Privacy Policy for the use of the website of
BIW Isolierstoffe GmbH
www.biw.de

 

I. Name and address of controller

The controller in terms of the General Data Protection Regulation and other national data protection laws of the EU Member States and other data protection regulations is:

BIW Isolierstoffe GmbH
Pregelstr. 5
58256 Ennepetal
Germany
Tel.: +49 (0) 23 33 / 83 08 – 0
Email: infonothing@biw.de
Website: https://www.biw.de

 

II. Data Protection Officer

Our data protection officer can be reached at datenschutznothing@biw.de or by postal letter addressed to our company (please add “Att: Data Protection Officer”).

 

III. General information on data processing

1. Scope of the processing of personal data

As a rule, we only process personal data of our users if and to the extent this is required for providing a functional website and offering our contents and services. As a rule, we only process personal data of our users after they have given their consent to the processing. An exemption applies in those cases where it is impossible to obtain prior consent for factual reasons and processing of the data is permitted by law.

2. Legal basis for the processing of personal data

If and to the extent that we obtain consent from the data subject to the processing activities, Art. 6 subs. 1 a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing.

Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 1 subs. 1 b) GDPR serves as the legal basis for the processing.

This also applies for processing activities that are necessary for taking steps prior to entering into a contract.

If and to the extent that the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 1 subs. 1 c) GDPR serves as the legal basis for the processing.

Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 1 subs. 1 d) GDPR serves as the legal basis for the processing.

Where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 1 subs. 1 f) GDPR serves as the legal basis for the processing.

3. Erasure of data and duration of storage

The personal data of the data subject is erased or blocked as soon as the purpose of storage ceases to exist. The data can be stored beyond that time if this is provided for by European or national legislation in EU Regulations, EU laws or other provisions to which the controller is subject. The data is also erased or blocked as soon as the storage period prescribed by the aforesaid regulations expires unless further storage of the data is necessary for the conclusion or performance of a contract.

 

IV. Provision of the website and generation of log files

1. Description and scope of the data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected in this context:

(1) Information on the type of the browser and the browser version used

(2) Information on the operating system and the version used

(3) Referrer (“referring page”)

(4) IP address (shortened)

(5) Date and time of access

(6) Website which is accessed by the system of the user via our website

(7) Successful loading or error in loading

(8) Data volume

This data is also stored in the log files of our system. The data is not stored together with other personal data of the user.

2. Legal basis for the data processing

The legal basis for the temporary storage of the data and log files is Art. 6 subs. 1 f) GDPR.

3. Purpose of the data processing

Temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For such purpose, the IP address of the user must be and remain stored during the session.

The data is stored in log files to ensure the functionality of the website. Moreover, the data helps us to optimise the website and ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context.

The said purposes also constitute our legitimate interest in the processing in terms of Art. 6 subs. 1 f) GDPR.

4. Duration of storage

The data is erased when and as soon as it is no longer needed to achieve the purpose of the data collection. Where the data is collected for the purpose of making the website available, the data is erased when and as soon as the relevant session is closed.

Where the data is stored in log files, the data is erased after seven days at the latest. However, the data can also be stored beyond that time. In this case, the IP addresses of the users are erased or masked such that the accessing client can no longer be allocated to such data.  

5. Opposition and elimination

The collection of the data for the purpose of making the website available and the storage of the data in log files are indispensable for operating the website. Thus, the user has no possibility to oppose.

 

V. Use of cookies

a) Description and scope of the data processing

Our website uses cookies. Cookies are small text files which are stored in or by the Internet browser on the user’s computer system. When a user accesses a website, a cookie can be stored on the operating system of the user. This cookie contains a characteristic character string which enables unambiguous identification of the browser when the website is accessed again.

We use cookies to render our website more user-friendly. Some elements of our website require the accessing browser to be identified also after you have switched from one page to another.

In this context, the following data is stored in the cookies:

Log-in information

In addition, we use cookies on our website which enable us to analyse the web surfing behaviour of the user.

