Data protection

Global data protection regulations (DPR)

Version 3.0 valid from 1.9.2022 until revoked

Thank you for viewing our privacy policy. We, the Utz Group, are the controllers responsible for your personal data regarding the processing operations listed below. In the following, we would therefore like to provide you with detailed information

• how we deal with your personal data (section B),
• which processing operations are involved (from section C), and
• which rights you are generally entitled to as a data subject (section F).

Please note that some of the terms used herein are taken from Regulation (EU) 679/2016 on the protection of natural persons regarding the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the so-called "General Data Protection Regulation", hereinafter abbreviated to "GDPR").
Most of the terms are defined in Section 4 GDPR.

A. Our contact details

Georg Utz Holding AG
Augraben 2-4
5620 Bremgarten
Switzerland
Phone +41 56 648 7711

The Data Protection Officer can also be contacted under
data-protection.de(at)utzgroup.com

B. Basic information on our data processing operations

This section provides basic information on how we handle your personal data. This information applies to all data processing operations carried out by us as the data controllers. Insofar as we are able to provide further details in the context of individually listed data processing operations in section C, we will specify our explanations in the relevant places.

I. Purpose

We only process your personal data for our legitimate purposes. As a rule, we only process data for the provision and supply of our services, including our online offers (e.g., the maintenance of our website).

II. Legal grounds

We process your personal data only if and to the extent that at least one of the following applies:

1. Consent (Art. 6 para. 1 Sentence 1 lit. a GDPR)

In individual cases, we ask you to give your consent in order to process certain personal data for previously defined and communicated purposes in accordance with Art. 6 section 1 s. 1 lit. a GDPR. We always obtain consent electronically and record the content and granting consent. In this case, consent is given by way of an "opt-in" procedure (confirming action by placing a tick in the appropriate box) or, if this is necessary to identify the data subject, by way of a "double-opt-in" procedure (additional confirmation of identity by receipt of an e-mail with a confirmation link which you must click on). We only use a different requesting process when placing cookies on our website (Cookiebot).

If you give your consent, you can withdraw it. Please note the more detailed information on your right of revocation under point F.II.

2. Contract fulfilment (Art. 6 section 1 s. 1 lit. b GDPR)

When carrying out pre-contractual measures or executing a contract with you, we rely on the legal basis of Art. 6 section 1 s. 1 lit. b GDPR. This includes, for example, your contact details, which we need for contract processing and communication.

3. Compliance with a legal obligation (Art. 6 section 1 s. 1 lit. c GDPR)

If we process data in order to comply with a legal obligation (e.g., commercial law or tax obligations), this is legally based on Art. 6 section 1 s. 1 lit. c GDPR.

4. Protection of vital interests (Art. 6 section 1 s. 1 lit. d GDPR)

If vital interests of the data subject or another natural person make processing of personal data necessary, this is legally based on Art. 6 section 1 s. 1 lit. d GDPR.

5. Performance of a task carried out in the public interest or in the exercise of official authority (Art. 6 section 1 s. 1 lit. e GDPR)

For the processing of personal data in the performance of tasks carried out in the public interest or in the exercise of official authority, we rely on Art. 6 section 1 s. 1 lit. e GDPR.

6. Safeguarding legitimate interests (Art. 6 section 1 s. 1 lit. f GDPR)

In accordance with Art. 6 section 1 s. 1 lit. f GDPR, we process personal data if we protect our legitimate interests or those of a third party and these interests override your interests, fundamental rights and freedoms. In these cases, you may have a right to object to the processing. Please note the more detailed information on your right of revocation under point F.I.

