Privacy Policy

Here at Hanse Equine Hospital, we look forward to our clients visiting both in person and online. With this in mind, our privacy policy applies to all of our client touchpoints.
The operator of this site takes your personal privacy very seriously. We treat your personal data confidentially and in accordance with all relevant legal data security regulations, as well as this privacy policy.

In the following, we will inform you about:

I. Name and address of the controller
II. Name and address of data protection officer
III. General information on data processing
IV. Data processing operations
V. Data processing on our website
VI. Use of cookies
VII. Contact form, email contact, forms
VIII. Data processing via social media
IX. Data security measures
X. Your rights as a data subject

We would like to point out that any data sent online (e.g. via email) may be vulnerable to gaps in security. It is not possible to completely protect all data from third-party access.

I. NAME AND ADDRESS OF THE CONTROLLER

The controller within the meaning specified in the General Data Protection Regulation (GDPR) and other national data protection laws in member nations, as well as other data protection regulations, is:

Hanseklinik für Pferde
Tierärzte Dres. Körner | Leser | Brandenberger PartG mbB

Karl-Benz-Str. 5-7
27419 Sittensen
hereinafter referred to as ‘Hanse Equine Hospital’
Telephone: +49 (0) 42 82 59 46 34 0
Email: mail@hanseklinik.com

II. NAME AND ADDRESS OF DATA PROTECTION OFFICER

Since 1 September 2020, the controller’s data protection officer has been:

Oliver Zeh
JOWECON GmbH
Hagedornstr. 24
20149 Hamburg
Email: datenschutz@jowecon.de
www.jowecon.de

III. GENERAL INFORMATION ON DATA PROCESSING

1. Purpose and scope of personal data processing
We only collect and use our client’s personal data as necessary to carry out our duties at Hanse Equine Hospital. The collection and use of our client’s personal data is done exclusively on the basis of statutory authorisation, contracts or with the client’s consent.

2. Legal basis for processing personal data
Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6, 1 lit. We also process the data of our clients and interested parties for analysis and marketing purposes.
When processing personal data which is necessary for the performance of a contract to which the data subject is a party, Article 6, 1 lit. (b), of the GDPR serves as the legal basis. This also applies to other processing operations necessary for implementing pre-contractual measures.
Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6, 1 lit. (c), of the GDPR serves as the legal basis.
In the event that the vital interests of the data subject or any other natural person make it necessary to process personal data, Article 6, 1 lit. (d), of the GDPR serves as the legal basis.
If processing is necessary to protect our company’s legitimate interests or those of a third party, and these do not override the interests, fundamental rights and fundamental freedoms of the data subject, then Article 6, 1 lit. (f), of the GDPR serves as a legal basis for processing.

3. Data deletion and storage duration
All of the data subject’s personal data will be deleted or blocked as soon as the purposes for storing it cease to apply. Data may also be stored if stipulated by European or national legislation in European Union regulations, laws or other requirements to which the controller is subject. Data will therefore also be deleted or blocked when the storage duration described in the standards expires, unless it is necessary to continue storing data until a contract is concluded or fulfilled.

4. Data recipients
We use contracted providers for individual processes. This includes hosting, maintenance and support of IT systems, marketing activities and destroying files and data storage media. These service providers only process data under specific instructions and are bound by a contract to ensure they take appropriate technical and organisational measures to protect data. Otherwise, where necessary, we may share our client’s personal data with organisations such as postal and delivery services, our principal banker, tax accountants/auditors or the tax authorities.

5. Processing when exercising your rights in accordance with Articles 15 through 22 of the GDPR
When you exercise your rights according to Articles 15 through 22 of GDPR, we will process any personal data shared with us only for the purposes of implementing these rights and in order to be able to provide proof of this. We will only use stored data for the purposes of preparing and exchanging information or for data protection monitoring purposes, and otherwise restrict processing in accordance with the measures set out in Article 18 of the GDPR.
This processing has its legal basis in Article 6, 1 lit. c), of the GDPR, in conjunction with Articles 15 through 22 of the GDPR and section 34, paragraph paragraph 2, of the German Federal Data Protection Act (BDSG).
We provide more detailed information about your rights at the end of this privacy policy.

