DATA PROTECTION DECLARATION OF INNOVESTMENT GMBH
for the platform www.innovestment.eu

We are pleased about your visit on our platform. For your convenience we have provided a translation of our Datenschutzerklärung - Data Protection declaration. This translation is for informal purposes only, and the definitive version of this page is the German version.

This privacy policy also applies to our other services and online presences. In the following, we inform you in detail about the type, scope and purpose of the personal data collected, used and processed by us and inform you about your rights you are entitled to.

We reserve the right to change the privacy policy at any time with effect for the future. If you visit our platform again, the updated and published data protection declaration applies. The respective current version of the data protection declaration can be accessed, saved and printed out at any time on our platform.

With regard to the terms used (e.g. personal data, person responsible) we refer to the definitions of the EU General Data Protection Regulation (GDPR).

I. NAME AND ADDRESS OF THE RESPONSIBLE PERSON

Responsible party within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations:

Innovestment GmbH

Managing Director: Christin Friedrich

Friedrichstrasse 68, 10117 Berlin, Germany

e-mail: [email protected]

Phone: +49 30 577 010 870

II. GENERAL INFORMATION ON DATA PROCESSING

1. The scope of processing

As a matter of principle, we collect and use personal data only to the extent that this is necessary to provide a functional platform and our content and services, you have given your consent or the processing of the data is permitted by a legal regulation.

2. The legal basis for the processing of personal data

Insofar as we obtain your consent for processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis for the processing of personal data.

When processing personal data which is necessary for the performance of a contract to which you are a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations which are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or of a third party and if your interests, fundamental rights and freedoms do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

3. Legitimate interests in the processing

If the processing of your personal data is based on Art. 6 para. 1 lit. f GDPR, our legitimate interest, unless otherwise stated, is the performance of our business activities. In all other respects, we have stated our purposes and interests in each case within the framework of the above list of processing.

4. Data deletion and storage duration

Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply or you revoke your consent. Furthermore, data may be stored if this has been provided for by the European or national legislator in union-law ordinances, laws or other regulations to which the person responsible is subject. If the purpose of storage ceases to apply, if you revoke your consent or if a storage period prescribed by the European Directive and Regulation Giver or any other competent legislator expires, the personal data will be blocked or deleted as a matter of routine and in accordance with the statutory provisions, unless it is necessary to continue storing the data in order to conclude or fulfil a contract.

5. Recipient of the collected data / data transmission

Recipients of the data collected via our platform are primarily us as a responsible company. In addition, at best, contract processors (web hosters, IT service providers, etc.) have access to the data collected via our platform. Compliance with the legal regulations is, however, guaranteed in this respect by processing contracts which we conclude with our processors based in the EU. Data will only be transferred to so-called third countries outside the EU if and insofar as this has been pointed out below.

6. The need to disclose personal data

You can visit our platform without personal data being collected. However, if you wish to make use of our services, the provision of personal data is mandatory for the execution of the contract.

7. The existence of automated decision-making

We do not carry out automatic decision making or profiling in the sense of Art. 22 GDPR.

8. Data security

We secure our platform and other systems through comprehensive technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons. These measures are subject to constant review and improvement in order to guarantee the current state of the art.

III. DATA PROCESSING WHEN USING OUR PLATFORM AND OUR SERVICES

1. Access data in server log files

Our hosting provider automatically saves access data in so-called server log files every time our platform is accessed.

This includes the date and time of retrieval.

Temporary storage of the IP address by the system is necessary to enable delivery of the platform to your end device. For this purpose, your IP address must remain stored for the duration of the session.

The legal basis for the temporary storage of your data and log files is Art. 6 para. 1 lit. f GDPR.

This data is evaluated exclusively to ensure the permanent and trouble-free operation of the platform and to improve the contents of our platform as well as for transmission to law enforcement agencies in the event of a cyber attack and to ensure the security of our information technology systems. For this purpose, the above-mentioned data will be stored for a maximum of 7 days. Data whose further storage is required for evidence purposes will be stored until the respective incident has been finally clarified.

The collection of data for the provision of the platform and the storage of the data in log files is absolutely necessary for the operation of our platform. There is therefore no possibility of objection.

2. Use of cookies

In order to make visiting our platform attractive and to enable the use of certain functions, we use so-called "cookies" on our platform. These are small text files which are stored and saved on your end device via a browser.

Many cookies contain a so-called cookie ID. It consists of a string of characters which can be used to assign websites and servers to a specific browser in which the respective cookie was stored.