III. Data erasure

We erase your personal data as soon as the purpose of processing has been achieved or otherwise ceases to apply, unless storage beyond this is provided for by law, for example pursuant to Art. 17 section 3 GDPR. In order to ensure timely erasure, if necessary, we follow a specially created erasure concept based on the erasure of personal data after the expiry of certain storage and erasure periods, which we divide in accordance with the following criteria:

• We keep accounting records and balance sheets for 10 years (Section 257 para. 1, esp. no. 4, para. 4 CC [Commercial Code], Section 238 para. 1 CC),
• We keep commercial letters, contracts and correspondence within the scope of the initiation and execution of contracts for 6 years in accordance with Section 257 para. 1 no. 2-3, para. 4 CC,
• We keep documents and associated personal data that may lead to claims (for example warranty claims) until the expiry of the relevant limitation period (in accordance with Section 195 of the Federal Code, generally three years),
• In the case of other personal data that do not fall under the aforementioned categories, we erase data immediately after the purpose has been achieved.

IV. Disclosure of personal data to third parties

We only pass on personal data to third parties if we are legally obliged or entitled to do so. This includes the following groups of recipients:

• Our contractual partners who support us in the fulfilment of our (pre-)contractual obligations towards you (e.g., logistics and payment service providers),
• Administrative authorities (e.g., financial or supervisory authorities),
• Courts, and where there is a legitimate interest,
• Web services that assist us in displaying our website, and
• Web tools that support us in the fulfilment of online marketing topics.

If required, we can provide you with a list of the specific recipients of your personal data.

V. Processing of data in so-called third countries

As a matter of principle, your personal data will only be processed in countries within the EU or the European Economic Area that are subject to the scope of the GDPR. To all other, so-called "third countries", we only transfer your personal data if an adequate level of data protection is guaranteed in the respective third country or at the respective recipient in the third country in accordance with Art. 44 et seq. GDPR. This may be the case

• in the event of a so-called "adequacy decision" of the European Commission pursuant to Art. 45 GDPR and
• by establishing appropriate safeguards pursuant to Art. 46 GDPR, such as the use of so-called "EU standard contractual clauses" pursuant to Art. 46 section 2 lit. c or binding internal data protection rules pursuant to Art. 47 GDPR.

If we cannot guarantee an adequate level of data protection when transferring data to a third country, we will only process your personal data if you give us your express consent to do so (Art. 49 section 1 s. 1 lit. a GDPR). In this case, we will inform you of the corresponding risks associated with the transfer to third countries.

C. Data processing when visiting our website

This section provides information about the personal data processing operations that take place when you visit our website.

I. Log files

When you visit our website, the browser you use on your end device automatically sends information to our website server. This information is temporarily stored in a so-called "log file".

1. Captured data

The following information is automatically captured when you visit our website and stored until it is automatically erased:

• The IP address of the requesting computer,
• Information about the type of device (mobile device, desktop computer, etc.), the type of browser and the version used, as well as the operating system of your end device, if applicable,
• The date and time of access to our website,
• Websites that the user's system calls up via our website and movements of the user on our website.

2. Purpose and legal basis

The capture and processing of these "log data" serve the following purposes founded on the following legal basis:

• Provision of our website’s content to the user, which among other things also requires temporary storage of the IP address to enable the user's communication with our website. This data processing – i.e., for the duration of your website visit – is legally based on Art. 6 para. 1 s. 1 lit. b GDPR as well as Art. 96 TKG [Telecommunications Act] and Art. 15 para. 1 TMG [Telemedia Act]. Furthermore, this data processing is based on Art. 6 para. 1 s. 1 lit. f GGDPR (cf. section B.II.6), whereby our legitimate interest follows from the fact that we are able to make the provision of the content possible in the first place.
• Ensuring the smooth connection and comfortable use of our website, evaluation of system security and stability, as well as for other administrative purposes. This is achieved by processing and storing the IP address in the log files beyond the communication process. This is also legally based on Art. 6 para. 1 s. 1 lit. f GDPR (cf. section B.II.6) and our previously mentioned legitimate interest, as well as on Art. 109 TKG.