IV. DATA PROCESSING OPERATIONS

1. Contractual relationship
Justifying or conducting a contractual relationship with our clients necessitates regular processing of the personal data provided to us relating to master data, contracts and payment details. The legal basis for this processing is Article 6 1 lit. (b), of the GDPR. We also process the data of our clients and interested parties for analysis and marketing purposes. This processing occurs in accordance with Article 6 1 lit. (f), of the GDPR and serves to inform our interests, helps us develop our offers and allows us to give you targeted information about Hanse Equine Hospital. Further data processing may occur if you have given permission (Article 6, paragraph 1(a), of the GDPR), or if it is necessary to comply with legal obligations (Article 6, paragraph 1(c), of the GDPR).

2. Applications
If you apply to our company, we use your application data exclusively for purposes related to your interest in current or future opportunities with us and to process your application. Your application will only be processed and taken note of by relevant contact persons at our company. All staff involved in processing data are obligated to ensure the confidentiality of your data. If we are unable to offer you a position, we will keep the data you have supplied to us for up to six months after rejection for the purposes of answering any questions related to your application and our rejection. This does not apply if legal requirements prevent us from deleting it, continued storage is necessary for evidence purposes or if you have expressly consented to a longer storage period. The legal basis for data processing is § 26 para. 1(1), of the BDSG. Should we store your data for longer than six months after you have explicitly consented to us doing so, we would like to point out that you may withdraw this consent at any time in accordance with Article 7, paragraph 3, of the GDPR. If you do withdraw consent, the legality of any processing that has occurred up to that point is not affected due to prior consent.

3. Data transfer and third-party access
In the course of our duties as a hospital, we rely on external help from IT service providers for the installation and maintenance of our hardware and software or other similar service staff. In the course of these activities, our external service providers may also come into contact with personal data, which is why we oblige our external service providers to maintain discretion and observe data secrecy, as well as limiting their access to personal data to a minimum. Supervisory authorities regularly monitor hospitals and, as a result, also have access to personal data.

V. DATA PROCESSING ON OUR WEBSITE

1. Description and scope of data processing
Every time you access our website, our system automatically collects data and information from the accessing computer.

The following data is collected:
(1) Information about the type of browser and the version used
(2) The user’s operating system
(3) The user’s internet service provider
(4) The user’s IP address (truncated)
(5) Time and date of access
(6) Websites that the user used to get to our website
(7) Whether loading was successful or not
This data is stored in our system’s log files. This data is not stored in conjunction with other personal data of the user. This data is not stored in conjunction with other personal data of the user.

2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6, 1 lit. (f), of the GDPR.

3. Purpose of data processing
It is necessary to temporarily store your IP address in our system in order to enable our website to be displayed on your computer. It also improves security. The user’s IP address must therefore be stored for the duration of the website visit.
This is stored in our log files in order to ensure the functionality of the website. This data helps to optimise our website and ensures the security of our IT systems. This data is not used for marketing purposes.
For these purposes, our legitimate interest in data processing is also covered under Article 6, 1 lit. (f), of the GDPR.

4. Duration of storage
The data is to be deleted as soon as it is no longer necessary for the purposes for which it was stored. In the case of gathering data to publicly disseminate the website, this is when the respective visit has ended.
In the case of storing data in log files, this is 14 days after the visit at the latest. Backup data is deleted after four weeks. Further data storage is possible. In this case, the user’s IP address will be deleted or scrambled, so that it can no longer be assigned to the accessing client.

5. Possibilities to object or withdraw consent
Collecting data for the public dissemination of our website and storing this data in log files are imperative for operating our website. As a result, there is no possibility for the user to withdraw consent.

6. Integrated services and third-party content
We use services and content provided by third parties on our website (hereinafter referred to collectively as ‘content’). For this integration, it is technically necessary to process your IP address, so that the content can be sent to your browser. Your IP address is then shared with the third-party provider. This data processing occurs to help maintain our legitimate interests in optimising the economic operation of our website and is based on Article 6, paragraph 1(f), of the GDPR. You can withdraw consent to this data processing at any time via the settings in your browser, or by using certain browser extensions. Extensions include, for example, the matrix-based firewall uMatrix for the Firefox and Google Chrome browsers. Please be aware that this may lead to functionality restrictions on our website. On our website, the following contents are integrated services provided by third parties:

Services from Google Ireland Limited (Ireland/EU):

  • Google Web Fonts – for displaying fonts
  • Google Maps – for displaying our map in the contact area

Other services:

  • Borlabs Opt-in plug-in – cookie consent plug-in
  • WordPress Multilingual Plugin – translation management so you can choose the display language

VI. USE OF COOKIES

1. Description and scope of data processing

This website uses so-called cookies to some extent. Cookies do not harm your computer and do not contain viruses. Cookies help to make our site more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved in your browser. Cookies are small text files that are stored on your computer and saved in your browser. A cookie contains a unique character string which enables individual identification when you access the website again.