The following data can be transferred thereby:

(1) Search terms entered

(2) Frequency of page access

(3) Use of website functions and features

The user data collected in this way is anonymised and pseudonymised by appropriate technical measures such that the data can no longer be allocated to the accessing user. The data is not stored together with other personal data of the users.

When the users access our website, they are informed by an appropriate information banner that the website uses cookies for analysis purposes and they are referred to this Privacy Policy. In this context, the users are also instructed on how they can prevent the storage of cookies in their browser settings.

b) Legal basis for the data processing

The legal basis for the processing of personal data involving the use of cookies that are necessary for technical reasons is Art. 6 subs. 1 f) GDPR.

The legal basis for the processing of personal data involving the use of cookies for analysis purposes is Art. 6 subs. 1 a) GDPR when the user has given his consent to this processing.

c) Purpose of the data processing

The purpose pursued by using cookies which are necessary for technical reasons is to render the use of websites easier for the users. Some functions and features of our website cannot be offered without cookies. These functions and features require the browser to be recognised and identified also after the user has switched from one page to another.

We need cookies for the following applications:

(1) Website navigation and function control

The user data which is collected by cookies which are necessary for technical reasons is not used for the preparation of user profiles.

Analysis cookies are used to improve the quality of our website and its contents. The analysis cookies show us how the website is used, so that we are able to continuously optimise our presentation and services.

The aforesaid purposes also constitute our legitimate interest in the processing of the personal data in terms of Art. 6 subs. 1 f) GDPR.

d) Duration of the storage, opposition and elimination

Cookies are stored on the computer of the user and transmitted to our website from this computer. That is why you as the user have full control over the use of cookies. You can set or adjust your Internet browser to prevent or restrict the transmission of cookies. You can at any time delete cookies that have already been stored. This can also be done automatically. If you deactivate cookies for our website, you may possibly be unable to use all functions and features of the website without restrictions.

In the case of Flash cookies, you cannot prevent their transmission in your browser settings, but only by changing the settings of the Flash player.

 

VI. Contact form and email contact

1. Description and scope of the data processing

A contact form is available on our website which can be used if you want to contact us electronically. When a user makes use of the contact form, the data he enters in the form is transferred to us and we store this data. Depending on how and to what extent it is entered by the user, this data includes:

(1) Form of address/ title

(2) Name

(3) Company name

(4) Address

(5) Telephone number

(6) Email address

(7) Concern/ request and message

In addition, the following data is stored at the time you send us the message:

(1) IP address of the user

(2) Date and time of registration

When you send us the contact form or email, we ask you for your consent to the processing of the data and refer to this Privacy Policy.

Alternatively, you can contact us via the email address indicated on our website. In this case, we store the personal data of the user which is transferred in his email.

The data transferred in this way is not disclosed or transferred to third parties. The data is exclusively used for processing the conversation.

2. Legal basis for the data processing

The legal basis for the processing of the data is Art. 6 subs. 1 a) GDPR when the user has given his consent to the processing.

The legal basis for the processing of the data that is transferred in the context of an email sent to us is Art. 6 subs. 1 f) GDPR. Where the email contact is established for the purpose of concluding a contract, Art. 6 subs. 1 b) GDPR constitutes an additional legal basis.

3. Purpose of the data processing

The processing of the personal data entered in the form exclusively serves to process your contact request. If you contact us by email, this constitutes at the same time the required legitimate interest in the processing of the data.

The other personal data processed during email transmission serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data is erased when and as soon as it is no longer needed to achieve the purpose of the data collection. In the case of personal data collected from the contact form or personal data transferred to us by email, the data is erased when and as soon as the relevant conversation with the user is terminated. The conversation is deemed terminated when it can be concluded from the specific circumstances of the case that the issue in question has been finally settled.

The additional personal data collected during email transmission is erased after seven days at the latest.

5. Opposition and elimination

The user has the right to withdraw his consent to the processing of the personal data at any time. When the user contacts us by email, he can oppose the storage of his personal data at any time. In this case, the conversation cannot be continued.

For this, it is sufficient to send us an email in which you communicate your request to: datenschutznothing@biw.de.

In this case, all personal data that was stored in the context of contacting us is erased.