3. Duration of storage and erasure periods

The data are erased when the purpose for which they were captured no longer applies. In the context of providing our website’s content, the data are therefore generally erased when you leave our pages and the session is therefore ended.
Insofar as the purposes of system security and stability are pursued, log data are stored for a maximum of seven days beyond the end of the session. Beyond these seven days, data are only stored or otherwise processed as to ensure that the IP addresses of the users are erased after the expiry of the aforementioned storage period of seven days or are altered in such a way (e.g., by anonymisation or pseudonymisation) that any allocation of the log data to an IP address and therefore to the user is no longer possible.

4. Possibility of objection and removal

As will be explained under section F.I, you have a right of objection insofar as we rely on legitimate interests. However, as the data processing described above is imperative for the operation of our website, you can only assert your right of objection insofar as your particular situation does not permit processing to the extent described above. As a rule, however, we can prove the compelling necessity of the data processing just mentioned.

5. Data security

During your visit of our website, we use the widespread SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can view whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

II. Cookies

We use cookies on our website. As we have already made you aware of our use of cookies by the placement of a cookie banner, the information provided here is intended to provide more comprehensive and supplementary information.
Cookies are small text files that your browser automatically creates and stores on your end device (PC, laptop, tablet, smartphone, etc.) while you visit our website. Cookies do not contain viruses, Trojans or other malware, but information that enables your browser to be uniquely identified when the same website is called up again. Although we do not obtain any direct knowledge of your identity through the placement of cookies, it may in principle be possible to establish a personal reference to the user, depending on the type of cookie and the possibility of assigning a cookie to an IP address.

We basically distinguish between two types of cookies:

• Necessary cookies help make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. Without these cookies, the website cannot function properly.
• Optional cookies that record and, if necessary, analyse the behaviour of users on our websites and also across website or device boundaries (e.g., across different domains of different providers), store this information in a cookie and, if necessary, make it available for retrieval by web applications.
  • Preference cookies allow a website to remember information that affects the way a website behaves or looks, such as your preferred language or the region you reside in.
  • Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.
  • Marketing cookies are used to follow visitors on websites. The intention is to show advertisements that are relevant to and attractive for the individual user and therefore more valuable to publishers and third-party advertisers.

1. Purpose and legal basis

The use of necessary cookies not only serves to enable the provision of our website and the full use of our offer, but also to make it more pleasant for you. Functions such as language settings, a shopping cart or similar would not be possible without the use of these cookies.

On the other hand, we use optional cookies to statistically record the use of our website and to conduct an analysis of the surfing behaviour of users on our website. This serves to optimise our offer and the quality of our website and its content. The analysis cookies help us to learn how the website is used and therefore to constantly optimise our offer. This enables us to adapt our offer to the wishes of our user group, for example through market research, and to design it in line with requirements. We take technical precautions to in order to pseudonymise the user data captured in this manner. Although we are then no longer able to allocate the data to the accessing user, it may be possible for the companies whose tools we use for the placement of cookies (such as Google) to allocate and identify the user more clearly.

The use of our cookies with regard to the provision of our website and the full use of our offer is legally based on Art. 6 para. 1 p. 1 lit. b GDPR, insofar as this use is mandatory in terms of the fulfilment of the contract or for the implementation of pre-contractual measures (such as a shopping cart function), and Art. 6 para. 1 p. 1 lit. f GDPR, insofar as we pursue functional purposes (appealing design and the like, security interests, etc.).

Insofar as we analyse the surfing behaviour of our users by means of optional cookies and, in doing so, make partial use of third-party software, we invoke your previously granted consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. Of course, we will refrain from this type of data processing if you have not previously given your consent.

2. Duration of storage and erasure periods

Session cookies are only stored by your browser for the duration of your browser session and are erased when you close the browser. Optional cookies remain stored on the terminal device you are using for a longer period of 1 day to 2 years. All validity periods can be viewed on the website under 'Cookie Settings' (https://www.utzgroup.com/de/cookie-einstellungen/).

