Privacy policy of Schule Schloss Salem

This data protection declaration defines the type, scope and purpose of personal data management in the school’s online presence, associated websites, functions and content. This includes our social media accounts. In principle, the use of our website is possible without providing personal data. Should personal data be collected when visiting our websites, it is processed in accordance with the General Data Protection Regulation (VO (EU) 2016/679; DS-GVO) and the Federal Data Protection Act of July 30, 2017 (BDSG-neu) as well as the Telemedia Act (TMG). The processing of personal data occurs in accordance with the privacy policy that follows.

This privacy policy applies to the use of the website at the address www.schule-schloss-salem.de. Linked content from other providers, is the subject of the privacy policy on the linked website which is decisive.
Data transmission via the Internet may be subject to security lapses that cannot be prevented by the technical design of this website. A complete protection of personal data is not possible when using the Internet.

I. Responsible party

The responsible party in terms of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations for the collection and use of your personal data on our website and when using this service is:

Schule Schloss Salem gGmbH
Schlossbezirk 1
88682 Salem, Deutschland
Tel.: +49 7553 919-0
E-Mail: info[at]schule-schloss-salem[dot]de

Data Protection Officer: Herr Rainer Müller
datenschutz[at]schule-schloss-salem[dot]de

II. Webhosting

1. Hosting the Website
Our website is operated on a web server of Host Europe GmbH (Host Europe GmbH, Postfach 92 02 54, 51152 Cologne, Germany).

2. data collected
When our websites are accessed, data is automatically collected and stored in log files on our host's server. These data may have some personal relevance. Among the data collected are:

  • Name of the retrieved website
  • Date and time of the retrieval/access
  • Amount of data transferred
  • Message confirming successful retrieval
  • Type of internet browser
  • Version of the Internet browser
  • the operating system running under the browser with patch level
  • the previously visited page
  • requesting provider
  • IP addresses
  • websites from which the user's system accesses our website
  • Websites that are accessed by the user's system via our website.

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

3. legal basis for data processing
The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f DS-GVO.

4. purpose of the collection by the host
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.
The host uses the collected data to operate the website and to ensure IT security and the security of our information technology systems. In case of concrete indications of what, the log data may be analyzed subsequently.
An evaluation of the data for marketing purposes does not take place in this context.

These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f DS-GVO.

5. duration of storage by the host
Data stored by the host is automatically deleted after two weeks.

6. possibility of objection and elimination
The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

III. support of the website

Our website is technically maintained by 3m5. Media GmbH (3m5. Media GmbH, Loschwitzer Straße 37, 01309 Dresden, Germany). Employees of 3m5. Media may have access to the data you enter on our site. This includes the following categories of data:

  • Personal master data
  • communication data
  • protocol data.

Access to the data takes place exclusively on behalf of Schule Schloss Salem gGmbH in the context of website maintenance. Your data will not be passed on under any circumstances. With regard to the secure order processing of your personal data in the newsletter tool, there is a legally valid agreement for contracted data processing with 3m5. Media.

IV. General information on data processing

Schule Schloss Salem maintains state-of-the-art technical measures as well as the current recommendations of the Federal Office for Security and Information Technology to ensure data security, in particular to protect your personal data against risks during data transmission and against unauthorized third parties accessing your data.
For these reasons, the site uses SSL encryption for security and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. The encryption is achieved using the RSA/SHA256 algorithm with a 2048 bit key length.

1. scope of the processing of personal data
In principle, you can use the Schule Schloss Salem website without disclosing your personal data. We collect and use personal data of our users only to the extent necessary to provide a functional website and our content and services. If the opportunity for the input of personal or business data (email addresses, name, addresses) is given, the input of these data takes place voluntarily. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is legally permitted.

2. legal basis for the processing of personal data
When consent is given for the processing of personal data, the legal basis for this is provided by Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR).
When processing personal data that is necessary for the fulfillment of the contact and the creation, of a school/boarding school contract, Art. 6 (1) lit. b DS-GVO serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual steps.
Insofar as processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) lit. c DS-GVO serves as the legal basis.
In the event that vital interests of the subject of the data, or other persons, make processing of personal data necessary, Art. 6 (1) (d) DS-GVO serves as the legal basis.
If the use of the data is necessary to protect a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the affected person do not outweigh the first-mentioned interest, then Art. 6 (1) lit. f DS-GVO serves as the legal basis for data processing.

