FORGOT YOUR DETAILS?

Privacy policy.

Here you will find our Data Protection Notes as they are applied within a client relationship.

Data protection statement

Protecting your privacy is an important matter for us. As a visitor of our website, you communicate your personal data to us, which we process according to the provisions of the EU General Data Protection Regulation (GDPR [German: DS-GVO]), applicable as of May 25, 2018, the statutory data protection provisions of the Federal Data Protection Act (BDSG), also applicable as of May 25, 2018, as well as the Telemedia Act (TMG). All data will of course be handled confidentially.

With the following data protection information, we wish to clarify for you in detail which data is collected, processed, and utilized when our website is used, and for which purposes.

  1. Contact data of the controller and the data protection officer

1.1. Controller name and address

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions (Art. 4 par. 7 GDPR) is:

Sonntag & Partner Partnerschaftsgesellschaft mit beschränkter Berufshaftung
Schertlinstraße 23, 86159 Augsburg Germany
Tel.: (+49) 821 57058 0

E-Mail: datenschutz@sonntag-partner.de

1.2. Data protection officer name and address

The controller's data protection officer is:

DATEV eG
Mr. Bernd Bosch

IT Strategy, Data Protection & Corporate Market | BA723
Sigmundstraße 172, 90329 Nuremberg
Germany

E-Mail: bernd.bosch@datev.de

  1. General information about the collection of personal data

2.1. Policy

This data protection statement applies for all clients, interested parties, employees, and other contracting parties, and all other natural persons who visit our website.

2.2. Policies with regard to the scope of processing personal data

We share the philosophy underlying the GDPR and the Federal Data Protection Act to the effect that collecting and processing personal data (“data”) must be limited as far as possible. Therefore, we only process personal data insofar as necessary for clearly defined purposes, which will be presented to you below (principles of data avoidance and data economy). To this end, data processing is only permissible to the extent it is supported by a sufficient legal basis or your consent (principle of lawfulness).

This means specifically that we generally only process your personal data insofar as is necessary to provide a functional website, and our content and services. Processing personal data is only routinely carried out according to your consent. An exception applies in those cases in which it is not possible to obtain consent in advance for practical reasons and processing the data is permitted by statutory provisions.

Insofar as not otherwise stated in the following, the terms “process” and “processing” also specifically include the collection, use, disclosure, and transmission of personal data (see on this Art. 4 No. 2 GDPR).

2.3. The general legal basis for processing personal data

2.3.1. General legal basis

In principle, processing personal data is prohibited as a matter of principle, and only permitted as an exception. The permissibility of data processing can only follow from the fact that the data processing can be supported by a suitable legal basis. Considered as such are exclusively:

Insofar as we have obtained consent from the data subject for the processing operations, Art. 6 par. 1 lit. a GDPR serves as the legal basis;
When processing personal data is necessary for performing a contract for which the data subject is a contractual party, Art. 6 par. 1 lit. b GDPR serves as the legal basis; This also applies for processing operations that are necessary to perform pre-contractual measures.
To the extent that processing personal data is required for fulfilling a legal obligation to which we are subject, Art. 6 par. 1 lit. c GDPR serves as the legal basis;
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 par. 1 lit. d GDPR serves as the legal basis;
Insofar as the processing is required for the performance of a task in the public interest or in the exercise of official authority conferred on us, Art. 6 par. 1 lit. GDPR serves as the legal basis for the processing;
If the processing is necessary for safeguarding the legitimate interests of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 par. 1 lit. f GDPR serves as the legal basis for the processing.

2.3.2. Special legal bases for processing special categories of personal data according to Art. 9 GDPR.

It is prohibited to process personal data from which emerges racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as processing genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation.