Most of the cookies we use are so-called session cookies. They are automatically deleted at the end of your visit. Other cookies are stored on your computer until you delete them. These cookies enable us to recognise your computer the next time you visit. User data gathered this way is pseudonymised by technical measures. This means that the data can no longer be attributed to the accessing client. This data is not stored together with other personal user data.

We generally differentiate between two types:

Web browser cookies

A web browser cookie is a small text file that is sent from our website to your computer or mobile device, where it is saved by your web browser. Web browser cookies may save information such as your IP address or other identifiers, your type of browser and information about the content you display to digital services and how you interact with these. By saving this information, web browser cookies can save your preferences and settings for online services and analyse how you use these services.

Tracking technologies Web beacons/GIFs, pixels, page tags, script
Emails and mobile apps may contain small, transparent image files or lines of code that tell you how you interact with them. Upon opening our website, the user will see a banner where they are asked for their consent and informed about cookies.

Upon opening our website, the user will see a banner where they are asked for their consent and informed about cookies. It is also mentioned in this privacy policy. There is also a note about this under ‘More information’. You are automatically directed to this page when clicking it. Here, it is explained under section 5 how you can stop cookies being saved in your browser settings.
The Federal Office for Information Securityhas more information on this.

2. Legal basis for data processing
The legal basis for processing personal data when using technically necessary cookies is our legitimate interest according to Article 6, 1 lit. (f), of the GDPR.
The legal basis for processing personal data when using cookies for analysis purposes is based on the consent provided by the user for this purpose in accordance with Article 6, 1 lit. (a), of the GDPR.

3. Purpose of data processing
The purpose of using technically necessary cookies is to make it easier for users to use websites. Some of the features on our website will not work without the use of cookies. It is necessary for these features that we are able to recognise your browser even if you change sites. This applies to:
A) Sessions Management
The user data collected by technically necessary cookies will not be used to create user profiles. It is also not used by analysis cookies.

4. Duration of storage
Cookies are stored on the user’s computer and transmitted to our site. As such, you as the user have full control over the use of cookies. Session cookies are stored for one hour. Please refer to our cookie banner for more details.

5. Possibilities to object or withdraw consent
The user/visitor to the website can deselect every individual cookie, as long as they are not required for the functional operation of our website. Already-stored cookies can be deleted at any time. You can also do this automatically. If cookies are deactivated for our website, you may not be able to fully utilise all functions of the website.

You can also set your browser to inform you about cookies, and only allow cookies in individual cases, have cookies turned on for certain cases or generally exclude them, as well as delete cookies when you close your browser.

VII. CONTACT FORM, EMAIL CONTACT, FORMS

1. Description and scope of data processing

A contact form is available on our website which can be used to contact us electronically. If a user utilises this, the data entered in the form will be shared with us and stored. This data includes:

– Name
– Email address
– telephone number

At the time of sending the message, the following data is also stored:
(1) The user’s IP address
(2) The data and time of registration
In order to process this data, your consent will be requested prior to sending, and you will be directed to this privacy policy.

You can alternatively contact us via the email address provided on the page ‘Forms’. In this case, the user’s personal data associated with the email and any attachments will be stored.
This data will not be shared with third parties. This data is exclusively used to process the respective enquiry.

2. Legal basis for data processing
The legal basis for processing personal data is based on the consent provided by the user for this purpose in accordance with Article 6, 1 lit. (a), of the GDPR.
The legal basis for processing the data that is shared when sending an email is Article 6, 1 lit. (f), of the GDPR. If the purpose of the email is to conclude a contract, the additional legal basis for process applies in accordance with Article 6, 1 lit. (b), of the GDPR.

3. Purpose of data processing
Processing personal data from the entry form is only used to help us respond to your query. In cases of contact via email, this is based on our legitimate interest in processing your data.
Any other personal data processed when the email is sent helps us to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Duration of storage
If you send us a query via our contact form, only the information you supplied on the form is stored for the purposes of answering your query and in the case of any follow-up questions. We will not share this data without your consent.