3. data deletion and storage period
The personal data of the affected person shall be deleted or blocked as soon as the purpose of storage ceases to apply. In addition, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Blocking or deletion of data also takes place when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

V. Use of cookies

1. description and scope of data processing
When calling up our website, users are informed by an info banner about the use of cookies for analysis purposes and their consent to the processing of personal data used in this context is obtained.

Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user calls up a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to optimize our websites. For this purpose, so-called session cookies are used, which enable recognition within a visit to our pages. Session cookies are automatically deleted by a browser after a visit to a website.
The user's session ID is stored in the cookies.

Furthermore, we use cookies that are used to recognize your device across sessions. Cookies stored on your device for this purpose are not deleted after the individual session. These are cookies that enable an analysis of the surfing behavior and targeted advertising aimed at the user.
In this way the following data can be transmitted:

  • Origin (country and city)
  • language
  • Operating system of the calling computer
  • Device (PC, tablet or smartphone)
  • Browser and add-ons used
  • Resolution of the computer
  • Visitor source (e.g. facebook, search engine or referring page)
  • entered search terms
  • Frequency of page views
  • Use of website functions
  • total visit time and time spent on individual pages
  • the original source of the visitor
  • other websites visited.

The user data collected in this way is pseudonymized by technical precautions. Therefore, a link between the data to the calling user is not possible. This data is not stored together with other personal data of the user.

2. legal basis for data processing
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f DS-GVO.

The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 (1) lit. a DS-GVO if the user has consented to this.

3. purpose of data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.

The user data collected through technically necessary cookies are not used to create user profiles.

For the analysis of our website, we use cookies from Google Analytics.

The analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimize our offer.

In these purposes also lies our legitimate interest in the processing of personal data according to Art. 6 para. 1 lit. f DS-GVO.

4. duration of storage, possibility of objection and elimination
Cookies are stored on the user's computer and transmitted from it to our site. Therefore, a user has full control over the use of cookies. By changing settings in the Internet browser the transmission of cookies may be restricted or disabled. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website in full.

VI. contact form and e-mail contact

1. description and scope of data processing
Our website contains a contact form that can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. The following data may be transmitted to us in the course of the contact request:

  • Salutation
  • Title
  • First name
  • Surname
  • Name of the child
  • Date of birth of the child
  • Child's address
  • E-mail address
  • Phone number
  • A personal message.

The following data is also stored at the time the message is sent:

  • the IP address of the user
  • the date and time of registration.

For the processing of data, consent is obtained during the submission process and reference is made to this privacy policy.

Alternatively, it is possible to contact us via the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored.
In order to ensure sufficient data security when transmitting forms, we use the reCAPTCHA service of the company Google Inc. This primarily serves to distinguish whether the input is made by a natural person or improperly through an automated input.

For more information in this regard, please refer to the Google Services section of this privacy policy.

2. legal basis for data processing
The legal basis for the processing of this data is Art. 6 (1) lit. a DS-GVO if the user has given his consent.

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f DS-GVO. If the e-mail contact is made for the purpose of agreeing a school/boarding school contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DS-GVO.

3. purpose of data processing
The processing of personal data from the input mask solely allows the contact to be processed. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. duration of storage
The personal data from the input mask of the contact form and those sent by e-mail or telephone are deleted after 36 months.

5. possibility of objection and elimination
The user has the option to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

The right of objection may be exercised through an informal e-mail to info[at]schule-schloss-salem[dot]de.

All personal data stored in the course of contacting us will be deleted in this case.

VII. Newsletter

1. Description and scope of data processing
Our website offers the possibility to subscribe to a school newsletter. By subscribing to the newsletter, agreement is given to receive it and to the procedures described.

Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter "newsletter") only with the consent of the recipient or a legal permission. Insofar as the contents of the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. Otherwise, our newsletters contain information about the school and its services.