By way of exception, our processing of these special categories of personal data can also be authorized to the extent that there is a suitable legal basis for this. Considered as such are in particular:

Insofar as the data subject has explicitly consented to processing the special categories of special data for one or more specified purposes, this is the legal basis for the processing (Art. 9 par. 2 lit. a GDPR; This does not apply to the extent that under Union or Member State law, the prohibition on processing special categories of personal data may not be suspended.
In the event that the data subject has apparently publicly disclosed the data, Art. 9 par. 2 lit. e GDPR is the legal basis for the processing;
Insofar as the processing is necessary for the assertion, exercise, or defense of legal claims, the processing is permissible according to Art. 9 par. 2 lit. f GDPR;
Processing the data is permissible to the extent that this is based on Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to have data protected, and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject, on grounds necessitated by a substantial public interest; cf. Art. 9 par. 2 lit. g GDPR.

2.4. Objection to, and revocation of consent to process your data

If you have granted your consent for processing your data, you may revoke this at any time. Such a revocation influences the permissibility of processing your personal data after you have stated  this revocation towards us.

Insofar as we rely on a weighing of interests for processing your personal data, you may object to this processing. This is the case if the processing is, in particular, not necessary for performing a contract with you, which we illustrate in the description of the functions set out below, respectively. When exercising such an objection, we request that you present the reasons for why we should not process your personal data as performed by us. In the event of a founded objection, we will evaluate the situation and either discontinue or adapt the data processing, or demonstrate to you our compulsory reasons worthy of protection on the basis of which we continue with the processing. You can of course object at any time to the processing of your personal data for purposes of advertising and data analysis.

2.5. Data erasure and storage period

Your personal data will be erased or its access restricted by us as soon as there is no longer a purpose for the storage; in this regard, restricting access means eliminating every connection of the data to you. In addition, storage can take place if this is provided for by European or national legislatures in regulations, statutes, or other provisions to which the controller is subject. A restriction of access or erasure of the data is also carried out then if a prescribed storage period mentioned in the standards expires, unless the necessity of continued storage of the data exists for concluding or performing a contract.

  1. Purposes and legal bases for processing your personal data and additional information for specific data processing

3.1. Visiting our website

3.1.1. Description and scope of our data processing

With every retrieval of our website, our system automatically gathers data and information from computer systems of the retrieving computer (personal data that your browser transmits to our server). This is also in effect if you do not register or otherwise transmit information to us. In this connection, the following data will be gathered:

IP address of the user
Date and time of the inquiry and/or access
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page) · access status/HTTP status code
Data quantity transferred in each case
Website from which the request comes (from which the user's system reaches our website)
Website that is retrieved by the user's system via our website
Information about the browser type and the version used
Operating system and its user interface
Language and version of the browser software

The data will be stored in the log files of our system. There will be no storage of this data together with other personal data of the user.

3.1.2. Purposes of the data processing

The temporary storage of the data mentioned, in particular, the IP address by the system, is necessary in order to allow for delivery of the website to the user's computer. For this purpose, the user’s IP address must remain stored for the duration of the session. This also serves the purposes of analyzing and furthermore ensuring system security, integrity, and stability, and additional administrative purposes.

The storage in log files is done in order to ensure the functionality of the website. In addition, the data aids us in optimizing the website and ensuring the security of our information technology systems. In this context, no analysis of the data for marketing purposes is carried out.

3.1.3. Legal bases for data processing

The legal basis for the temporary storage of data is Art. 6 par. 1 lit. f GDPR. Our legitimate interest follows from the above-listed purposes for data collection. In no event do we use the data gathered for the purpose of drawing conclusions about you as a person.

3.1.4. Duration of the storage

The data will be deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of collecting the data for making the website available, this is the case when the respective session ends.

In the case of storing the data in log files, this is the case after no later than seven days. Storage beyond this point is possible. In this case, the user's IP addresses will be altered (the last or both of the last octets of the IP address will be set to zero or deleted), so that an attribution to the retrieving client is no longer possible.

3.1.5. Objection and deletion option

The collection of data for making the website available and the storage of data in log files is absolutely necessary for operating the website. Consequently, the user does not have an option to object.