3. Right of objection and removal

You were informed about the use of cookies and referred to this privacy policy when you accessed our website, whereby you were requested to provide your consent. You can also withdraw your given consent at any time (Section F.II).
As a user, you can also adjust technical settings to decide yourself whether and how your browser uses and stores cookies. You can configure your browser so as not to store cookies on your computer or to always send a message before a new cookie is created. You can delete cookies that have already been created or have them automatically deleted by your browser. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.

III. Google Tools - Analytics

a) Purpose and legal basis

For the purpose of analysis as well as the demand-oriented design and continuous optimisation of our websites and their use, we use the web analysis service "Google Analytics" of the Google company based in Ireland (Google Ireland Limited, Gordon House, Barrow Street Dublin 4; hereinafter referred to as "Google"). Google Analytics uses cookies (see section C.II) that can analyse the use of the website by creating pseudonymous usage profiles of our customers.

This is only activated if you have given the appropriate consent when accessing our website in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. Please note that you are entitled to withdrawal (Section F.II).

b) Data recipients

The information generated by the cookie (e.g., browser type, operating system, IP address, etc.) about your website use may be transmitted to and stored on a Google server in the USA. Your IP address will be shortened and anonymised by Google within the Member States of the European Union or in other contracting states to the Agreement on the European Economic Area before transmission (so-called "IP masking"). Only in exceptional cases will the full IP address be transmitted to and shortened on a Google server in the USA.

Google will use the aforementioned information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage for the purposes of market research and to tailor the website to your needs. If necessary, this information is transferred to third parties if this is required by law or if third parties process these data on our behalf. Google may also merge data from other sources of its own with your data, so that Google can identify you despite IP masking.

Please note, as we communicated when asking for consent, that

• if applicable, data are stored on a server in the USA and that the USA is a third country (Section B.V),
• inter alia, investigative authorities of the USA may obtain access to these data under certain circumstances without any possibility of influence on our part or on the part of Google, and
• it can therefore not be fully guaranteed that your data are fully subject to the level of data protection under GDPR and therefore you can no longer exercise full control over your data.

If you have nevertheless given your consent, your consent explicitly refers to the fact that you are aware of and accept these risks.

c) Right of objection and removal

We only activate the Google Analytics function if you have given your appropriate consent when accessing our website. As Google Analytics works with cookies, the explanations under the previous point C.II also apply. Please pay particular attention to your right of withdrawing your consent (see further details in Section F.II).

You can also prevent Google Analytics from capturing data by either downloading and installing a browser add-on or setting an opt-out cookie at the following Internet address: tools.google.com/dlpage/gaoptout. Setting an opt-out cookie will prevent the future capture of your data by Google Analytics when you visit this website. However, if you delete your cookies in the future, this will result in the opt-out cookie also being deleted and you may have to reactivate it.

d) Joint controllers

Finally, we would like to point out that we are jointly responsible with Google for overall data processing (Art. 26 GDPR). Data capture on the website is first carried out by us; the website then transmits the captured data to Google through the respective tool. Once the data have been transmitted, Google is again solely responsible for further processing.
We have entered into an agreement with Google under which you can exercise your data protection rights in accordance with this processing series both against us and against Google. If the assertion of your rights relates to a data processing operation that is within the area of responsibility of the other joint controller, we will forward your request accordingly so that your rights are safeguarded.

IV. Email contact

If you contact us via the email address provided on our website, we will store your email address and any other data you (voluntarily) provide. Data are only passed on to third parties if this is necessary to process your request (e.g., HubSpot).

1. Purpose and legal basis

We process the aforementioned data for the purpose of handling your request. Other data are only processed for technical or security reasons (for example, prevention of misuse and ensuring our system security). This is legally based on Art. 6 para. 1 p. 1 lit. b GDPR (fulfilment of a contract or pre-contractual measures) and with regard to the latter purpose, Art. 6 para. 1 p. 1 lit. f GDPR, as we have a legitimate interest in the integrity of our website.