We use the so-called double opt-in procedure, i.e. after subscribing you will first receive an e-mail asking you to confirm your subscription. This confirmation is necessary so that no one can register with other people's e-mail addresses. Subscriptions to the newsletter are logged in order to be able to prove the subscription process in accordance with legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Changes to personal data stored with the dispatch service provider are also logged.

If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. The following data may be transmitted in the course of the contact request:

  • Title
  • First name
  • Last name
  • E-mail address.

2. legal basis for data processing
The legal basis for the processing of the data is, if the user has given his consent, Art. 6 para. 1 lit. a, Art. 7 DS-GVO in conjunction with § 7 para. 2 No. 3 UWG or on the basis of the legal permission pursuant to § 7 para. 3 UWG.

The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f DS-GVO. Our interest is directed towards the use of a user-friendly as well as secure newsletter system that serves our business interests as well as meets the expectations of the users and furthermore allows us to prove consent.

3. purpose of data processing
The processing of personal data from the input mask serves only to provide and send the newsletter.

4. duration of storage
Personal data will be stored by the school until permission to do so is revoked.

5. possibility of objection and elimination
The user has the option at any time to revoke his consent to the processing of personal data and to unsubscribe from receiving the newsletter. For this purpose, a corresponding unsubscribe link is found in every mail or newsletter. Revocation may also be achieved at any time via email:

info@schule-schloss-salem.de

The school may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove consent formerly given. The processing of this data will be limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.

6. Newsletter – shipping service provider
The newsletter is sent using the shipping service provider CleverReach GmbH & CoKG, Schafjückenweg 2, 26180 Rastede. The privacy policy of the shipping service provider may be viewed here: www.cleverreach.com. The shipping service provider is used on the basis of the school’s legitimate interests pursuant to Art. 6 para. 1 lit. f DS-GVO and a contract processing agreement pursuant to Art. 28 para. 3 p. 1 DS-GVO.
The dispatch service provider may use the data of the recipients in pseudonymous form, i.e. without assignment to a user, to optimize or improve its own services, e.g. to technically optimize the dispatch and presentation of the newsletters or for statistical purposes. However, the dispatch service provider does not use the data of our newsletter recipients to write to them itself neither may it pass the data on to third parties.

VIII. Data protection information for job applicants

1. Description and scope of data processing
Internal data processing when reviewing an application

We process the data provided as part of an application for the purpose of reviewing suitability for an advertised position. Suitable applications for a position will be forwarded by the Human Resources department to the relevant department / academic management for closer examination. For a comprehensive assessment of an application, we require a curriculum vitae as well as certificates of qualification or corresponding evidence in any case. When entering data, the following fields are mandatory: Last name, first name, address, e-mail address, date of birth, country / nationality, questions about school education / professional qualifications, curriculum vitae and photograph. It is also required that at least one attachment is included. Other information is provided on a voluntary basis.

2. legal basis for data processing
This data processing is based on Art. 6 para. 1 p.1 letter b DS-GVO, Art. 26 BDSG-neu.
For candidates under the age of 18 years, the consent of legal guardians is necessary before concluding a contract.

The legal basis for data storage in our job applicant pool is Art. 6 para. 1 p. 1 lit. a DS-GVO.

3. purpose of data processing
The processing of personal data from the application process is solely for the processing and implementation of the job application process.

4. duration of storage
Job application data is deleted six months after the end of the application process, taking into account Section 61b (1) ArbGG in conjunction with Section 15 AGG. § 15 AGG. The application process ends after a final status has been set for the individual application (rejection/employment).
If the school was unable to consider an application for a specific position, an application may be retained in in the applicant pool. In such cases an e-mail regarding the applicant pool will be sent, and the request may be accepted or rejected by the applicant. This enables the school to contact appropriate candidates should suitable positions become available. The school will only store an application if express consent has been given to do so.
Where consent is given, application data will be stored for a maximum period of 15 months, after which it will be automatically deleted.

5. possibility of objection and elimination
The applicant has the option to revoke his consent to the storage and processing of personal data at any time by e-mail. In such a case, the conversation cannot be continued.

If a job applicant wishes to exercise the right of objection, an informal e-mail to info[at]schule-schloss-salem[dot]de will suffice.