We set the following cookies:

Name des Cookies Function of the cookie Collected data Storage duration
__cfduid The _cfduid cookie helps us to detect malicious visitors to the platform and minimizes blocking of legitimate users. The _cfduid cookie collects and anonymizes end-user IP addresses with a one-way hash of certain values so that they cannot be personally identified. 1 year
__cflb The __cflb cookie ensures that a user is redirected to the same server for all requests to our platform. A unique randomized value. 24h
web-director-info The web-director-info cookie enables us to identify a user of our platform across all requests to our platform. A unique randomized value. Data about the origin (referrer) of the user. No personal data. 1 year
web-director- session The web-director-session cookie enables us to identify expired sessions. A unique randomized value. Time of last activity. 24h
web-director-vh The web-director-vh cookie enables us to recognize users as real visitors to protect us from bots. True or False No time lapse
WD_COOKIE_GDPR _CONSENT The WD_COOKIE_GDPR_CONSENT allows us to determine whether a user has read the privacy statement on our site. True or False No time lapse

The purpose of using technically necessary cookies is to simplify the use of our platform for you, e.g. your settings are saved. Some functions of our platform cannot be offered without the use of cookies. For these it is necessary that your browser is recognized even after a page change. If cookies are not accepted or deactivated, the functionality of our platform may be limited.

The legal basis for the processing of personal data using necessary cookies is Art. 6 para. 1 lit. f GDPR.

We also use cookies on our platform which enable an analysis of your surfing behaviour. We inform you about these in the corresponding section of this data protection declaration.

Some third party services that we integrate may also use cookies. Please refer to the websites of the respective providers for information on how they work and how they process data. The services used by us can be found in this privacy policy.

You will be informed about the use of cookies when you access our platform. Within the framework of the so-called cookie banner you can declare your consent to the processing of the personal data used in this context. In this context, a reference to this data protection declaration is also made. You can revoke your consent at any time with effect for the future.

The legal basis for the processing of personal data using cookies, which are not necessary for the operation of our platform, is Art. 6 para. 1 lit. a GDPR, if you have given your consent to this.

Cookies are stored on your end device and transmitted to our platform. You therefore have control over the use of cookies. You can set your browser so that you are informed about the setting of cookies and can decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general or set it so that the setting of cookies is prevented and thus permanently contradict the setting of cookies. In addition, you can delete already set cookies at any time via your browser. A comprehensive objection to online marketing cookies can also be declared at http://www.youronlinechoices.com/. This also applies to all third-party cookies listed below.

3. Collection and use of data during registration and use of our services/use of our services

You have the possibility to register on our platform. As part of the registration process, we are required by law to collect certain data from investors (Investors) such as knowledge and experience in relation to transactions with certain types of financial assets or data from identification documents (e.g. identity card or passport) ("Mandatory Data"). The scope of this data query is defined by the Financial Investment Brokerage Ordinance (Finanzanlagenvermittlungsordnung - FinVermV) and the Capital Investment Information Sheet Audit Ordinance (Vermögensanlagen-Informationsblatt- Bestätigungsverordnung - VIBBestV). Mandatory information within the scope of registration is marked with an asterisk and is required for the conclusion of the user contract. Which data is collected can be seen from the respective input forms. Within the scope of registration as a natural person, these are: Your name and your e-mail address, your address and your telephone number, your date and place of birth as well as data on your identity document. If you register as a company, we will collect your e-mail address, company name, company form, date of incorporation, registration number, registry administrator, address and the following data on your representative: his name, address, telephone number, date and place of birth and data on his identity document. You must also create a password. If you do not provide these details, you cannot create a user account.

The legal basis for the processing of your data is the fulfilment of our contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

We use the information you provide to authenticate you when you log in and to respond to requests to reset your password, to verify your authorization to manage the user account, to enforce the Platform's terms of use and all related rights and obligations, and to contact you in order to send you technical or legal notices, updates, security messages or other messages concerning, for example, the management of the user account. We therefore only use the data you provide us with to process the contract and to provide our services to be rendered within the scope of the contract. We may also pass on your data to one or more order processors (e.g. parcel service or payment service provider), who will also use your data exclusively for internal use on our behalf.

We also store your IP address and the date and time of registration in order to prevent the misuse of our platform and the services offered on it and to clarify any criminal offences committed. The storage of this data is therefore necessary for our own protection. The legal basis for this processing of personal data is Art. 6 para. 1 lit. f GDPR. The above-mentioned purposes also constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

In the context of the use of our services, we also use the data provided by you during registration.

