third party in this context (See previous paragraph for exceptions if data is passed on to protect a legitimate interest). The data is only used to process the conversation.

b) Legal basis for data processing
The legal basis for processing data is your agreement as per Art. 6 Sec. 1 a GDPR. The legal basis for processing data collected in the context of e-mail delivery is Art. 6 Sec. 1 f GDPR. If e-mail contact is made with the objective of concluding a contract, the legal basis for processing is Art. 6 Sec. 1 b GDPR.

c) Purpose of data processing
We process personal data from the form solely to process your contact with us. In case of e-mail contact, this represents the legitimate interest for processing data. Other data processed during delivery serve to prevent misuse of the contact form and ensure the security of our IT systems.

d) Retention period
The data is deleted once it is no longer necessary to achieve the purpose for which it was collected. For personal data from the contact form and the data sent by e-mail, this is the case when the conversation with the user has ended. The conversation is considered ended when it can be assumed from the circumstances that the relevant matter has been resolved fully. The additional personal data collected as part of the delivery process is deleted within seven days.

e) The right to object and rectification
The user can withdraw consent to processing of personal data at any time. If the user contacts us directly via e-mail, the user can withdraw consent to storage of personal data at any time. In such a case, the conversation cannot be continued. To exercise such right, the user may write to info[at]elo.com. All personal data saved in contact is deleted in this case. You are also entitled to the the rights listed below with regard to the processor.

8. ELOoffice support request

a) Description and scope of data processing
On our website/in the protected "My ELOoffice" area, we offer you the option to submit support requests related to the ELOoffice product by entering personal data. The data is entered to a form and the form is sent to us. The data will not be passed on to any third party.
The following data is collected for registration/subscription:
Mandatory information: customer number, company name, first and last name, e-mail address , country, serial number
Voluntary information: street, postal code, town/city, telephone
The following data is also saved when you subscribe/register: your IP address, date and time of the support request, website from which the request originates

In order to process the data, we obtain your consent during the delivery process and refer to the Privacy Policy.

b) Legal basis for data processing
ELOoffice support requests serve to fulfil a contract to which you are a contractual party or to carry out pre-contractual duties. The legal basis for processing data is Art. 6 Sec. 1 b GDPR. The legal basis for processing further voluntary data as part of the registration process is your agreement as per Art. 6 Sec. 1 a GDPR.

c) Purpose of data processing
Your ELOoffice support request is mandatory to fulfil a contract to which the you are a contractual party or to carry out pre-contractual duties. We process personal data from the form solely to process your support request.

d) Retention period
The data is deleted once it is no longer necessary to achieve the purpose for which it was collected. For personal data from the support request form, this is the case when the conversation with you has ended. The conversation is considered ended when it can be assumed from the circumstances that the relevant matter has been resolved fully. If data is required to fulfill a contract or carry out pre-contractual duties, it is only possible to delete data prematurely provided no contractual or legal obligations exclude deletion.

e) The right to object and rectification
If data is required to fulfill a contract or carry out pre-contractual duties, it is only possible to delete data prematurely provided no contractual or legal obligations exclude deletion. In addition and provided your personal data is processed, you are considered the data subject as per GDPR and are entitled to the the rights listed below with regard to the processor (ELO).

10. Use of the ELOoffice online shop

a) Purpose
If you want to place orders in the ELOoffice online shop, you are required to provide the personal data that is needed to process your order. The mandatory information required to process contracts is marked; all other information is voluntary. The data you have provided is used to process your order. Your payment data may be passed on to a payment service provider. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR.
You can optionally create a customer account so that your data is stored for subsequent purchases. When creating an account, the data you enter is stored and can be revoked. You can delete all other data, including your user account, at any time.

b) Legal basis and scope
Provided you have given express consent (in particular based on Art. 6 para. 1 sentence 1 a GDPR), the data you have provided can also be processed in order to notify you of other relevant products from the ELO Digital Office portfolio or to send you e-mails with technical information. Your rights as a data subject, which you will find at the bottom of the page, apply.

c) Retention and deletion periods
Your address, payment and order data will be stored for a period of ten years in accordance with commercial and tax law requirements. However, after two years we restrict processing of this data, i.e. your data is only used to meet legal obligations. To prevent third parties from gaining unauthorized access to your personal data, in particular financial data, the ordering process is encrypted by means of TLS technology.