All personal data stored in the course of contacting the school will be deleted or blocked in this case.

IX. Online presence in social media

The school maintains online presence within social networks and platforms in order to communicate with customers, interested parties and users. When calling up the respective networks and platforms, the terms and conditions and data processing policies of the respective operators apply.

Unless otherwise stated in this privacy policy, the data of users is processed if they communicate over the social networks and platforms, e.g. write posts on our online presence or send messages.

X. Use of Google services

Our website, uses services of the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google). Google has submitted to the Privacy Shield Agreement and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Further information about the Google services used by Schule Schloss Salem gGmbH and the related scope of the processing of personal data is found below.

1. Google service
1.1. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on a computer, to help the website analyze how users use the site. These are cookies from Google itself (Google Analytics cookies) and so-called third-party cookies (DoubleClick cookies). The information generated by the cookie about use of this website is usually transmitted to a Google server in the USA and stored there. We point out that on this website Google Analytics has been extended by the code "gat._anonymizeIp();" to ensure anonymized collection of IP addresses (so-called IP masking). If anonymization is active, Google truncates IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area, which is how identity is protected. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

In the context of the school’s use of Google Analytics, a legal agreement with Google for order processing has been reached.

1.2. Legal basis for the processing of personal data
The legal basis for the use of Google Analytics is § 15 para. 3 TMG or Art. 6 para. 1 li. F DS-GVO.

1.3. purpose of data processing
On behalf of the operator of this website, Google will use the collected information for the purpose of evaluating user interaction with the website, compiling reports on website activity and providing other services relating to website activity and internet usage, such as Google Analytics reports on performance by demographic characteristics and interests to the website operator. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. In the Google Analytics reports on performance by demographic characteristics and interests, data obtained via interest-based advertising from Google and visitor data from third-party providers (such as age, gender and interests) are used. Google will in no case associate your IP address with other data from Google.

1.4. duration of storage
Sessions are terminated after a specified period of time. By default, sessions end after 30 minutes of no activity, and campaigns end after six months. The time limit for campaigns can be a maximum of two years. For more information on terms of use and privacy, please visit www.google.com/analytics/terms/de.html or policies.google.com.

1.5. possibility of objection and elimination
Cookies may be refused by selecting the appropriate browser settings. It should be noted that this may limit the website’s functionality. Collection of data generated by the cookie and related to your use of the website (including your IP address) to Google may be prevented by downloading and installing the browser plugin available at the following link tools.google.com/dlpage/gaoptout.

Opt-out cookies prevent the future collection of your data when visiting this website. To prevent collection by Universal Analytics across devices, the opt-out must be implemented on all systems used. If you click here, the opt-out cookie will be set: <a href="javascript:gaOptout()"><strong>Disable Google Analytics</strong></a></p>.

2. Google Maps
The school website uses the product Google Maps from Google Inc. a service for displaying an interactive map. By using this website, automatic consent for the collection, processing and use of automatically collected data by Google Inc, its representatives and third parties is given.

Google will not associate an IP address with any other data held by Google. Nevertheless, it would be technically possible for Google to identify individual users on the basis of the data collected. For example, it would be possible that personal data and personality profiles of users of the website could be processed by Google for other purposes. The school has no influence on this.

If personal data should not be stored by Google Maps, it can be disabled by deactivating the JavaScript of your browser. However, in this case the map display would be disabled.

Use of this website and not deactivating the JavaScript function, implicitly confirms consent to the processing of personal data collected by Google in the manner and for the purpose described above.

For more information on the terms of use, legal information on Google Maps and the Google privacy policy, please visit http://www.google.com/intl/de_de/help/terms_maps.html and https://www.google.com/intl/de/policies/privacy/index.html.

3. Google ReCAPTCHA
In order to ensure sufficient data security when submitting forms, we use reCAPTCHA from Google Inc. This serves primarily to distinguish whether the input is made by a natural person or improperly by machine. The service includes the sending of the IP address and possibly other data required by Google for the reCAPTCHA service to Google. The deviating data protection regulations of Google Inc. apply in this case. Further information on the data protection guidelines of Google Inc. can be found at http://www.google.de/intl/de/privacy.
or https://www.google.com/intl/de/policies/privacy/.