2. Duration of storage and erasure periods

All of the aforementioned data will be erased as soon as we have processed your request and further clarification is no longer necessary. Erasure shall take place subject to any obligations and rights pursuant to Section B.III.

3. Possibility of objection and removal

Once you have contacted us, you can withdraw your request and object to further processing of your data at any time. In addition, you may have the right to object in accordance with Art. 21 GDPR (cf. Section F.I.1).

V. Social Media

1. Use of social media plugins

We currently refrain from using any social plugins, such as those from Facebook, Twitter, Pinterest, etc. On our website, we only offer you the option of establishing a direct connection with our social media channels. This means that no personal data are passed on.

2. Transfer and allocation

If you are already logged in to one of these services, the providers can allocate your click from our website to your profile on Facebook, Twitter or Instagram. If you do not want these services to be able to make this allocation, you must log out of the corresponding service before visiting our website or clicking on our social media icon.

3. Possibility of objection and removal

By expressly accepting these DPR as part of the electronic order process or by validly applying the DPR after delivery in paper form to you as the ordering party, you acknowledge the use, purpose and operation of these tools and expressly agree to the use of such tools.

VI. Links to other websites

1. Exclusion of liability

Insofar as we refer or link from our websites to the websites of third parties, we cannot assume any guarantee or liability for the correctness or completeness of the contents and the data security of these websites. As a rule, such references or links are displayed by framing to ensure you can immediately recognise that you are no longer on our B2B platform.

2. Separate provisions under data protection law

Since we have no influence on the compliance of data protection regulations by these third parties, you should separately check and accept the respective data protection declarations offered by these third parties, in particular with regard to the use of cookies and other collection programmes for marketing measures.

D. Webshop

1. Use of our webshops

In order to use the ordering function of our webshop, we need data to carry out the ordering process. Mandatory data are marked as such, further information is voluntary. We process the data you provide to process your order. In addition, you can use the payment method of your choice, which also requires data entry. This is legally based on Art. 6 para. 1 s. 1 lit. b GDPR.

2. Storage

As already communicated above, we are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, we will restrict processing after approximately three years, i.e., after the expiry of any warranty and other rights. Your data will then only be used to comply with legal obligations.

E. Contracts

If you are our contractual partner, we have provided the essential information regarding our data processing of your personal data as a controller in our GTC. Please note that in this context we also apply our General Information under section B for data processing in contracts. The following information is therefore only provided as a supplement to our General Terms and Conditions and to our General Information under Section B. If you have any further questions, please contact us using the contact details provided in Section B.I.1 or B.I.2.

I. Purpose and legal basis

The purpose of capturing the personal data obtained in the course of concluding and executing the contract is to enable us to fulfil our obligations under the contract. For example, we need your contact details to provide you with our services. This is legally based on Art. 6 para. 1 s. 1 lit. b GDPR. Data will only be passed on to third parties under the conditions set out in Sections B.IV and B.V. Categories of recipients in our contracts include payment service providers and logistics service providers. Failure to provide the data on your part may result in the contract not being concluded and/or executed.

Furthermore, we use the data to serve you as a customer and for statistical market and opinion research purposes. This is necessary to continuously improve our products and services and to adapt them to the needs of our customers. We only engage in direct advertising with your prior consent or if there is another corresponding legality under the Union law of the Member States.

The aforementioned data processing in the case of consent given is legally based on Section 6 para. 1 s. 1 lit. a GDPR, insofar as this is necessary for the fulfilment of the contract and the implementation of pre-contractual measures, Section 6 para. 1 s. 1 lit. b GDPR, in all other aforementioned cases Section 6 para. 1 s. 1 lit. f GDPR (safeguarding of legitimate interests), whereby our legitimate interest is the marketing and continuous improvement of our products and services and their adaptation to the needs of our clients.