3.2. Use of session cookies

3.2.1. Description and scope of our data processing

Our website uses so-called session cookies (also called transient cookies). Cookies are text files that are stored on the Internet browser, or by the Internet browser on the user's computer system. If a user retrieves a website, a cookie can be stored in the user’s operating system. This cookie contains a distinctive character string that allows for an unambiguous identification of the browser when the website is once again retrieved. Some elements of our website necessitate that the retrieving browser can also be identified after a transition from one page to another, which requires the use of transient cookies (session cookies). These store a so-called session ID with which various queries of your browser can be attributed to a common session. In this way, your computer can be recognized again when you come back to our website. We use cookies in order to configure our website in a more user-friendly manner, since some elements of our website require that the retrieving browser can also be identified again after a transition from one page to another. The session cookies will be deleted when you log out of close the browser.

3.2.2. Purposes of the data processing

The purpose of using technologically-required transient cookies is in part to enable the user's use of the website in the first place, and to simplify this use. Some of the functions of our website cannot be offered without the use of cookies. For these it is necessary that the browser can also be identified again after a change from one page to another. This applies, for example, for accepting language settings, or recognizing input and search terms. The user data collected by means of technologically-required cookies are not used to create a user profile.

3.2.3. Legal bases for data processing

The legal basis for the temporary storage of data is Art. 6 par. 1 lit. f GDPR. Our legitimate interest follows from the above-listed purposes for data collection. In no event do we use the data gathered for the purpose of drawing conclusions about you as a person. The legal basis for processing personal data and using cookies for analysis purposes is Art. 6 par. 1 lit. a GDPR, where the user’s consent in this regard is provided.

3.2.4. Duration of the storage; objection and deletion option

Cookies are stored on the user's computer and the transmission is made from there to our site. Therefore, as the user, you have full control over the use of cookies. You can deactivate or limit the transfer of cookies by changing the settings in your Internet browser. Already stored cookies can be deleted at any time. This can also take place automatically. If cookies for our website are deactivated, it is possible that the features of our website can no longer be fully used.

3.3. Online applications

3.3.1. Description and scope of our data processing

On our website we offer you the possibility of submitting an online application. By providing your data on our career page www.sonntag-partner.de/de/karriere/,  you are expressing your interest in starting an employment relationship with us.

The website offers you the option of entering your personal basic data (form of address, name, addresses and contact information) into an entry form in order to transmit this data to us. In so doing, it is only your first and last name and email address that is required so that we may contact you.

Furthermore, you can upload your files to our server that contain your application, and hence, personal data. Within the framework of the application process, it is obligatory that you upload an application letter. In addition, you will have the option to transmit additional files to us, such as a resume or certificates. In this respect, you determine the scope of the personal data that we process. This applies in particular for transmitting an application photo to us, which is done on a purely voluntary basis and only according to your express consent. Your data will be collected without modification in our applicant management system Persis.

Your data will be used exclusively within our company to fill an appropriate position and forwarded directly to the responsible decision-making parties. Your data is protected against unauthorized access during the transmission phase. The applicant management system in which your data is stored is secured against access so that only selected employees authorized for this purpose from the relevant personnel areas and departments have access to your data and/or can process the data. Our employees are obligated to maintain confidentiality and compliance with data protection according to the relevant statutory provisions.

By enabling your profile, you are stating your consent that you may be contacted within the context of the application process. This can be done via email, regular mail and also by telephone, insofar as you have made the necessary data available. If you do not agree with this, you may block your profile at any time, or have it deleted completely from our system. With a block or deletion of the data, accessing and using your data is no longer possible. Your data will be used exclusively for the recruitment process.

3.3.2. Purposes of the data processing

The data requested from you exclusively serves the purpose of searching for positions and filling vacancies.

3.3.3. Legal bases for data processing

The legal basis for processing your application is, for one thing, conducting a pre-contractual step that is done upon your request, since the application serves to create the basis of an employment relationship, Art. 6 par. 1 lit. b GDPR in conjunction with § 26 BDSG. Processing personal data that you provide is required for concluding a contract (forming the basis of an employment relationship). It is essential that you make your personal data available to us so that we can evaluate a decision about your application concerning our available job opportunities. If you do not make your personal data available to us for processing and storing, no contract can be concluded.