The legal basis for the processing of your data is the fulfilment of our contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

For the purpose of contract processing, we transfer your data to the companies in which you have invested via our platform. These companies require the necessary personal data (name, place of residence, year of birth and investment) for the execution and processing of the contractual relationship.

This data will not be passed on to third parties, unless there is a legal obligation to do so or the passing on of the data serves criminal prosecution.

After complete processing of the contract or deletion of your account, your data will first be blocked for further use and then deleted after the legal retention periods have expired, unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes that are permitted by law and about which we inform you below.

You have the possibility to object to the processing at any time and to delete your account. In such a case the contractual relationship with you cannot be continued.

4. Partner program - data of the intermediaries

You have the opportunity to register for our partner program and recommend Innovestment and the investments we broker through our partner program.

To do this, you must provide third parties with a corresponding affiliated link, a so-called partner link. The third party is provided with a unique identification feature via the partner link, without stating your name and first name in the link.

In the event of a successful recommendation by several third parties, we will link the investment sums made by the third parties via the platform to your account, but without providing any further identification features.

We also use the account data you have provided us with to pay you the corresponding commissions.

The legal basis for the processing of your data is accordingly the fulfilment of the partner contract with you in accordance with Art. 6 Para. 1 lit. b GDPR.

We only use the data you provide us with for the contract processing of the partner program.

We also store your IP address and the date and time of recommendation e-mails sent via the partner program in order to prevent misuse of the partner program and to clarify any criminal offences committed. The storage of this data is therefore necessary for our own protection. The legal basis for the processing of personal data is Art. 6 para. 1 lit. f GDPR. The above-mentioned purposes also constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

After complete processing of the contract or deletion of your account, your data will first be blocked for further use and then deleted after the legal retention periods have expired, unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes that are legally permitted and about which we inform you below.

5. Partner program - data of the recruited

Registered agents have the possibility to advertise our services and offers on our platform. For this purpose, intermediaries can integrate a direct link (a so-called partner link) to our offers on their website or send this partner link to interested third parties by e-mail. The third party is provided with a unique identification feature of the agent via the partner link in order to be able to assign the advertised third party to the respective agent.

We use cookies in order to be able to trace the origin of the advertised third party and its corresponding investment. Each time a (sub)page of the agent's website on which our cookie has been integrated is called up, the browser on the end device of the advertised third party is automatically prompted to transmit data to us for the purposes of online advertising and the settlement of commissions. In this way, we obtain knowledge of personal data which serves to trace the origin of investments received by us and subsequently enable us to invoice commissions. Among other things, we can recognize that the recruited third party has clicked on the partner link on the relevant website or in the relevant e-mail.

The legal basis for the processing of personal data is Art. 6 para. 1 lit. a GDPR, if consent has been given.

The recruited third party can give his consent e.g. via the cookie banner of the agent or directly to the agent and revoke it in the settings at any time with effect for the future.

6. Platform analysis

We use an analysis tool on our platform. With this tool we can perform an analysis of your use of the platform. We use cookies for this purpose. Every time you call up a page on our platform, your browser on your end device is automatically prompted to transmit data to us for the purpose of analysis. In the course of this, your pseudonymised IP address, information on the operating system and browser used, geo-information, the URL called up, the website from which the individual page called up was accessed (referrer site), the sub-pages accessed from the website called up, your length of stay on the website, search terms entered by you, the videos viewed by you, the frequency with which our website is accessed.

Your IP address is immediately pseudonymised during this process so that we can no longer assign the IP address directly to you as a person. The software runs exclusively on our servers.

We use the collected data to evaluate the use of our platform by you and our other users and thereby constantly improve our platform.

7. Social media

In addition to this platform, we also maintain presences in various social networks. If you visit such a presence, personal data may be transmitted to the provider of the social network. It is possible that, in addition to the storage of the data you specifically entered in this social network, further information may also be processed by the social network provider. Thus, your data is usually processed for market research and advertising purposes, among other things, to create corresponding user profiles and to display personalised advertising to you. For this purpose, the social network provider usually stores cookies on your end device, in which your usage behaviour and interests are stored. In addition, the social network provider may process the most important data of the computer system from which you visit it, for example your IP address, the type of processor used and browser version including plug-ins.