10. Use of the ELOoffice online shop

a) Purpose
If you want to place orders in the ELOoffice online shop, you are required to provide the personal data that is needed to process your order. The mandatory information required to process contracts is marked; all other information is voluntary. The data you have provided is used to process your order. Your payment data may be passed on to a payment service provider. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR.
You can optionally create a customer account so that your data is stored for subsequent purchases. When creating an account, the data you enter is stored and can be revoked. You can delete all other data, including your user account, at any time.

b) Legal basis and scope
Provided you have given express consent (in particular based on Art. 6 para. 1 sentence 1 a GDPR), the data you have provided can also be processed in order to notify you of other relevant products from the ELO Digital Office portfolio or to send you e-mails with technical information. Your rights as a data subject, which you will find at the bottom of the page, apply.

c) Retention and deletion periods
Your address, payment and order data will be stored for a period of ten years in accordance with commercial and tax law requirements. However, after two years we restrict processing of this data, i.e. your data is only used to meet legal obligations. To prevent third parties from gaining unauthorized access to your personal data, in particular financial data, the ordering process is encrypted by means of TLS technology.

11. Third-party integration

(1) We do not use social media plug-ins. Instead, we have integrated icons that link to the third-party provider of the respective social media platforms when clicked. ELO currently maintains a profile on the following social media platforms: Google Maps, Twitter, Xing, LinkedIn, YouTube, and Facebook. When you visit our website, no personal data is transferred to the third-party provider. If you click the icon, you will be redirected to the provider's website and the privacy provisions of the respective provider shall apply.
(2) To this extent, we have an influence on the data collected and processing of such data by using the services of the aforementioned providers and have a responsibility in that by integrating the icon, the user is able to find the ELO website on the respective social media platform, enabling the service provider to obtain data in this way. This limits our responsibility as ultimately you make an active decision to provide your consent to transmit the data via the link. The only information available to us about the scope of data collection, the purposes and form of processing as well as the retention periods is the official information of the provider that is accessible to everyone. We inform you about this in the following.
(3) The third-party provider can store the data collected about you as user profiles, and uses these for the purposes of advertising, market research, and/or to optimize the content of its website. This type of analysis is carried out primarily to deliver targeted advertisements and to notify other users of the social network of your activities on our website (including for users that are not logged on). Since you are the data subject as per GDPR, you have the right to object to the creation of these user profiles or storage of data as per GDPR. To exercise these rights, you must contact the respective third-party provider, as they have direct access to these data. You can access privacy notices regarding the use of our websites and the ELO Digital Office Privacy Policy via the links on our websites. These do not apply to your activities on the websites of social media networks. You can read the data privacy provisions of these providers on their respective websites.
(4) We have our own social media pages on the third-party sites that can be accessed via links from this website. The links take you to the respective websites of the third-party providers (e.g. Facebook, Twitter, Xing, LinkedIn), and you can also share content that we publish. No data is transferred when you access our website. As soon as you access the third-party provider's website, the privacy policy of that provider and other declarations on the use of data shall also apply. We have no influence on this, but we recommend that you log out of the respective third-party provider's website before you use a corresponding link. This ensures that no data are transferred that the third-party provider could use to create user profiles. To protect your data, we have deliberately only used links and have refrained from using additional third-party plug-ins.

Addresses of the respective plug-in providers and URLs to their privacy policies:

Integration of Google Maps

(1) Our website uses the services of Google Maps. This enables us to display interactive maps directly on the website and enables you to use the map function.

(2) By visiting the website, Google receives information that you have accessed the corresponding subpage of our website. In addition, the data specified under No. 4 (Proper processing of personal data) of this declaration will be transmitted. This occurs regardless of whether or not you are logged in with a Google user account. If you are logged in with Google, the data we collect can be associated directly with your account. If you do not want your profile to be associated with Google, you must log out before activating the button. Google stores the data collected about you as user profiles, and uses these for the purposes of advertising, market research, and/or to optimize the content of its website. This type of analysis is carried out primarily to deliver targeted advertisements and to notify other users of the social network of your activities on our website (including for users that are not logged on). You have the right to object to the creation of these user profiles, although you must contact Google in order to exercise this right.