 

VII. Application form

1. Description and scope of the data processing

We provide an application form on our website which you can use to file an electronic application for vacancies which we have published. If a user makes use of this option, the data he enters in the application form is transferred to us and stored.

This data includes – depending on how and to which extent it is entered by the user – :

(1) Form of address/ title

(2) First name, last name

(3) Address

(4) Address

(5) Telephone number/ cell phone number

(6) Email address

(7) Previous job and previous salary

(8) Desired job including desired entry date and desired salary

(9) Highest educational degree

(10) Curriculum vitae and application letter

In addition, the following data is stored at the time you send us the message:

(1) IP address of the user

(2) Date and time of registration

When you send us the application form, we ask you for your consent to the processing of the data and refer to this Privacy Policy.

Your personal data is collected and processed for no purposes other than that pursued by the application procedure which is to fill vacancies in our company. Your data, as a rule, is only transferred to the internal bodies and departments of our company which are responsible for the application procedure from time to time.

Your personal application data is not disclosed or transferred to other companies of our group unless you have given your explicit prior consent to the disclosure/transfer.

Your application data will not be used, disclosed or transferred to third parties for any purposes other than the aforesaid.

2. Legal basis for the data processing

The legal basis for the processing of the data is Art. 6 subs. 1 a) GDPR if you have given us your explicit consent to the processing, and also Art. 4 subs. 1 b) GDPR.

3. Purpose of the data processing

Your personal application data is collected and processed for no purposes other than that pursued by the application procedure which is to fill vacancies in our company.

The other personal data processed during the transmission of the application form serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

Your personal application data is, as a rule, erased six months after the termination of the application procedure at the latest. This does not apply where statutory provisions prevent the erasure or further storage is necessary for reasons of documentation or proof or when you have explicitly consented to an extended storage beyond that time.

The additional data which is collected during the transmission of the application form is erased after seven days at the latest.

5. Opposition and elimination

The user has the right to withdraw his consent to the processing of the personal data at any time. In this case, the user can no longer take part in the application procedure.

For this, it is sufficient to send us an email in which you communicate your request to: datenschutznothing@biw.de.

In this case, all personal data that was stored in the context of contacting us is erased.

 

VIII. Web analysis by Matomo

1. Scope of the processing of personal data

We use the open-source software tool Matomo on our website to analyse the web surfing behaviour of our users. The software places a cookie on the computer of the user. When the user accesses individual pages of our website, the following data is stored:

  1. Two bytes of the IP address of the accessing system of the user
  2. The accessed website
  3. The website from which the user was referred to the website accessed (referrer)
  4. The sub-pages which are accessed from the accessed website
  5. The duration of the visit to the website
  6. The frequency of website access

The software is exclusively executed on the servers of our web designer www.lessingtiede.de. The personal data of the users is stored nowhere else but on these servers. Lessingtiede.de processes the data exclusively on our instructions and on our behalf according to Art. 28 GDPR.

The software is configured such that the IP addresses are not stored in full but that 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). This ensures that the shortened IP addresses can no longer be allocated to the accessing computer.

2. Legal basis for the processing of personal data

The legal basis for the processing of the personal data of the users is Art. 6 subs. 1 f) GDPR.

3. Purpose of the data processing

The processing of the personal data of the users enables us to analyse the web surfing behaviour of our users. Evaluating the data obtained enables us to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in the processing of the data in terms of Art. 6 subs. 1 f) GDPR. The anonymisation of the IP address makes sure that the interest of the user in the protection of his personal data is sufficiently considered.

4. Duration of storage

The data is erased when and as soon as we no longer need it for the documentation purposes pursued by us.

In our case, this is after 30 days.

5. Opposition and elimination

Cookies are stored on the computer of the user and transmitted to our website from this computer. That is why you as the user have full control over the use of cookies. You can set or adjust your Internet browser to prevent or restrict the transmission of cookies. You can at any time delete cookies that have already been stored. This can also be done automatically. If you deactivate cookies for our website, you may possibly be unable to use all functions and features of the website without restrictions.

When you delete the deactivation cookie from your system after the deactivation, you have to place the opt-out cookie again to prevent web analysis cookies from being placed.