II. Duration of storage and erasure periods

As a matter of principle, we only store personal data as long as this serves a legitimate purpose. If the purpose of processing no longer applies, we have taken technical and organisational measures to ensure that personal data are deleted or made unidentifiable or that processing is restricted.
We will only store data after the purpose of processing has ceased to apply if this is provided for by the European or national legislator in Union regulations, laws or other provisions to which our company is subject. Such cases may include the existence of legitimate interests in storage, such as during the course of limitation periods for the purpose of legal defence against any claims or, for example, the fulfilment of statutory retention obligations. If any further storage described above is no longer covered by the aforementioned standards, we will immediately erase the data or restrict their processing, unless any further storage of the data is necessary for the conclusion of a contract or for other purposes.

III. Possibility of objection and removal

In particular, you have the right to revoke your consent against the collection and further processing of data on the basis of consent (cf. Section F.II). Data processing necessary for the performance of the contract or the implementation of pre-contractual measures is not subject to any right of objection; however, you may object to data processing on the grounds of legitimate interest under the conditions set out in Section F.I.1.
With regard to our direct advertising, we refer to your right of revocation (in the case of granted consent) pursuant to Section F.II and to your right of objection pursuant to Section F.I.2.
Apart from that, you are entitled to data subject rights already mentioned under Section F.

F. Your rights as a data subject

If you are affected by our processing of your personal data, you may have the following rights:

I. Right to object (Art. 21 GDPR)

Regarding data processing for specific purposes, you have the right to object in accordance with Section 21 GDPR. For any objection, please contact us or our data protection officer at the contact details provided. You will not incur any additional costs other than the transmission costs in accordance with the base rates of your telecommunications provider. A right of objection exists in the following cases:

1. Processing for legitimate interest (Art. 6 para. 1 s. 1 lit. f, 21 para. 1 GDPR):

If personal data are processed for the purpose of safeguarding legitimate interests (Section 6 para. 1 s. 1 lit. f GDPR), you may object to the processing of your personal data at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims.

2. Processing for direct marketing purposes (Art. 21 para. 2 GDPR, Section 7 para. 3 UWG [Unfair Competition Act]):

To the extent that we process data for direct marketing and/or related profiling purposes, you may object at any time to the processing of your personal data for such marketing and/or profiling purposes. If you object, we will refrain from any further processing of your data for direct marketing and/or profiling purposes.

3. Processing for the performance of a task carried out in the public interest or in the exercise of official authority (Section 6 para. 1 s. 1 lit. e, 21 para. 1 GDPR):

If personal data are processed for the performance of tasks in the public interest or for the exercise of official authority (Section 6 para. 1 s. 1 lit. e GDPR), you may object to the processing of your personal data at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims.

4. Processing for scientific or historical research purposes or for statistical purposes (Art. 21 para. 6 GDPR):

If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Section 89 para. 1 GDPR, you have the right to object, on grounds relating to your particular situation, to the processing of your personal data, unless the processing is necessary for the performance of a task carried out in the public interest.

II. Right of withdrawal after consenting (Section 7 para. 3 GDPR)

You can withdraw your consent once given at any time with effect for the future – in full or in part – without incurring any costs by contacting us using our contact details. The lawfulness of the processing of the data covered by the consent on the basis of the consent until withdrawal remains unaffected by the withdrawal.

III. Right of access (Art. 15 GDPR)

You have the right to request information about your personal data processed by us. This right of access comprises

• the purposes of the processing;
• the categories of personal data concerned processed by us;
• the categories of recipient to whom your personal data have been or will be disclosed;
• in the event of a transfer of personal data to so-called "third countries" (cf. Section B.V) outside the scope of the GDPR, whether and in what way we ensure an adequate level of protection by means of appropriate safeguards (Sections 45, 46 GDPR) at the data recipient in the third country;
• the planned storage period, insofar as we can assess this; if an assessment and indication of the storage period are not yet conclusively possible, we will at least provide information on the criteria for determining the storage period (e.g., periods of limitation, statutory retention periods, cf. also Section B.III);
• your right to rectification, erasure, restriction of processing and to object to the processing of your personal data (details below);
• the existence of a right of appeal to a supervisory authority;
• the origin of the data if they were not captured by us; and
• the existence of an automated decision in individual cases pursuant to Section 22 GDPR, including profiling, which also includes details of the decision-making criteria (i.e., the logic used) of the automated decision and the effects and consequences for the data subject.