(3) For further information on the purpose and scope of data collection and processing, refer to the link provided next to the icon in Google's privacy policy. This page provides more information on the rights and options available to protect your privacy: https://policies.google.com/privacy?hl=en. Google also processes your personal data in the USA and is also subject to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework. Requests relating to data protection should be addressed to Google's European headquarters: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
 

Data that we receive as a result of visits to our fan page on Facebook ("Page Insights Addendum")

a)    Subject
Facebook provides ELO with Page Insights for the company website (referred to as "fan page"). Page Insights are aggregated data that can help ELO understand how users are engaging with the fan page.
Page Insights may be based on personal data collected in connection with a visit or interaction of users with the fan page and its content. The Court of Justice of the European Union (CJEU) has ruled that in such a case Facebook Ireland Limited ("Facebook Ireland") and the fan page operator (ELO) are jointly responsible (pursuant to Art. 26 GDPR) for the Insights Data.
This Page Insights Addendum sets out the main elements of the agreement on shared responsibility and related data processing. For more information, refer to https://www.facebook.com/legal/terms/information_about_page_insights_data.

b)    Responsibilities
Facebook Ireland takes primary responsibility pursuant to GDPR for processing Insights Data and agrees to comply with all obligations under GDPR with respect to processing Insights Data (including Art. 12 and 13, Art. 15 to 22, and Art. 32 to 34 GDPR). In addition, Facebook Ireland shall make the main elements of this Page Insights Addendum available to data subjects (you as a user) (see link above).
Responsibility for processing the data from the fan page itself lies with the controller named at the beginning of this declaration.

c)    Legal basis
The legal basis for processing Insights data pursuant to GDPR is Art. 6 (1) lit. a GDPR. You can opt-out at any time in the settings for your ad preferences. To do so, use the following links: www.facebook.com/ads/preferences/ and www.youronlinechoices.com.
As a data subject within the meaning of GDPR, you also have other rights, which you will find at the bottom of this declaration. You can exercise these rights by contacting Facebook Ireland or ELO.

d)    Processing activity and supervision
Facebook Ireland is solely responsible for taking and implementing decisions about processing Insights Data. Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. ELO must agree that Facebook Ireland is the main establishment in the EU for processing Insights Data for all data controllers and acknowledges that the lead supervisory authority for this processing is the Irish Data Protection Commission.
Furthermore, Facebook Ireland remains solely responsible for processing personal data in connection with Page Insights other than that covered by the scope of this Page Insights Addendum. This Page Insights Addendum does not grant ELO any right to request the disclosure of personal data of Facebook users that is processed in connection with Facebook Products, including for Page Insights that are provided to ELO.

e)    Contact
If ELO is contacted by data subjects or a supervisory authority under the GDPR with regard to processing Insights Data and the obligations assumed by Facebook Ireland under this Page Insights Addendum (“Requests”), ELO is required to forward all relevant information to Facebook Ireland. Facebook Ireland will answer Requests in accordance with its obligations. ELO is not authorized to act or answer on Facebook Ireland’s behalf.
Any claim, cause of action or dispute ELO has against Facebook Ireland that arises out of or relates to this Page Insights Addendum must be resolved exclusively in the courts of Ireland. This Page Insights Addendum, which was drawn up by Facebook Ireland, is also governed by Irish law.

f)    Changes and validity of the version
Facebook Ireland may need to update the Page Insights Addendum from time to time. ELO has no influence on this and is accordingly required to comply with updates to the Page Insights Addendum.
If ELO finds any part of this Page Insights Addendum to be unenforceable, the remaining part will remain in full force and effect. If Facebook Ireland fails to enforce any part of this Page Insights Addendum, it will not be considered a waiver. Any amendment to the Page Insights Addendum or waiver must be submitted in writing by ELO and will not be effective until signed by Facebook Ireland in accordance with its Terms.

 

Integration of Google reCAPTCHA
Using the Google reCAPTCHA tool helps us prevent misuse of our forms and website campaigns by computer-generated bots or spam software, protecting both you and us.  User behavior is analyzed in the background to differentiate whether the website visitor is a person or a bot. This means users do not have to actively trigger reCAPTCHA; instead, a box is checked indicating that they are not a bot (invisible reCAPTCHA). Recognition of users as humans by means of reCAPTCHA is kept in place until you delete your cache or turn off cookies. You will find more information on turning off cookies in the section "Cookies".