More detailed information on the privacy settings of the Matomo software is available under the following link: https://matomo.org/docs/privacy/ .

 

IX. Google Maps

We use the map service Google Maps via an API. This service is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). We must store your IP address to be able to use the functions and features of Google Maps. This information is, as a rule, transferred to a server of Google in the USA and stored there. The operator of this website has no influence on this data transfer.

We use Google Maps to ensure attractive online presentation of our services and to make it easy to find our location.

This is a legitimate interest in terms of Art. 6 subs. 1 f) GDPR.

Additional information on the handling of user data is available in the Privacy Policy of Google: https://www.google.de/intl/de/policies/privacy .

 

X. Social media (LinkedIn, Xing, YouTube, Facebook)

We can be found not only on our website but also on various social media. If you visit any of these sites, personal data might be transferred to the provider of the social network.

In addition to the data which you have deliberately entered in that social medium, also other data and information may be collected, processed or used by the provider of the social network. This provider might collect, process and use the most important data of the computer system from which you access the social media site such as your IP address, the type of processor used and the browser version including plug-ins.

If, while visiting such a social medium, you are logged in to your personal user account with the relevant provider, the latter can automatically allocate the visit to this account. If you do not want such an allocation to be made, you have to log out from your account before you visit the website.

Information on the purpose and scope of data collection by the relevant social medium and the further processing and use of your data there as well as the rights to which you are entitled in connection therewith is available in the terms of use of the relevant social medium:

LinkedIn terms
YouTube terms
Xing terms
Facebook terms

XI. YouTube components with enhanced data protection mode

On our website, we use components (videos) of YouTube, LLC, 901 Cherry Ave., 94066 San Bruno, CA, USA, which is a company of Google Inc.

Here, we use the “enhanced data protection mode” option provided by YouTube. As soon as you access a page which contains an embedded video, a connection is established to the YouTube servers and the content is presented on the Internet page through an appropriate message to your browser. Pursuant to the information provided by YouTube, only data is transferred to the YouTube server in the “enhanced data protection mode” including in particular the information from which of our Internet pages you are viewing the video. This information is allocated to your YouTube member account only if you are logged in to YouTube at the same time. You can prevent this allocation by logging out from your member account before you visit our website.

Further information on data protection by YouTube/Google is available in sec. XI.

 

XII. Newsletter

1. General

With the following information we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedures as well as your right of objection. By subscribing to our newsletter, you agree to the receipt and the procedures described.

Content of the newsletter: We send newsletters, e-mails and other electronic notifications with advertising information (hereinafter "newsletter") only with the consent of the recipient or a legal permission. Insofar as the contents of a newsletter are concretely described, they are authoritative for the consent of the users. Incidentally, our newsletter contains information about our services and us.

Double opt-in and logging: Registration for our newsletter takes place in a so-called double opt-in procedure. That is, after registration, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with external e-mail addresses. The registration for the newsletter will be logged in order to prove the registration process according to the legal requirements. This includes the storage of the login and the confirmation time, as well as the IP address. Likewise, changes to your data stored with the shipping service provider will be logged.

Credentials: To subscribe to the newsletter, it is sufficient to provide your e-mail address. Optionally, we ask you to provide a name so that we can address you personally in the newsletter.

The dispatch of the newsletter and the associated performance measurement are based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a and Art. 7 GDPR in conjunction with § 7 para. 2 no. 3 UWG or, if consent is not required, on our legitimate interests in direct marketing pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with § 7 para. 3 UWG.

The logging of the registration process is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Our interest lies in the use of a user-friendly and secure newsletter system, which serves both our business interests and the expectations of the users and also allows us to provide proof of consent.

Termination / Revocation: You may terminate the receipt of our newsletter at any time, i.e. revoke your consent. A link to cancel the newsletter can be found at the end of each newsletter. We may save the submitted email addresses for up to three years based on our legitimate interests before we delete them, in order to be able to prove prior consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for cancellation is possible at any time, provided that at the same time the former existence of a consent is confirmed.