Moreover, and more particularly, insofar as processing special categories of personal data is involved (particularly data concerning your religion or philosophical beliefs, your sexual orientation, your ethnic origin, health data, etc., with respect to which you voluntarily provide information or that may be deduced, for instance, from a transmitted photograph (job application photo)), the legal basis for processing this data is your express consent according to Art. 6 par. 1 lit. a in conjunction with Art. 9 par. 2 lit. a GDPR, which you can submit within the context of your online application. We wish to note that if you do not submit the relevant consent, it may not be possible to process your application, or not without further consultation with you.

3.3.4. Duration of the storage

The data you submit will be processed for the duration of the respective application procedure until the position is filled. When the processing of your personal data for the application procedure is no longer necessary, this data will be deleted after a period of six months. This time period follows from the fact that we must be able to defend ourselves against legal claims that you could possibly assert against us under the General Equal Opportunities Act, insofar as we reject your application; in this respect, the legal basis is Art. 6 par. 1 lit. f GDPR, in which case our legitimate interests follow from these purposes as described.

Furthermore, if upon our request you consent to our storing your application data in our applicant pool in order to enable your consideration for positions at a later point in time, your data will be deleted after the expiration of two years; the legal basis for storing the data until this point in time is your consent under Art. 6 par. 1 lit. a, where applicable, in conjunction with Art. 9 par. 2 lit. a GDPR.

3.3.5. Objection and deletion option

You are at all times authorized to revoke the consent for using your personal data and to demand the erasure of your data. You can state your revocation and/or request for erasure via e-mail sent to bewerbung@sonntag-partner.de, or by means of a message to the point of contact set out under item 1.1.

If the data is required to perform a contract or carry out pre-contractual steps, a premature erasure of the data is only possible insofar as this is not in conflict with contractual or statutory obligations with regard to erasure.

3.4. Use of analysis tools, Web Fonts and Captcha services

3.4.1. Use of Google Analytics

This website uses Google Analytics, a website analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, which are text files that are stored on your computer and allow for an analysis of your use of the website. The information generated by the cookie about your use of this website are generally transmitted to, and stored in a Google server in the U.S. However, in the event of activating IP anonymization on this website, your IP address will be shortened by Google within the member states of the European Union or in other contracting parties to the Agreement on the European Economic Area. Only in exceptional cases will a full IP address be transferred to a Google server in the United States and shortened there. Google will use this information on behalf of the operator of this website in order to analyze your use of the website, to compile reports about website activities, and to provide additional services associated with website use and Internet use to the website operator.

The IP address transmitted within the context of Google Analytics from your browser will not be merged with other data of Google.

You can prevent the storage of cookies by means of an appropriate setting in your browser software; however, we wish to note that in this case it is possible that you will no longer be able to fully use all of the features of this website. In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to the browser add-on, you can also prevent the collection by Google analytics for browsers on mobile terminal devices by clicking on this link. An opt-out cookie will be set that prevents the future collection of your data when visiting this website. The opt-out is only applicable in this browser and only for our website and will be stored on your device. If you delete the cookies in this browser, you must once again set the opt-out cookie.

This website uses Google Analytics with the extension “_anonymizeIp()”. In this way, IP addresses are processed further in a shortened form; consequently, a reference to any person can be excluded. If there is a reference to your person by way of the data collected about you, this will be immediately excluded and as a result, the personal data promptly deleted.

We use Google Analytics in order to analyze and routinely improve the use of our website. By way of the statistics obtained, we can improve our offering and develop it so as to be more interesting for the user.

For the exceptional cases in which personal data is transferred to the U.S., Google is submitting to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for using Google Analytics is Art. 6 par. 1 sentence 1 lit. f GDPR, to the extent personal data is processed by this means.