When reCAPTCHA is in place, your data is transferred to Google servers, in either Europe or the United States. The IP address transmitted by the browser to Google is not merged with other Google data from other Google services. However, if you are logged onto your Google account when using the reCAPTCHA plug-in, the data will be merged. In this case, the deviating Google data privacy policy will apply.

If you do not want your usage data to be transmitted to Google Ltd., you will have to log out of Google entirely and delete all Google cookies before visiting our website or using the reCAPTCHA software. Generally, the data is transferred to Google automatically as soon as you open our site. To delete this data, you will have to contact Google support at support.google.com. Furthermore, you will find your rights as a data subject pursuant to Art. 12 GDPR at the bottom of the Privacy Policy.

12. Rights of data subjects

Provided your personal data is processed, you are considered the data subject as per GDPR and are entitled to the rights listed below with regard to the controller.

Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data relating to you is being processed. Should this be the case, you can request the following information:
(1) The purposes for which the personal data is processed;
(2) The categories of the personal data processed;
(3) The recipients/categories of recipients receiving the personal data related to you;
(4) The planned storage period for the personal data related to you or, if no concrete information is possible, criteria for determining the storage period;
(5) Existence of a right to rectification or erasure of the personal data related to you, a right to restrict processing by the processor, or a right to object to this processing;
(6) The existence of a right to appeal to the authorities.
(7) All available information on the origin of the data if the personal data is not collected from the associated individual;
(8) The existence of an automated decision making solution including profiling, as per Art. 22 Sec. 1 and 4 GDPR and – at least in these cases – meaningful information on the involved logic as well as the reach and target effect of such processing for the concerned individual.

You have the right to be informed of whether the personal data related to you is transmitted to a third country or an international organization. In this context, you can request to be informed of appropriate safeguards as per Art. 46 GDPR in conjunction with the transmission of your data.

Right to rectification
You have the right to rectification and/or completion provided the processed personal data related to you is incorrect or incomplete. The data processor must promptly rectify the issue.

Right to restrict processing
You can exercise your right to restrict processing of the personal data related to you provided the following conditions are met:
(1) If you dispute the accuracy of the personal data related to you for a period that enables the processor to verify the accuracy of the data;
(2) Processing is wrongful and you reject the deletion of your personal data, instead exercising your right to restrict the use of your personal data;
(3) The processor no longer requires the personal data for processing, but you need it to assert, exercise, or defend legal claims.
(4) If you have exercised your right to object to processing as per Art. 21 Sec. 1 GDPR and it has not been determined whether the the legitimate interest of the processor outweigh your interest.

If processing of the personal data related to you has been restricted, this data may only be processed (besides storage) with your express consent or to assert, exercise, or defend legal claims, or to protect the rights of other natural or legal persons, or for reasons of an important public interest of the European Union or a member state.

If restriction of processing was lifted based on the requirements above, you will be notified by the processor before this restriction is lifted.

Right to erasure

a) Obligation to erasure
You have the right to obtain from the controller the erasure of any personal data related to you and the controller is under the obligation to erase this data without undue delay provided one of the following grounds applies:
(1) The personal data related to you is no longer needed for the purpose for which it was collected or processed in any other way.
(2) You withdraw your consent for processing based on Art. 6 Sec. 1 a or Art. 9 Sec. 2 a GDPR and there is no other legal basis for processing.
(3) As per Art. 21 Sec. 1 GDPR, you object to processing and there are no superior legitimate reasons for processing; or, you object to processing as per Art. 21 Sec. 2 GDPR.
(4) The personal data related to you was processed unlawfully.
(5) Deletion of the personal data related to you is required to fulfil a legal obligation in line with EU law or law of member states to which the processor is subject.
(6) The personal data related to you was collected as per Art. 8 Sec. 1 GDPR with regard to the services offered by the information society.