5. Possibilities to object or withdraw consent
The user has the opportunity to withdraw consent to processing their personal data at any time. If the user has contacted us via email, they can withdraw consent to store their personal data at any time. In such an instance, the conversation cannot be continued.
In this case, all personal data that is stored in the process of making contact with us will be deleted.


VIII. DATA PROCESSING VIA SOCIAL MEDIA

1. General Information
We are represented on several social media platforms with a company page. Through this, we would like to offer further opportunities for information about our company and for exchange. The Hanse Equine Hospital has company sites on the following social media platforms:
• Facebook
• Instagram
• YouTube (Google)

If you visit one of these profiles on a social media platform or interact with these, your personal data may be processed. All information linked to your social media profile constitutes personal data. This also includes messages and statements made while using the profile. In addition, while visiting a social media profile, certain information is often automatically gathered which may also constitute personal data.

We would like to explain this process to you in more detail:
We use social media plug-ins (also called social plug-ins) on our social media platforms to connect with users via these social media platforms. If the data subject is logged in to a social media service while using this platform, this platform usually recognises which other sites the data subject visits every time they open it and for the entirety of their visit. This information is collected by the relevant plug-in and assigned to the specific personal account of the data subject. If the data subject clicks on an integrated button on the social network (Twitter, Facebook, Instagram, etc.), the data and information linked to the data subject’s personal user profile is assigned to the respective social network, and then stored and processed there.

A data subject who does not wish for this to happen can log out of their social media profile before visiting the platform. Most plug-ins usually also share data with their social network in such cases, but this data may not necessarily be assigned to a particular user profile.

1.1 Visiting a Facebook and Instagram social media page

When you visit our Facebook or Instagram page, through which we present our company or individual products from our range, certain information about you is processed.

The sole controller of this processing of personal data is Meta Platforms Ireland Limited (Ireland/EU – “Meta”). Further information on the processing of personal data by Meta can be found at: https://www.facebook.com/privacy/explanation.

Meta offers the possibility to object to certain data processing; information and opt-out options in this regard can be found at: https://www.facebook.com/settings?tab=ads.

Meta provides us with anonymised statistics and insights for our Facebook and Instagram page that help us gain insights into the types of actions people take on our page (known as “page insights”). These page insights are compiled based on certain information about the people who visit our page. This processing of personal data is carried out by Meta and us as joint controllers. This processing serves our legitimate interest in evaluating the activity carried out on our page and improving our site in light of this knowledge. The legal basis for this processing is Article 6 paragraph 1(f), of the GDPR. We cannot match the information provided to us from page insights to individual Facebook profiles that interact with our Facebook page. We have entered into a joint controller agreement with Meta which sets out the allocation of data protection obligations between us and Meta. For details about the processing of personal data to create site insights and the agreement concluded between us and Meta, please visit: https://www.facebook.com/legal/terms/information_about_page_insights_data.

In relation to this data processing, you have the possibility to assert your data subject rights (see “Your rights”) also against Meta. Further information on this can be found in Meta’s privacy policy at: https://www.facebook.com/privacy/explanation.

Please note that according to the meta data protection regulations, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Article 45 of the GDPR or on the basis of appropriate guarantees in accordance with Article 46 of the GDPR.

1.2 YouTube
This concerns the service offered by US company Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’)).

If you visit a site with a certain plug-in, your browser connects to YouTube and loads content from this site. YouTube may keep track of your visit to this website, even if you do not actively use this function of the social plug-in. If you have a YouTube account, you can use the social plug-in and, as a result, can share information with your friends. The Hanse Equine Hospital has no influence on the content of the plugin and the transmission of information.

On their website, Google provides detailed information on the scope, type, purpose and subsequent processing of your data. You can also find more information on your rights and settings options for security and privacy here.

Data protection information from Google:https://www.google.com/intl/de/policies/privacy

2. Further processing of data that you have shared with us via our social media sites

We also process information that you have shared with our company site via our respective social media platforms. This information may be your username, contact details or a message you have sent us. We only process this personal data when we have already explicitly asked for your consent to share it with us. We are the sole controller for this processing. We process this data on the basis of our legitimate interest of getting in contact with the person making the query. The legal basis for processing this data is Article 6, paragraph 1(f), of the GDPR.