2. Shipping service provider: mailingwork GmbH

The dispatch of the newsletter takes place by means of the mailing service mailingwork GmbH, Birkenweg 7, 09569 Oederan, Germany. The privacy policy of the shipping service provider can be viewed here: https://mailingwork.de/datenschutz/. The shipping service provider is used on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and a data processing agreement pursuant to Art. 28 (3) sentence 1 GDPR.

The shipping service provider may use the data of the recipients in pseudonymous form, i.e. without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of shipping and the presentation of newsletters or for statistical purposes. However, the shipping service provider does not use the data of our newsletter recipients to address them themselves or to pass the data on to third parties.

 

XIII. Rights of the data subjects

When your personal data is processed, you are a data subject in terms of the GDPR and you are entitled to the following rights in the relationship with the controller:

1. Right to information/ access

You have the right to request from the controller a confirmation whether personal data concerning you is processed by us.

If such personal data is processed, you have the right to request from the controller information about the following:

(1) the purposes for which the personal data is processed;

(2) the categories of personal data which are processed;

(3) the recipients or the categories of recipients to whom personal data concerning you has been or will still be disclosed;

(4) the scheduled duration of storage of the personal data concerning you or, where no detailed information can be provided on this point, the criteria for the determination of the duration of storage;

(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of the processing by the controller or a right to object to this processing;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) all information available on the origin of the data where the personal data is not collected from the data subject;

(8) the existence of an automated decision-making procedure including profiling according to Art. 22 subs. 1 and 4 GDPR and – at least in these cases – sound information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you have the right to request information about appropriate safeguards in terms of Art. 46 GDPR provided in connection with the transfer.

2. Right to rectification

You have the right to rectification and/or completion by the controller if the personal data concerning you which is processed is inaccurate or incomplete. The controller is obliged to rectify the data without undue delay.

3. Right to restriction of the processing

You have the right to request restriction of the processing of the personal data concerning you where any of the following applies:

  1. the accuracy of the personal data concerning you is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
  4. you have objected to processing pursuant to Article 21 subs. 1 GDPR pending the verification whether the legitimate grounds of the controller override the grounds you rely on.

Where the processing of your personal data was restricted, your personal data may only be processed, with the exception of storage, with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where the processing was restricted according to the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to erase

You have the right to request from the controller erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  2. you withdraw the consent on which the processing was based according to Article 6 subs. 1 a) or Art. 9 subs. 2 a) GDPR, and there is no other legal ground for the processing;
  3. you object to the processing pursuant to Article 21 subs. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 subs. 2 GDPR;
  4. your personal data has been unlawfully processed;
  5. your personal data has to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
  6. your personal data has been collected in relation to the offer of information society services referred to in Article 8 subs. 1 GDPR.

b) Notification of third parties

Where the controller has made your personal data public and is obliged pursuant to Art. 17 subs. 1 GDPR to erase this personal data, the controller, taking account of available technology and the cost of implementation, is obliged to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, this personal data.

c) Exemptions

The right to erasure does not apply to the extent that the processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Art. 9 subs. 2 h) and i) and Art. 9 subs. 3 GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 subs. 1 GDPR in so far as the right referred to under a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.

5. Right to be notified

When you have asserted your right to rectification, erasure or restriction of processing against the controller, the latter is obliged to communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. 

You have the right to request the controller to inform you of the aforesaid data recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided, where:

  1. the processing is based on consent pursuant to Art. 6 subs. 1 a) GDPR or Art. 9 subs. 2 a) GDPR or on a contract pursuant to Art. 6 subs. 1 b) GDPR, and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The exercise of this right must however not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 subs. 1 e) or f) GDPR, including profiling based on those provisions.

In this case, the controller will no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw your consent given under data protection law

You have the right to withdraw your consent given under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing that has taken place based on this consent until the time of the withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This does not apply if the decision:

(1) is necessary for entering into, or for the performance of, a contract between you and a data controller;

(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Art. 9 subs. 1 GDPR unless Art. 9 subs. 2 a) or g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests have been implemented.

In the cases referred to in subs. (1) and (3), the controller is obliged to implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged is obliged to inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.