Information on the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001; Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.

Terms of use: http://www.google.com/analytics/terms/de.html, overview on data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, and the data protection statement: http://www.google.de/intl/de/policies/privacy.

You can find additional information on data protection in connection with Google Analytics in Google Analytics “Help” (https://support.google.com/analytics/answer/6004245?hl=de).

3.4.2. Use of Google Web Fonts

For the uniform presentation of fonts, this website uses so-called Web Fonts that are provided by Google. When retrieving a page, your browser loads the necessary Web Fonts in your browser cachet in order to correctly show text and fonts.

For this purpose, the browser you use must establish a connection to the servers of Google. In this way, Google becomes aware that our website was retrieved via your IP address. The use of Google Web Fonts  is done in the interest of the uniform and attractive presentation of our online offerings. This represents a legitimate interest within the meaning of Art. 6 par. 1 lit. f GDPR.

If your browser does not support Web Fonts, your computer will use a standard font.

In those cases in which your personal data is transferred into the U.S., Google is submitting to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Information on the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001; Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.

You may find additional information on Google Web Fonts under https://developers.google.com/fonts/faq and in the Google data protection statement: https://www.google.com/policies/privacy/.

3.4.3. Use of Google reCaptcha

We use “Google reCAPTCHA” (hereinafter, “reCAPTCHA”) in our websites. With reCAPTCHA, there is verification as to whether the data entry on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor accesses the website. For this analysis, reCAPTCHA analyzes various information (e.g. IP address, access duration for the website visitor on the website or the movements of the mouse made by the user). The data collected in the analysis is forwarded on to Google. The reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place. The processing is done on the basis of Art. 6 par. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive, automated spying and from SPAM.

Individual parts of your personal data will be transferred to the U.S. for the relevant analyses. For this purpose, Google is submitting to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Information on the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001; Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.

You may obtain additional information on Google reCAPTCHA and the Google data protection statement at the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

3.5. Integration of Google Maps

This website uses the map service Google Maps via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.

To use the features of Google Maps, it is necessary to store your IP address. This information is generally transferred to a server of Google in the United States and stored there. The provider of this website does not have any influence on this data transfer.

The use of Google Maps is done in the interest of providing an attractive presentation of our online offering and ease of retrieving the locations listed on our website. This represents a legitimate interest within the meaning of Art. 6 par. 1 lit. f GDPR.

You may find additional information on the handling of user data in the data protection statement of Google: https://www.google.de/intl/de/policies/privacy/

In those cases in which your personal data is transferred into the U.S., Google is submitting to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

3.6.1. Description and scope of our data processing

Various options are provided on our websites to make contact with us or our consultants, employees, and responsible departments, in particular, e-mail addresses. In the event you make contact via e-mail, we will store and further process your personal data transmitted with the e-mail, in particular, in order to process your inquiry or the reason for your contacting us. There will be no transfer of the data to third parties. The data will be used exclusively for processing the conversation.

3.6.2. Legal bases for data processing

The legal basis for processing your data when sending an e-mail to us is Art. 6 par. 1 sentence 1 lit. a and lit. f GDPR. The processing is done on the basis of an impliedly provided consent and on the basis of our legitimate interests. If the aim of the e-mail contact is concluding a contract for services, an additional legal basis for the processing is Art. 6 par. 1 sentence 1 lit. b GDPR; in this respect, we make reference to our data protection provisions for client relationships, which you may likewise retrieve from our website.

3.6.3. Purposes of the data processing

The processing of the personal data from the e-mail sent to us serves only to handle your communication with us. This is considered to be, in particular, the required, legitimate interest for our processing your data. The other personal data processed during the sending process serve to prevent misuse of the contact form and the security of our information technology systems.

3.6.4. Duration of the storage

We will delete your data as soon as we no longer require it for achieving the purposes described. For the personal data sent via e-mail this is the case when the respective conversation with you is completed. The conversation is generally completed then if one may gather from the circumstances that the reason for your making contact with us is conclusively resolved.