If you are logged in with your personal user account of the respective network during the visit of such a network, this network can assign the visit to your account. If you do not wish to have such an assignment, you must log out of your account and delete the cookies before visiting our social media presence.

The legal basis for the processing of personal data is Art. 6 para. 1 lit. f GDPR. Provided that you have given your consent for processing to the respective provider of the social network, the legal basis for processing your data is Art. 6 para. 1 lit. a GDPR.

We maintain a presence in the respective social networks in order to be able to communicate with you there and inform you about our services. These purposes also include our legitimate interest in the processing of personal data in accordance with Art. 6 para. 1 lit. f GDPR.

For further information on the purpose and scope of data collection as well as on the further processing and use of your data and the possibility to opt-out, please refer to the data protection regulations of the respective network:

Facebook

Facebook is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We have entered into a data sharing agreement with Facebook pursuant to Art. 26 GDPR. For more information on data sharing, please refer to the Facebook terms and conditions.

Privacy policy: https://www.facebook.com/about/privacy/

Opt-Out: https://www.facebook.com/settings?tab=ads

Twitter

Twitter is operated by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

Privacy policy: https://twitter.com/en/privacy 

Opt-out: https://twitter.com/personalization

Google/YouTube

Google and Youtube are operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The USA is an unsafe third country. However, Google LLC has voluntarily certified itself under the US-EU Privacy Shield Agreement, thereby committing itself to comply with EU privacy standards. The entity responsible for Germany is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Privacy policy: https://policies.google.com/privacy

Opt-out: https://adssettings.google.com/authenticated

LinkedIn

LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland.

Privacy policy: https://www.linkedin.com/legal/privacy-policy

Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Xing

Xing is operated by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany.

Privacy policy and opt-out: https://privacy.xing.com/en/privacy-policy

8. Integration of Youtube

On our platform we integrate videos from the social network youtube.com, which is operated by YouTube, LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA ("YouTube"). YouTube LLC is a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA. The entity responsible for Germany is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you access our platform, your browser establishes a direct connection with the YouTube servers. Your browser is automatically prompted by the respective video embedded on our platform to download a representation of the corresponding component from YouTube. In the course of this technical process, YouTube is informed about which specific subpage of our platform you are visiting.

If you use the videos, the corresponding information - e.g. the activation of the play button - is transmitted from your browser to YouTube, possibly linked to your user account and stored.

The legal basis for the use of your data is Art. 6 para. 1 lit. f GDPR.

Our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR lies in the optimisation and economic operation of our platform.

If you are logged in with your personal Google Account during your visit to our platform, YouTube may associate your visit and the specific sub-pages of our platform you visited with your account.

If you don't have a Google Account, there is still the possibility that YouTube may store your IP address.

If you do not wish to receive such processing, you must log out of your Google Account and delete your cookies before visiting our platform.

You can object to the use of your data by Google at any time by clicking on the following link: https://adssettings.google.com/authenticated.

For more information about privacy, please see the YouTube privacy policy: https://policies.google.com/privacy.

9. Integration of Google Maps

We integrate the Google Maps API on our platform, a map service for displaying maps and creating directions to make it easier for you to find our location. Google Maps is operated by Google LLC (www.google.de), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Responsible for Germany is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google reserves the right to transfer data to Google LLC in the USA. However, Google LLC has voluntarily certified itself under the US-EU Privacy Shield Agreement and is thus committed to complying with EU data protection requirements.

By visiting our platform, Google receives the information about the call of our platform as well as other log files, if applicable. Google stores and uses the data for the purposes of advertising, market research and/or the design of its own services to meet requirements. This cookie is usually not deleted by closing the browser, but expires after a certain time (up to 24 months), unless you delete it first.

The legal basis for the use of Google Maps is Art. 6 para. 1 lit. f GDPR. The purpose of the data processing is to enable us to find our location.

You have the possibility to easily deactivate the service of Google Maps and thus prevent the data transfer to Google:

To do this, deactivate JavaScript in your browser. However, we would like to point out that in this case you will not be able to use the map display. By using this platform and not deactivating the JavaScript function, you expressly declare, in full knowledge of the data protection issues, that you agree to the processing of the data collected about you by Google in the manner described above and for the aforementioned purpose.

You can object to the use of your data by Google at any time by clicking on the following link: https://adssettings.google.com/authenticated.

For further information on data protection, please refer to the data protection regulations of Google: https://policies.google.com/privacy.

10. Newsletter

You can register to receive our newsletter. Our newsletter appears regularly and contains information about our projects as well as about the industry and relevant events.