4. disable Google cookie
Google cookies may be permanently disabled by following the link below and changing the cookie management settings accordingly: http://www.google.com/policies/technologies/managing/.
http://www.google.com/policies/technologies/ads/.
Changes to the ad settings can be made at https://www.google.de/settings/ads.
Alternatively, cookie use by third parties can be disabled by visiting the Network Advertising Initiative opt-out page at http://www.networkadvertising.org/choices/ and implementing the opt-out option.

7. YouTube
“You Tube” videos are integrated on the school website. "YouTube" is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By calling up pages of our website that have integrated YouTube videos, data is transmitted to YouTube, stored and evaluated. If a YouTube account exists and the user is logged in, this data will be assigned to the account and the data stored in it.

Google’s data collection objectives can be found at https://www.google.com/intl/de/policies/privacy/. Privacy policy: https://www.google.com/policies/privacy/,

Opt-out: https://adssettings.google.com/authenticated.

XI. Use of social plugins

1. Facebook
Social plugins ("plugins") of the social network facebook.com are used on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DS-GVO) social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can display interactive elements or content (e.g. videos, graphics or text contributions) and are recognizable by one of the Facebook logos (white "f" on blue tile, the terms "Like", "Like" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin". The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law
(https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

When a user calls up a function of this online service that contains such a plugin, his or her device establishes a direct connection with Facebook's servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated by the latter into the online offer. In the process, usage profiles of the users can be created from the processed data. We therefore have no influence on the scope of the data that Facebook collects with the help of this plugin and therefore inform users according to our level of knowledge.

By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offer. If the user is logged into Facebook, Facebook can assign the visit to his Facebook account. If users interact with the plugins, for example by clicking the Like button or posting a comment, the corresponding information is transmitted from your device directly to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will learn and store his or her IP address. According to Facebook, only an anonymized IP address is stored in Germany.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and settings options for protecting the privacy of users, can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/.

If a user is a Facebook member and does not want Facebook to collect data about him or her via this online offer and link it to his or her membership data stored on Facebook, he or she must log out of Facebook and delete his or her cookies before using our online offer. Further settings and objections to the use of data for advertising purposes, are possible within the Facebook profile settings: www.facebook.com/settings or via the US site www.aboutads.info/choices/ or the EU site www.youronlinechoices.com. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.

2. Instagram
Within our online presence, functions and contents of the service Instagram, offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, may be integrated. This may include, for example, content such as images, videos or texts and buttons with which users can make known their liking regarding the content, the authors of the content or subscribe to our posts. If the users are members of the Instagram platform, Instagram can assign the call of the above-mentioned content and functions to the profiles of the users there. Privacy policy of Instagram: instagram.com/about/legal/privacy/.

3. LinkedIn
Within our online presence, functions and contents of the service Linkedin, offered by the company LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA can be integrated. By calling up pages that use such functions, data (IP address, browser data, date and time, cookies) are transmitted to LinkedIn, stored and evaluated. If you have a LinkedIn account and are logged in, this data will be assigned to your personal account and the data stored therein. The privacy policy, what information LinkedIn collects and how they use it can be found at www.linkedin.com/legal/privacy-policy.

XII. Rights of the data subject

If personal data is processed, the affected person is a data subject within the meaning of the GDPR and they have the following rights vis-à-vis the responsible person/organisation:

1. right to information
Confirmation may be requested from the responsible body as to whether personal data are being processed by the school.
If there is such processing, information may be requested about the following:

(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information on the origin of the data, if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

The affected person has the right to request information about whether personal data has been transferred to a third country or to an international organization. In this context, the affected person may request to be informed about the appropriate safeguards pursuant to Art. 46 DS-GVO in connection with the transfer.

2. right to rectification
The applicant has a right to rectification and/or completion vis-à-vis the responsible body if the personal data processed are inaccurate or incomplete. The responsible body shall carry out the rectification without undue delay.