3.6.5. Objection and deletion option

You have the option at all times to revoke your consent for processing the personal data. If you contact us via e-mail, you can object to the storage of your personal data at any time. However, in such a case, it is possible that the conversation with you cannot be continued. In this case, all of the personal data that was stored in the course of the contact will be deleted.

  1. Transfer of your data to a third party

We do not share any personal data with companies, organizations, or persons outside of our company, except in one of the following circumstances:

4.1. With your consent

We will transmit personal data to companies, organizations, or persons outside of our company if we have received your consent for this; this refers, in particular, to the previously presented circumstances when using our online offers.

4.2. Processing by other parties. We make personal data available to other companies affiliated with our group of companies, as well as our third-party business partners, other reliable companies, or persons who process this data on our behalf. This is done on the basis of our instructions and in accord with our data protection statement and other appropriate confidentiality and security measures.

4.3. For legal reasons, we will transmit personal data to companies, organizations, or persons outside our company if we may assume in good faith that access to this data or its use, storage, or transfer is reasonably necessary in order to, in particular, comply with applicable laws, regulations, or legal procedures, or to comply with a regulatory order.

  1. Transfer of your data to a third country or an international organization

Insofar as not expressly described within the context of this data protection statement, there will not be a transfer of your personal data to third countries or international organizations.

  1. Automated decision-making

No automated decision-making will be carried out.

  1. Rights

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in relationship to us, the controller:

7.1. Right of access

You can request from the controller a confirmation as to whether we are processing personal data related to you. If such processing exists, you may request from the controller disclosure about the following information:

(1) the purposes for which the personal data is processed;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipient to whom personal data related to you was disclosed or will be disclosed;
(4) the planned duration of storing the personal data related to you, or if not possible to provide specifics on this, criteria used to determine that time period;
(5) the existence of the right to request rectification or erasure of personal data related to you, a right to restrict the processing of personal data by the controller or to object to such processing;
(6) the existence of the right to file a complaint with a supervisory authority;
(7) all available information about the source of the data if the personal data was not collected from the data subject;
(8) the existence of automated decision-making, including profiling according to Art. 22 par. 1 and 4 GDPR and—at least in those cases—meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request disclosure about whether the personal data related to you is transmitted to a third country or to an international organization. In this connection, you may request to be informed about the applicable safeguards according to Art. 46 GDPR in the context of this transfer.

7.2. Right to rectification

You have the right vis-à-vis the controller to have personal data related to you rectified if incorrect, and/or completed, if it is incomplete. The controller must promptly undertake the rectification.

7.3. Right to restrict processing

Under the following prerequisites, you may request that the processing of personal data related to you be restricted:

(1) you contest the accuracy of the personal data related to you for a time period that allows the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you reject the erasure of the personal data and instead request the restriction of its use;
(3) the controller no longer needs the personal data for the purposes of processing, however, you require the data for asserting, exercising, or defending legal claims, or
(4) you file an objection to processing according to Art. 21 par. 1 GDPR, and it is not yet determined whether the legitimate interests of the controller outweigh your grounds.

Where processing of personal data related to you has been restricted, this data may only be processed—with the exception of storage—with your consent, or for asserting, exercising or defending legal claims, or for the protection of the rights of another natural person or legal entity, or for reasons of important public interest of the Union or of a Member State. If the restriction on processing was limited according to the above-mentioned prerequisites, you will be informed before the restriction on processing is lifted.

7.4. Right to erasure

7.4.1. Obligation to erase personal data

You can request from the controller that the personal data related to you is immediately erased, and the controller is obligated to immediately erase this data if one of the following grounds applies:

(1) the personal data related to you are no longer necessary for the purposes for which it was collected or otherwise processed;
(2) you withdraw your consent on which the processing is based according to Art. 6 par. 1 lit. a or Art. 9 par. 2 lit. a GDPR, and there is no other legal grounds for the processing;
(3) you object to the processing pursuant to Art. 21 par. 1 GDPR and there are no overriding legitimate grounds for processing, or you object to the processing pursuant to Art. 21 par. 2 GDPR;
(4) data related to you was unlawfully processed;
(5) the erasure of the personal data related to you is required for compliance with a legal obligation according to Union or Member State law, to which the controller is subject;
(6) the personal data related to you was collected in relation to the services offered of an information society according to Art. 8 par. 1 GDPR.