To register, you must provide us with your e-mail address. Other information that serves to optimise the newsletter can be provided voluntarily. The registration takes place in a so-called double opt-in procedure. After registering on our platform, you will receive a confirmation e-mail from us in which you must confirm your registration once again. This entire process is documented and saved. This includes the storage of the registration and confirmation time as well as the storage of your IP address. The collection of this data is necessary so that we can trace the processes in the event of misuse of the e-mail address and therefore serves as a legal safeguard. By subscribing to our newsletter, you agree to receive it.

We use the data you provide during registration exclusively to send you our newsletter. Furthermore, we could inform you if this is necessary for the operation of the newsletter, e.g. in case of changes in the newsletter offer or if technical conditions change.

The legal basis for the processing of your data after registration for the newsletter is Art. 6 para. 1 lit. a GDPR, if you have given your consent.

You can revoke your consent to the storage and use of your personal data to receive the newsletter at any time with effect for the future. To revoke your consent, you can use the link provided for this purpose in the newsletter or inform us of your revocation by e-mail to the following address: [email protected]

Your data will be deleted as soon as they are no longer required for the purpose of their collection. Your e-mail address will therefore be stored for as long as your subscription to the newsletter is active.

11. E-mail

Due to legal regulations, we provide information on our platform that enables rapid electronic contact with us and direct communication with us. This includes above all our e-mail address. As far as you contact us by e-mail, the personal data transmitted by you will be stored automatically.

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 Par. 1 lit. f GDPR. If the purpose of the contact is the conclusion of a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR..

However, we use the personal data provided by you exclusively for the processing of your concrete inquiry. The data provided will always be treated confidentially.

Your details may be stored in a customer relationship management system (CRM system) or other customer data organisation tool.

The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. For personal data sent by e-mail, this is the case when the respective conversation with you has ended. The conversation is finished when it can be concluded from the circumstances that the matter in question has been finally clarified.

If you contact us, you can object to the storage of your personal data at any time. In such a case the conversation cannot be continued.

12. Appointments via Calendly

You have the possibility to make an appointment with us on our platform. We use the online calendar "Calendly" to request and select an appointment. "Calendly" is an offer from Calendly, LLC, 3423 Piedmont Road NE, Atlanta, GA 30305-1754, United States.

When you book an appointment, you will automatically be connected to our Calendly appointment account. After you have chosen your appointment, confirmed it and entered your contact details and concerns, Calendly will send you an email confirming your appointment. For more information about Calendly and Calendly Privacy Policy, please visit https://calendly.com/pages/privacy

Your details from the Calendly form, including the data you enter there, will be stored by us for the purpose of processing your enquiry and in the event of follow-up questions. This data remains with us until you request us to delete it, revoke your consent to store it or the purpose for which it was stored ceases to apply (e.g. appointment made). Mandatory legal provisions - in particular retention periods - remain unaffected.

We have also completed a "Data Processing Addendum" with Calendly. This is a contract in which Calendly undertakes to protect the data of our users, to process it on our behalf in accordance with Calendly's Privacy Policy and in particular not to pass it on to third parties. You can find more information about Calendly and the privacy policy at Calendly here: https://calendly.com/pages/privacy.

13. Payment service provider

We use the following external payment service providers to process payments:

Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland

You transmit to the respective payment service provider your inventory data, such as first name, surname, address, date of birth, gender, e-mail address, IP address, telephone number, mobile phone number as well as your bank data, as far as they are necessary for payment processing, e.g. account numbers, credit card numbers, passwords, TANs, check numbers, validity date and CVC code. For the processing of the payment also such personal data are necessary, which are in connection with your respective investment, such as the amount of the investment and fiscal charges, which we transmit to the respective payment service provider.

The transmission of the data is exclusively for the purpose of payment processing. The legal basis for the transmission of the data to the respective payment service provider is therefore Art. 6 para. 1 lit. b. GDPR, insofar as the payment serves to fulfil a contract. Otherwise, we use external payment service providers on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f. GDPR in order to offer you an effective and secure payment option.

We do not get access to the entered data, they are processed and stored exclusively by the payment service providers. The payment service providers may transfer your data to credit agencies for identity and credit checks and fraud prevention.