b) Information to third parties
If the processor has published your personal data and is obligated to delete this data as per Art. 17 Sec. 1 GDPR, the processor shall take suitable measures taking into account the available technology and implementation costs, including those of a technical nature, to inform the processor responsible for processing the personal data that you as data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c) Exceptions
The right to erasure does not apply if processing is required
(1) to exercise the right to free expression of opinion and information;
(2) to meet a legal obligation requiring processing in accordance with the law of the European Union or a member state to which the processor is subject, or to carry out a duty in the public interest or in exercising official authority assigned to the processor;
(3) for reasons of public interest in the area of public health as per Art. 9 Sec. 2 h as well as Art. 9 Sec. 3 GDPR;
(4) for archiving purposes in the public interest, economic or historical research purposes, or for statistical purposes as per Art. 89 Sec. 1 GDPR provided that the right named in a) is not expected to render attainment of the objectives of this agreement impossible or have a serious negative effect, or
(5) To assert, exercise, or defend legal claims.

Right to be informed
If you have exercised your right to rectification, erasure, or to restrict processing vis-à-vis the processor, the processor is obligated to notify all recipients to which your personal data was disclosed of rectification or deletion of the data, or restriction to its processing, unless this proves to be impossible or requires a disproportional amount of effort. You have the right to be informed of these recipients by the processor.

Right to data portability
You have the right to receive the personal data related to you that you have provided to the processor in a structured, commonly used, machine-readable format. In addition, you have the right to pass on this data to another processor without interference of the processor to which you have provided the personal data, provided
(1) Processing is based on consent as per Art. 6 Sec. 1 a GDPR or Art. 9 Sec. 2 a GDPR, or on a contract as per Art. 6 Sec. 1 b GDPR and
(2) Processing is carried out by automated processes.

In exercising this right, you also have the right to demand your personal data be transferred directly from one processor to another processor, provided this is technically feasible. This must not negatively affect the freedoms and rights of other individuals.

The right to data portability does not apply to processing of personal data required or to carry out a duty in the public interest or in exercising official authority assigned to the processor.

Right to object
You have the right to object to the processing of your personal data based on Art. 6 Sec. 1 e or f GDPR for reasons resulting from your particular situation at any time; this also applies to profiling based on these provisions.

The processor no longer processes your personal data unless the processor can provide compelling legitimate reasons that outweigh your interests, rights, and freedoms, or processing serves to assert, exercise, or defend legal claims.

If the personal data related to you is processed to carry out direct advertising, you have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling provided directly related to such direct advertising.

If you object to processing for purposes of direct advertising, your personal data will no longer be processed for this purpose.

You have the option to exercise your right to object by means of an automated process which uses technical specifications in connection with the use of services provided by the information society, directive 2002/58/EC notwithstanding.

Right to withdraw consent to use of data
You have the right to withdraw your consent to the use of your data at any time. Withdrawing your consent does not affect the lawfulness of the processing taking place based on your consent up to withdrawal.

Automated decision-making, including profiling
You have the right to not be subjected to a decision based solely on automated processing, including profiling, that has a legal effect on you or affects you significantly in a similar manner. This does not apply if the decision
(1) Is required to conclude or fulfil a contract between you and the processor,
(2) Is permissible based on legal provisions of the European Union or a member state to which the processor is subject and these legal provisions contain suitable measures to protect your rights and freedoms as well as your legitimate interests, or
(3) Is carried out with your express permission.

However, these decisions shall not be based on special categories of personal data as per Art. 9 Sec. 1 GDPR provided Art. 9 Sec. 2 a GDPR applies and suitable measures have been taken to protect your rights and freedoms as well as your legitimate interests.

With regard to the cases named in (1) and (3), the processor shall take appropriate measures to ensure your rights and freedoms as well as your legitimate interests, including at least the right to request an individual on the side of the processor to intervene, to present your own position, and to contest the decision.

Right to appeal to the authorities
Notwithstanding any other administrative or judicial decision, you have the right to appeal to the authorities, especially in the member state where you are located, of your workplace, or of the location of the alleged violation if you believe that the processing of your personal data is in violation of GDPR.
The authority receiving the appeal shall inform the appealing party of the status and result of the appeal, including the option for a legal decision as per Art. 78 GDPR.

We reserve the right to change the policy at any time subject to data privacy regulations.

13. Contact

If you have any questions, requests, or complaints related to data privacy, please contact us at the address named in item 2.

Version: September 2019