7.4.2. Information to third parties

If the controller has made the personal data related to you public and is obliged pursuant to Art. 17 par. 1 GDPR to erase this personal data, the controller, taking account of the available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers that are processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, this personal data.

7.4.3. Exceptions

The right to erasure does not exist insofar as the processing is necessary:

(1) for exercising the right of freedom of expression and information;
(2) for compliance with the legal obligation which requires processing according to Union or Member State law to which the controller is subject, or for the performance of a task within the sphere of public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 par. 2 lit. h and i, and Art. 9 par. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Art. 89 par. 1 GDPR, insofar as the right referred to in Section a) is likely to make the realization of the objectives of this processing impossible or seriously impair these objectives; or,
(5) for the assertion, exercise or defense of legal claims.

7.5. Right to be informed

You have the right to receive the personal data related to you, which you provided to the controller, in a structured, commonly used in machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, if

(1) the processing is based on a consent pursuant to Art. 6 par. 1 lit. a GDPR or Art. 9 par. 2 lit. a GDPR or on a contract pursuant to Art. 6 par. 1 lit. b GDPR; and
(2) processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data related to you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others may not be adversely affected hereby. The right to data portability does not apply for processing personal data that is required for performing a task in the public interest or in exercising official authority vested in the controller.

7.6. Write to data portability

You have the right to receive the personal data related to you, which you provided to the controller, in a structured, commonly used in machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, if

(1) the processing is based on a consent pursuant to Art. 6 par. 1 lit. a GDPR or Art. 9 par. 2 lit. a GDPR or on a contract pursuant to Art. 6 par. 1 lit. b GDPR; and
(2) processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data related to you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others may not be adversely affected hereby. The right to data portability does not apply for processing personal data that is required for performing a task in the public interest or in exercising official authority vested in the controller.

7.7. Right to object

You have the right to object on the grounds relating to your particular situation at any time to the processing of personal data related to you that is based on Art. 6 par. 1 lit. e or f GDPR; this also applies for profiling based on these provisions. The controller will no longer process the personal data related to you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing aids in asserting, exercising or defending legal claims. If personal data related to you is processed for engaging in direct marketing, you have the right to object at any time to processing personal data related to you for the purpose of such marketing; this also applies for profiling to the extent that it is related to such direct marketing. If you object to the processing for purposes of direct marketing, the personal data related to you will no longer be processed for these purposes. You have the option, in connection with using the services of an information society—irrespective of Directive 2002/58/EC—to exercise your right to object by automated means for which technical specifications are used.

7.8. Withdrawal of the declaration of consent under privacy law

You have the right to withdraw your privacy law declaration of consent at any time. The legality of the processing that takes place based on the consent up until the time of revocation is not affected by withdrawal of the consent.

7.9. Right not to be the subject of automated decision-making in an individual case, including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or significantly affects you in an adverse manner. This does not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between you and the controller,
(2) is authorized by Union our Member State law to which the controller is subject and which also includes suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is made with your express consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9 par. 1 GDPR unless Art. 9 par. 2 lit. a or g GDPR applies, and suitable measures to safeguard your rights and freedoms and legitimate interests were put into place. With respect to the cases mentioned in (1) and (3), the data controller must implement suitable measures to safeguard your rights and freedoms and legitimate interests, among which is included, at a minimum, the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.

7.10. Right to file a complaint with a supervisory authority

Irrespective of any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work, or the place of the alleged violation if you are of the opinion that the processing of personal data related to you violates the GDPR. The supervisory authority with which the complaint has been filed will inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

 

TOP