Payment transactions are subject to the terms and conditions of the respective payment service provider. For further information on data protection, please refer to the respective data protection declaration:

Stripe Payments Europe Ltd: https://stripe.com/de/privacy#pagmt

IV. RIGHTS CONCERNED

If your personal data is processed, you as a data subject within the meaning of the GDPR are entitled to the following rights:

1. Right to information (Art. 15 GDPR)

In addition, you have the right to receive free information from us at any time about the personal data stored about you and a copy of this information. You also have a right to information regarding the following information:

  • the processing purposes,
  • the categories of personal data processed,
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients in third countries or to international organisations,
  • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration,
  • the existence of a right of rectification or erasure of personal data concerning you or of a right to have the processing limited by the controller or to object to such processing
  • the existence of a right of appeal to a supervisory authority,
  • if the personal data are not collected from the data subject: all
  • available information on the origin of the data and,
  • the existence of automated decision making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing on the data subject.

Furthermore, you have the right of information as to whether personal data has been transferred to a third country or to an international organisation. If this is the case, you also have the right to obtain information about the appropriate guarantees in connection with the transfer.

2. Right of rectification (Art. 16 GDPR)

You have the right to request the immediate correction and/or completion of incorrect or incomplete personal data concerning you. We must make the correction without delay.

3. Right to restrict processing (Art. 18 GDPR)

You have the right to demand that we restrict processing if one of the following conditions is met:

  • The accuracy of the personal data is contested by the data subject, for a period of time that allows the controller to verify the accuracy of the personal data.
  • The processing is unlawful, the data subject refuses to have the personal data deleted and instead requests that the use of the personal data be restricted.
  • The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the purpose of exercising or defending legal claims.
  • The data subject has lodged an objection to the processing pursuant to Art. 21 para. 1GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh those of the data subject.

Where the processing of personal data relating to you has been restricted, such data may be processed, with the exception of storage, only with your consent or for the purpose of pursuing, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

4. Right of cancellation (Art. 17 GDPR)

You have the right to demand that the personal data relating to you be deleted immediately if one of the following reasons applies and insofar as the processing is not necessary

  • The personal data has been collected or otherwise processed for purposes for which it is no longer necessary.
  • The data subject withdraws the consent on which the processing was based pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR and there is no other legal basis for the processing.
  • The data subject lodges an objection to the processing pursuant to Art. 21 para. 1 GDPR and there are no legitimate overriding reasons for the processing or the data subject lodges an objection to the processing pursuant to Art. 21 para. 2 GDPR.
  • The personal data were processed unlawfully.
  • The deletion of personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • The personal data was collected in relation to information society services offered in accordance with Art. 8 Paragraph 1 of the GDPR.

If the personal data have been made public by us and if we, as data controllers, are obliged to delete the personal data pursuant to Art. 17 para. 1 GDPR, we shall take reasonable measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers who process the published personal data that the data subject has requested these other data controllers to delete all links to these personal data or copies or replications of these personal data, unless the processing is necessary.

  • The right to deletion does not exist insofar as the processing is necessary:
  • on the exercise of the right to freedom of expression and information;
  • in order to comply with a legal obligation to which the processing relates under Union or national law to which the controller is subject or in order to perform a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
  • for archiving, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to in section a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or
  • to assert, exercise or defend legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or limitation of processing against us, we are obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients.

6. Right to data transferability (Art. 20 GDPR)

You have the right to receive the personal data concerning you which you have provided us with in a structured, common and machine-readable format. You also have the right to have this data communicated to another controller without hindrance from us, provided that the processing is based on the consent pursuant to Art. 6 para. 1 lit a GDPR or Art. 9 para. 2 lit a GDPR or on a contract pursuant to Art. 6 para. 1 lit b GDPR, and provided that the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority delegated to us.

Furthermore, when exercising your right to data transfer in accordance with Art. 20 Paragraph 1 GDPR, you have the right to request that personal data be transferred directly from us to another responsible party, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other persons.

The right to data transferability shall not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right of appeal (Art. 21 GDPR)

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out pursuant to Art. 6, paragraph 1, letters e or f of the GDPR. This also applies to profiling based on these provisions.

In the event of an objection, we no longer process the personal data unless we can prove compelling reasons for processing worthy of protection that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

To exercise your right of objection, you can contact us at any time.

8. Right to revoke a data protection consent

You have the right to revoke your consent to the processing of personal data at any time. Revocation of your consent does not affect the lawfulness of the processing that has taken place on the basis of your consent until revocation.

9. Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you is in breach of the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

DATED: February 26, 2020

Download privacy policy as PDF

 

bhp