We also process data shared with us for analysis and marketing purposes where necessary. This processing occurs in accordance with Article 6, paragraph 1(f), of the GDPR and serves our interest in developing our offers and providing you with targeted information about Hanse Equine Hospital. The underlying promotional purpose is considered a legitimate interest in accordance with the GDPR. Responsibility for operation that conforms with data protection is to be ensured by the respective providers. If you do not want social networks to match the data collected by visiting our website with your profile, you will need to log out of your social network profile before visiting our site, as mentioned above.

Further data processing may occur if you have given permission (Article 6, paragraph 1(a), of the GDPR), or if it is necessary to comply with legal obligations (Article 6, paragraph 1(c), of the GDPR).

IX. DATA SECURITY MEASURES

SSL encryption
This site uses SSL encryption for security reasons and to protect the transfer of confidential information such as queries that you send to us when using our website. You can recognise an encrypted connection, because the address bar changes from ‘https://’ to ‘https://’, and you will notice a lock symbol in the search bar.
When SSL encryption is active, any data you share with us cannot be read by third parties.

Security
We utilise technical and organisational safety measures to protect the data that you send our company from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments. If you have any further questions about your personal data or data protection, please contact the above-mentioned data protection officer.

X. YOUR RIGHTS AS A DATA SUBJECT

If your personal data is processed, you are a data subject as defined by the GDPR, and you may exercise the following rights against the controller:

1. Right to information
You can request confirmation from the controller as to whether personal data relating to you will be processed by us.
If we process this data, you can request the following information from the controller:
(1) The purposes for which the personal data is being processed
(2) The categories of personal data being processed
(3) The recipients or categories of recipients who received or will receive the personal data
(4) The intended storage duration of your personal data or, if this information is not available, criteria for storage durations
(5) The right to correction and deletion of your personal data, the right to restrict processing by the controller or the right to object to this processing
(6) The right to complain to a regulatory authority
(7) All available information about the origin of the data, if the personal data was not provided by the data subject
(8) Whether decision-making is automated, including profiling, according to Article 22, 1 and 4, of the GDPR and – at least in these cases – meaningful information on the logic involved, as well as the potential scope of effects that processing may have on the data subject.

You have the right to request information about whether the personal information was transmitted to a third country or international organisation. In this context, you may also ask to be informed of the appropriate guarantee linked to sharing this information in accordance with Article 46 of the GDPR. linked to sharing this information in accordance with Article 46 of the GDPR.

2. Right to correction
You have to right to request that the controller correct and/or complete information, as far as processed personal data that relates to you is incorrect or incomplete. The controller must immediately make the correction.

3. Right to restrict processing
Under the following conditions, you may request that processing of your personal data be restricted:

(1) You dispute the accuracy of the personal data for a period that enables the controller to check the accuracy of your personal data
(2) The processing is unlawful but you reject to having your personal data deleted, and instead request that the use of your personal data is restricted
(3) The controller no longer needs your personal data for the purposes intended by processing, but still needs them for the establishment, exercise or defence of legal claim
(4) You have filed an objection against the processing in accordance with Article 21, paragraph 1, of the GDPR, but it has not yet been established whether the controller’s legitimate reasons supersede your reasons

If processing of your personal data is restricted, this data may only be processed – excluding storage of the data – with your explicit consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural person or legal entity, or for reasons of significant public interest to the European Union or a member state.

If processing is restricted according to the above-mentioned requirements, you will be informed by the controller before this restriction is lifted.

4. Right to deletion
a) Obligation to deletion
You may request that the controller immediately delete your personal data, and the controller is obligated to immediately delete this data, provided that one of the following reasons applies:

(1) Your personal data is no longer required for the purposes for which it was collected, or must no longer be processed for other reasons.
(2) You revoke your consent that the processing was based on in accordance with Article 6, paragraph 1 lit. (a), or Article 9, 2 lit. a), of the GDPR, and there is no other legal basis for processing.
(3) You have filed an objection to the processing in accordance with Article 21, paragraph 1, of the GDPR, and there are no other justifiable reasons for processing, or you have filed an objection in accordance with Article 21, paragraph 2, of the GDPR.
(4) Your personal data was unlawfully processed.
(5) Deletion of your personal data is required to fulfil a legal obligation according to the laws of the European Union, or the laws of the member states to which the controller is subject.
(6) Your personal data was collected in the course of services provided by the information society in accordance with Article 8, paragraph 1, of the GDPR.