You have the right to request a copy of your personal data processed by us. In this case, you will not incur any costs for the first data copy, but we will charge a reasonable fee for further data copies. If you exercise this right, we will generally provide the data copy in electronic form, unless otherwise specified. This provision is subject to the rights and freedoms of other persons who may be affected by the transmission of the data copy.

IV. Right to rectification (Art. 16 GDPR)

You have the right to ask us for the immediate rectification of your inaccurate data. Likewise, you may request that we complete your incomplete personal data by means of supplementary declarations or notifications from you.

V. Right to erasure (Art. 17 GDPR)

You have the right to ask us for the immediate erasure of your personal data stored with us, to the extent that

• you have revoked your consent (cf. B.II.1) to the data processing, unless the data processing is based on other legalities;
• the storage or other processing of your personal data is no longer necessary for the purposes for which they were captured and processed;
• you have objected to data processing pursuant to Section 21 GDPR and there are no overriding legitimate grounds for further processing; in the case of direct marketing pursuant to Section 21 para. 2 GDPR, erasure will take place unconditionally on the basis of objection;
• your personal data have been processed unlawfully;
• it concerns data of a child captured in relation to information society services pursuant to Section 8 para. 1 GDPR.

If we have made personal data public, we will also inform other controllers of your request for erasure, including the deletion of links, copies and/or replications, to the extent technically possible and reasonable.
The aforementioned rights to erasure of your personal data do not exist insofar as the processing is required

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
• for reasons of public interest in public health pursuant to Section 9 para. 2 lit. h and i GDPR and Section 9 para. 3 GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Section 89 para. 1 GDPR, insofar as your right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
• for the assertion, exercise or defence of legal claims.

VI. Right to restriction of processing (Art. 18 GDPR)

You have the right to request us to restrict the processing of your personal data (i.e., to limit the processing to mere storage) if one of the following cases applies:

• You have contested the accuracy of your personal data. For the duration of our revision for accuracy, you can request that your data not be used for other purposes and be restricted in this respect.
• The processing is unlawful and you oppose the erasure of your personal data (Art. 17 para. 1 s. 1 lit. d GDPR) and request the restriction of their use instead (Art. 18 GDPR).
• We no longer need the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims. In this case, you can request the restriction of processing to the aforementioned purposes.
• You have objected to the processing in accordance with Article 21 para. 1 GDPR. As long as it has not yet been determined whether our legitimate interests or reasons for processing outweigh yours, you can request that we only process your data to verify the aforementioned determination.

If we have restricted the processing of your personal data at your request, we may and will only process such data – apart from their storage – with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
f a processing restriction is lifted, you will be informed of this in advance.

VII. Right to data portability (Art. 20 GDPR)

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transfer these data to another controller without hindrance from us, provided that

• the processing is based on consent pursuant to Section 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Section 6 para. 1 s. 1 lit. b GDPR and
• the processing is carried out with the aid of automated procedures.

Where technically feasible, you may also request us to transfer your personal data directly to another controller.
The exercise of the right to data portability does not affect the right to data erasure (Section 17 GDPR). However, the right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

You cannot exercise the right to data portability if it affects the rights and freedoms of other individuals.

VIII. Right to lodge a complaint (Art. 77 GDPR)

We always process personal data in accordance with the law. If you nevertheless have reason to believe that we have violated applicable data protection law, you may at any time contact the competent supervisory authority of the Union or the Member States and lodge a complaint. Competence lies with the supervisory authority of your usual place of residence, your place of work or the place of the alleged infringement.

Download DPR 01.09.2022