3. right to restriction of processing
The restriction of the processing of personal data may be requested under the following conditions:

(1) if the accuracy of the personal data concerning you is contested, for a period enabling the responsible body to verify the accuracy of the personal data;
(2) the processing is unlawful and the affected person objects to the erasure of the personal data and request instead the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of processing, but the affected person needs it for the establishment, exercise or defense of legal claims; or
(4) if the affected person objects to the processing pursuant to Article 21 (1) DS-GVO and it has not yet been determined whether the responsible body has legitimate grounds to override his/her wish.
If the processing of personal data has been restricted, such data may - apart from being stored - only be processed with the affected person’s consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, the affected person will be informed by the responsible body before the restriction is lifted.

4. right to deletion
4.1. Obligation to delete

The responsible body may be requested to erase personal data without undue delay, if one of the following reasons applies:

(1) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) Consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) DS-GVO is revoked and there is no other legal basis for the processing.
(3) The affected person objects to the processing pursuant to Art. 21 (1) DS-GVO and there are no overriding legitimate grounds for the processing.
(4) The personal data have been processed unlawfully.
(5) The erasure of the personal data is necessary for compliance with a legal obligation under European Union law or the law of the Member States to which the responsible body is subject.
(6) The personal data has been collected in relation to information society services offered pursuant to Article 8(1) DS-GVO.

4.2. Information to third parties
If the responsible body has made the personal data public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable measures, including technical measures, to inform data controllers processing the personal data that the data subject, has requested erasure of all links to or copies or replications of such personal data, taking into account the available technology and the cost of implementation.

4.3. Exceptions
The right to erasure does not exist insofar as the processing is necessary for

(1) for the exercise of the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under the law of the European Union or the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the responsible body;
(3) for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Art. 89(1) DS-GVO, insofar as the aforementioned right is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
(5) for the assertion, exercise or defense of legal claims.

5. right to information
If the affected person has asserted the right to rectification, erasure or restriction of processing against the responsible body, it is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
The affected person has the right to be informed about these recipients.

6. right to data portability
The affected person has the right to receive personal data that have been provided to the responsible body in a structured, commonly used and machine-readable format. This data to may be transferred to a second responsible body without hindrance from the first to whom the personal data was provided, provided that.

(1) the processing is based on consent pursuant to Art. 6(1)(a) DS-GVO or Art. 9(2)(a) DS-GVO or on a contract pursuant to Art. 6(1)(b) DS-GVO and
(2) the processing is carried out with the help of automated procedures.

In exercising this right, the affected person also has the right to obtain the personal data being transferred, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the responsible body.

7. right of objection
The affected person has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data which is carried out on the basis of Article 6(1)(e) or (f) DS-GVO; this also applies to profiling based on these provisions.

The responsible body shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the affected person, or the processing serves the purpose of asserting, exercising or defending legal claims.

If the personal data is processed for the purposes of direct marketing, one has the right to object at any time. This also applies to profiling, insofar as it is related to such direct marketing.

An objection to data processing for direct marketing purposes, will result in the personal data no longer be processed for these purposes.

One has the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise the right to object by means of automated procedures using technical specifications.

8. right to revoke the declaration of consent under data protection law
One has the right to revoke the declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

9. automated decision in individual cases including profiling
One has the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects or has similarly significantly impacts. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between the affected person and the responsible body
(2) is permitted by legislation of the European Union or the Member States to which the responsible body is subject and that legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the individual; or
(3) is made with the express consent of the affected person.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms as the individual’s legitimate interests.

With regard to the cases mentioned in (1) and (3), the responsible body shall take reasonable steps to safeguard the rights and freedoms as well as the individual’s legitimate interests, which include, at a minimum, the right to obtain the intervention of a person on the part of the responsible body, to express his or her point of view and to contest the decision.

10. right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, one has the right to lodge a complaint with a supervisory authority, in particular in the Member State of residence, workplace or the place of the alleged infringement, if considered that the processing of personal data infringes the GDPR.

The supervisory authority to which the complaint has been lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

The competent supervisory authority is:

State Commissioner for Data Protection and Freedom of Information
Königsstrasse 10a
70173 Stuttgart / Deutschland
Tel.: 0711/615541-0 / FAX: 0711/615541-15
E-Mail: poststelle@lfdi.bwl.de

Building Character.
This website uses cookies to ensure you get the best experience on our website. Learn more
Decline Allow cookies