b) Sharing information with third parties
If the controller has made your personal data public and is required to delete it according to Article 17, paragraph 1, of the GDPR, they must take appropriate measures, including taking into account available technology and the cost of implementing appropriate measures, including those of a technical nature, in order to insure that they inform those responsible for data processing that you as the data subject have requested the deletion of all links to your personal data, or of copies or replications of this personal data.

c) Exceptions
The right to deletion does not apply if processing is necessary for any of the following:
(1) Exercising the right to freedom of expression and information
(2) Fulfilling a legal obligation that requires processing under the laws of the European Union or member states to which the controller is subject, or carrying out a task that is in the public interest or is an exercise of public authority that has been transferred to the controller
(3) Reasons in the public interest within the field of public health according to Article 9, 2 lit. (h) and (i), as well as Article 9, paragraph 3, of the GDPR
(4) Archiving purposes in the public interest, scientific or historic research purposes or for statistical purposes according to Article 89, paragraph 1, of the GDPR, as far as the rights mentioned in a) will likely make it impossible to achieve these objectives or will seriously impair them
(5) The establishment, exercise or defence of legal claim

5. Right to information
If you have asserted your right to correction, deletion or restriction of processing vis-à-vis the controller, they are obligated to share this correction, deletion or restriction with all recipients of your personal data, unless this proves to be impossible or is associated with a disproportionate effort. You have the right to be informed about these recipients by the controller.

6. Right to data portability
You have the right to receive any personal data you have shared with a controller in a structured, portable and machine-readable format. You also have the right to have this personal data shared with another controller without obstruction by the controller that collected your data, as long as both of the following apply:
(1) Processing is based on consent according to Article 6, paragraph 1 lit. (a), of the GDPR, or Article 9, 2 lit. (a), of the GDPR, or based on a contract in accordance with Article 6, paragraph 1 lit. (b), of the GDPR
(2) Processing occurs by means of automated processes

In exercising these rights, you have the additional right to request that this personal data be transferred directly from one controller to another controller, as long as this is technically possible. This does not affect the freedoms and rights of others.

The right to data portability does not apply to personal data processing that is necessary to carry out a task that is in the public interest, or is an exercise of public authority that has been transferred to the controller.

7. Right to object
You have the right to enter an objection to the processing of your personal data at any time on grounds that arise as a result of your own personal situation that occur based on Article 6, 1 lit. (e) or (f), of the GDPR; this also applies for profiling that was based on these provisions.

The controller will no longer process your personal data, unless they can prove compelling and legitimate reasons for processing that outweigh your rights and freedoms, or that the processing is necessary for the establishment, exercise or defence of legal claims.

If your data is processed as part of direct advertising, you have the right to enter an objection to the processing of your personal data for the purposes of such advertising at any time; this also applies to profiling, insofar as it is connected to direct advertising.

If you object to processing for the purposes of direct advertising, your data may no longer be processed for this purpose.

In connection with the use of services of the information society – notwithstanding the 2002/58/EC guidelines – you have the possibility of exercising your right to object by using automated procedures that use technical specifications.

8. Right to withdraw a declaration of consent under data protection law
You have the right to withdraw a declaration of consent under data protection law at any time. The lawfulness of any processing carried out prior to the withdrawal of your consent is not affected due to the prior consent given.

9. Automated decisions in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which may legally affect you, or significantly affect you in another way. This does not apply if the decision is one of the following:
(1) Necessary to conclude or fulfil a contract between you and the controller
(2) Permitted due to legislation of the European Union or member states to which the controller is subject, and this legislation contains appropriate measures to safeguard your rights, freedoms and legitimate interests
(3) Made with your explicit consent.

However, these decisions may not be based on certain categories of personal data in accordance with Article 9, paragraph 1, of the GDPR, unless Article 9, 2 lit. (a) or (g), of the GDPR applies, and appropriate measures have been taken to safeguard your rights, freedoms and legitimate interests.

With regard to the cases mentioned in (1) and (3), the controller must take appropriate measures to safeguard your rights, freedoms and legitimate interests, including at least the right to have a person intervene on the part of the controller, to express your point of view and to challenge the decision made.

10. Right to complain to a regulatory authority
Without prejudice to any other administrative or legal action, you have the right to complain to a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged violation, if you believe that processing of your personal data violates the GDPR.
The regulatory authority that you lodge your complaint with is to inform the complainant about the status and results of the complaint, including the possibility of appealing in accordance with Article 78 of the GDPR.

Last revision: 04.02.2022