Privacy

Summary

We take the protection of your data seriously and generally endeavor to collect and store as little data as possible. Nevertheless, a certain amount of storage and analysis of user data is necessary to ensure and improve the operation of this website. In principle, this website can be used without having to provide any personal data. Data is also not assigned to a specific person – unless you tell us your name, for example in an email or via one of our forms.

If you use one of the services offered on this website, this regularly requires the collection, processing and storage of personal data, such as your name, address, email address or telephone number. This collection, processing and storage generally takes place either on the basis of your prior express consent or a corresponding legal authorization and on the basis of the provisions of the European General Data Protection Regulation and the German Federal Data Protection Act.

Here, we would like to inform you about the nature, scope, and purpose of the data we collect, process, store, and use through this website, as well as your rights in this context.

We use TLS transport encryption (“HTTPS”; the older protocol name “SSL” is still in common use) on this site. This serves, among other things, to protect confidential content, for example when you send us enquiries. You can tell that the connection is actually encrypted by the address shown in your browser, which begins with “https://”, and by the lock symbol the browser displays next to it (many current browsers hide the “https://” prefix and show only the lock, and the lock is no longer shown in green). Transport encryption protects the data on its way between your browser and our server; it says nothing about how the data is handled once it has arrived.

For completeness, we would like to point out that data transmission over the Internet (e.g. when communicating by email, which is usually not encrypted end to end) may have security gaps. Complete protection of data against access by third parties is not possible.

Controller within the meaning of the General Data Protection Regulation

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is

Spotlight GmbH
Am Hauptbahnhof 6
53111 Bonn

(hereinafter “controller” or “we” or “us”).

Definitions and General Information on Data Protection

Personal Data

Personal data are individual details about the personal or factual circumstances of an identified or identifiable natural person. This includes information such as name, address, telephone number and email address, but also the IP address that can be assigned to a connection. Information that is not associated with the identity of a person, such as favorite websites in aggregate or the number of users of a site, is not personal data.

Scope of processing of personal data

We generally only collect and use our users’ personal data to the extent that this is necessary to provide a functional website and our content and services. The collection and use of our users’ personal data generally only occurs with the user’s consent. An exception applies in cases where prior consent cannot be obtained for actual reasons and the processing of the data is permitted by law.

Legal basis for the processing of personal data

If we obtain consent from the data subject for processing personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

When processing personal data that is necessary to fulfill a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

To the extent that processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

If processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) (f) GDPR serves as the legal basis for processing.

Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose for which it was stored no longer applies. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or fulfillment of a contract.

Provision of the Website and Creation of Log Files

Every time you visit our website, we collect data and information through an automated system.

The following data is collected:

2. The user’s operating system

3. The user’s internet service provider (“Provider”)

4. The user’s IP address

5. Date and time of access

6. Websites from which the user’s system accesses our website (“Referrer”)

7. Websites accessed by the user’s system via our website

This data is stored in the log files of our system. This data is not stored together with other personal data of the user. When using this general data and information, we do not draw any conclusions about the person concerned.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.

Purpose of data processing

The temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. Storage in log files is carried out to ensure the functionality of the website. Additionally, the data helps us optimize the website and ensure the security of our information technology systems. These purposes also constitute our legitimate interest in data processing according to Art. 6 (1) lit. f GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. If the data is collected to provide the website, this is the case when the respective session has ended.

If the data is stored in log files, this will be the case after six weeks at the latest. Storage beyond this period is possible. In this case, the users’ IP addresses are deleted or altered so that it is no longer possible to assign the calling client.
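The paragraph above describes the two retention outcomes for access logs: entries are deleted after six weeks, or kept with the client IP address altered so that the calling client can no longer be identified. The following is an added example of how such a retention step can be implemented; it is not the site's own code. It assumes logs in the common/combined access-log format, masks IPv4 addresses to a /24 and IPv6 addresses to a /48, and uses a six-week window; the sample log lines are constructed for the example.

```python
"""Mask client IP addresses in access-log entries older than the retention window.

Added example, not the site's own code. Assumptions: combined log format,
IPv4 masked to /24, IPv6 masked to /48, retention window of six weeks.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Client address, the two "-" fields, and the bracketed timestamp of the combined log format.
_LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest1>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest2>.*)$")
_TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
RETENTION = timedelta(weeks=6)  # assumption: "six weeks at the latest"


def anonymize_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host part of an address; tokens that are not addresses ('-') are returned as-is."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def parse_timestamp(ts_text: str) -> datetime:
    """Parse the bracketed timestamp of the combined log format into an aware datetime."""
    return datetime.strptime(ts_text, _TS_FORMAT)


def anonymize_line(line: str, now: datetime, retention: timedelta = RETENTION) -> str:
    """Mask the client IP if the entry is older than the retention window.

    Entries that do not match the expected format cannot be dated, so every
    address-like token in them is masked (fail closed rather than keep the IP).
    """
    m = _LOG_RE.match(line)
    if m is None:
        return " ".join(anonymize_ip(tok) for tok in line.split(" "))
    if now - parse_timestamp(m.group("ts")) <= retention:
        return line
    return f"{anonymize_ip(m.group('ip'))} {m.group('rest1')} [{m.group('ts')}]{m.group('rest2')}"


def anonymize_log(lines, now: datetime):
    """Apply anonymize_line to every entry and return the processed list."""
    return [anonymize_line(line, now) for line in lines]


# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:1234:5678::9 - - [01/Jan/2024:10:00:01 +0000] "GET /contact HTTP/1.1" 200 2048 "https://example.org/" "curl/8.0"',
    '203.0.113.7 - - [10/Feb/2024:09:30:00 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
NOW = datetime(2024, 2, 20, tzinfo=timezone.utc)  # constructed "current time" for the example

if __name__ == "__main__":
    for entry in anonymize_log(SAMPLE_LOG, NOW):
        print(entry)
```

Run against the sample, the two January entries are older than six weeks and have their addresses reduced to 203.0.113.0 and 2001:db8:1234::, while the February entry is kept unchanged. Masking to a network prefix keeps the entries usable for operational statistics (traffic per network, abuse from a range) without retaining a field that identifies the individual client; whether /24 and /48 are coarse enough depends on how many clients share those prefixes, and an unparseable line is masked outright rather than kept with its address.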

Possibility of objection and removal

The collection of data to provide the website and the storage of data in log files is essential for the operation of the website. Consequently, the user has no option to object.

Cookies and usage profiles

Within the framework of the legal provisions, we may create and evaluate usage profiles under a pseudonym

1. to provide user-friendly services that are not possible without setting cookies,

2. for advertising and market research purposes, and

3. to improve our services and internet offerings,

but only if you have not exercised your legal right to object to this use of your data. Some of our services require us to use so-called cookies.

Cookies are small amounts of data (text files) that your Internet browser stores on your computer. Cookies can store information about your visit to our website, which enables us to recognize your browser and distinguish it from the browsers of other data subjects.

Most browsers are set to accept cookies by default. However, you can configure your browser at any time so that it rejects cookies or asks you for confirmation first. If you reject cookies, this may mean that not all offers and functions of this website work or are usable for you without disruption.


Contact us by email or contact form

Our website may contain a form that can be used to contact us electronically. Alternatively, you can contact us using the email address provided.

If you contact us using the contact form, your first name, surname and email address will always be sent to us. The user’s IP address and the date and time will also be saved.

Your consent to the processing of the data will be obtained during the sending process and reference will be made to this privacy policy. If you contact us by email, your email address and your message will be sent to us and stored by us.

Legal basis for data processing

The legal basis for processing the data if the user has given their consent is Art. 6 (1) (a) GDPR. The legal basis for processing the data transmitted when sending an email is Art. 6 (1) (f) GDPR. If an email contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.

Purpose of data processing

The processing of personal data from the input mask of the contact form serves us solely to process the contact. In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Duration of storage

The data will be deleted after the commercial and tax retention periods have expired.

Possibility of objection and removal

You have the right to withdraw your consent to the processing of your personal data at any time. If you contact us via email, you can object to the storage of your personal data at any time. In such a case, the conversation cannot continue. The withdrawal can be made by sending an email or by contacting us by phone or post. All personal data stored during the contact process will be deleted in this case.

Disclosure of Data to Third Parties

If we disclose data to other persons and companies, transmit it to them, or otherwise grant them access to the data, this will only be done based on a legal authorization (e.g., when the transfer of data to third parties, such as payment service providers, is required for the fulfillment of a contract according to Art. 6 (1) lit. b GDPR), if you have consented, if a legal obligation requires it, or based on our legitimate interests (e.g., when using service providers, web hosts, etc.). If we commission third parties to process data based on a so-called “Data Processing Agreement,” this is done in accordance with Art. 28 GDPR.

In simple terms: Currently, we do not share your personal data with third parties without your explicit consent.

Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this will only be done if it is necessary to fulfill our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we will only process or allow the processing of data in a third country if the special conditions of Articles 44 et seq. of the GDPR are met. This means, for example, that the processing is carried out based on specific guarantees, such as the officially recognized determination of an EU-equivalent level of data protection (e.g., for the USA through the “Privacy Shield”) or adherence to officially recognized specific contractual obligations (so-called “Standard Contractual Clauses”). Note that the EU-U.S. Privacy Shield was declared invalid by the Court of Justice of the EU in July 2020 and has since been succeeded by the EU-U.S. Data Privacy Framework; transfers that relied on the Privacy Shield require another safeguard under Art. 44 et seq. GDPR.

Hosting

The hosting services we use provide the following: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services, which we utilize for the operation of this online offering.

In this context, we or our web host process inventory data, contact data, content data, contract data, usage data, metadata, and communication data of customers, interested parties, and visitors of this online offering based on our legitimate interest in the efficient and secure provision of this online offering pursuant to Art. 6 (1) lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

CDN and External Services on This Website

We use content delivery networks and external services (e.g., for web fonts or maps) from third-party providers to operate our websites. In these cases, data such as your IP address may be transmitted to these providers.

We currently integrate the following external providers:

ajax.googleapis.com / jQuery

On this page, we use Ajax and jQuery technologies to optimize loading speeds. In this context, program libraries are loaded from Google servers via the Google CDN. If you have previously accessed jQuery from the Google CDN on another website, your browser may use the cached copy; however, current browsers partition their cache per top-level site, so in practice the library is usually downloaded again for our site. When a download is required, your browser sends a request to Google Inc. (“Google”) that includes your IP address and, depending on your browser’s referrer policy, the address of the page you are viewing. Your data will be transferred to the USA. For more details, please refer to the provider’s website.

Akismet Anti-Spam Check

Our online offering uses the “Akismet” service, provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. The use is based on our legitimate interests pursuant to Art. 6 (1) lit. f) GDPR. This service is used to distinguish genuine human comments from spam comments. To do this, all comment data is sent to a server in the USA, where it is analyzed and stored for comparison purposes for four days. If a comment is classified as spam, the data is stored beyond this period. This data includes the entered name, email address, IP address, comment content, referrer, information about the browser and computer system used, as well as the time of submission.

For more information on the collection and use of data by Akismet, please refer to Automattic’s privacy policy: https://automattic.com/privacy/.

Users are welcome to use pseudonyms or refrain from entering their name or email address. They can completely prevent the transmission of data by not using our comment system. This would be a pity, but unfortunately, we do not see any alternatives that work as effectively.

Retrieving Profile Pictures from Gravatar

We use the Gravatar service from Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA, within our online offering, particularly in the blog.

Gravatar is a service where users can register and upload profile pictures along with their email addresses. When users leave posts or comments on other online platforms (especially in blogs) using the respective email address, their profile pictures can be displayed next to the posts or comments. For this purpose, a cryptographic hash of the email address provided by the user is transmitted to Gravatar to check whether a profile is associated with it. The hash cannot be turned back into the address directly, but anyone who already knows or guesses an email address can hash it and compare, so the hash does not fully anonymize the address. According to the provider, transmitting the hash serves solely this purpose; it will not be used for any other purposes and will be deleted afterward.

The use of Gravatar is based on our legitimate interests pursuant to Art. 6 (1) lit. f) GDPR, as we offer contributors the opportunity to personalize their posts with a profile picture through Gravatar.

By displaying the images, Gravatar obtains the user’s IP address, as this is necessary for communication between a browser and an online service. For more information on the collection and use of data by Gravatar, please refer to Automattic’s privacy policy: https://automattic.com/privacy/.

If users do not want a user image associated with their email address to appear in the comments, they should use an email address that is not registered with Gravatar for commenting. We also point out that it is possible to use an anonymous or even no email address if users do not want their email address to be transmitted to Gravatar. Users can completely prevent the transmission of data by not using our comment system.

Retrieving Emojis and Smilies

In our WordPress blog, graphic emojis (or smilies), which are small graphic files expressing emotions, are used and retrieved from external servers. The providers of these servers collect the users’ IP addresses. This is necessary to transmit the emoji files to the users’ browsers. The emoji service is provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Privacy policy of Automattic: https://automattic.com/privacy/. The servers used are s.w.org and twemoji.maxcdn.com, which, to our knowledge, are Content Delivery Networks (CDNs), meaning servers that are solely responsible for the fast and secure delivery of the files and delete users’ personal data after transmission.

Use of Facebook Social Plugins

Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering pursuant to Art. 6 (1) lit. f GDPR), we use social plugins (“plugins”) from the social network facebook.com, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins may display interactive elements or content (e.g., videos, graphics, or text posts) and are recognizable by one of the Facebook logos (white “f” on a blue tile, the terms “Like”, “Gefällt mir”, or a “thumbs up” symbol) or are marked with the label “Facebook Social Plugin.” The list and appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the Privacy Shield Agreement, thereby providing a guarantee of compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). Note that this certification scheme was declared invalid by the Court of Justice of the EU in July 2020 and no longer serves as a valid transfer safeguard on its own.

When a user accesses a feature of this online offering that contains such a plugin, their device establishes a direct connection with Facebook’s servers. The content of the plugin is transmitted directly from Facebook to the user’s device and integrated into the online offering. In the process, usage profiles of the users may be created from the processed data. We have no influence on the extent of the data collected by Facebook using this plugin, and therefore inform users according to our current knowledge.

By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offering. If the user is logged into Facebook, Facebook can associate the visit with their Facebook account. When users interact with the plugins, for example, by clicking the Like button or leaving a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. Even if a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.

The purpose and scope of data collection, as well as the further processing and use of the data by Facebook, and the related rights and privacy settings for users, can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

If a user is a member of Facebook and does not want Facebook to collect data about them through this online offering and link it with their Facebook account data, they must log out of Facebook before using our online offering and delete their cookies. Further settings and objections to the use of data for advertising purposes can be made in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or through the U.S. site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are platform-independent, meaning they apply to all devices, such as desktop computers or mobile devices.

Twitter

Within our online offering, features and content from the service Twitter, provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, can be integrated. These may include content such as images, videos, or text and buttons with which users can express their likes regarding the content, subscribe to the content creators, or follow our posts. If users are members of the Twitter platform, Twitter can associate the call of the above-mentioned content and features with their profiles on the platform. Twitter is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Note that this certification scheme was declared invalid by the Court of Justice of the EU in July 2020 and no longer serves as a valid transfer safeguard on its own.

Privacy Policy: https://twitter.com/de/privacy

Opt-Out: https://twitter.com/personalization.

Instagram

Within our online offering, features and content from the service Instagram, provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, can be integrated. These may include content such as images, videos, or text and buttons with which users can express their likes regarding the content, subscribe to the content creators, or follow our posts. If users are members of the Instagram platform, Instagram can associate the call of the above-mentioned content and features with their profiles on the platform.

Privacy Policy: http://instagram.com/about/legal/privacy/.

Xing

Within our online offering, features and content from the service Xing, provided by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany, can be integrated. This may include content such as images, videos, or text and buttons with which users can express their likes regarding the content, subscribe to the content creators, or follow our posts. If users are members of the Xing platform, Xing can associate the access to the above-mentioned content and features with their profiles on the platform.

Privacy Policy: https://www.xing.com/app/share?op=data_protection.

Data Deletion

The data we process will be deleted or its processing restricted in accordance with Articles 17 and 18 of the GDPR. Unless explicitly stated otherwise in this privacy policy, the data we store will be deleted as soon as they are no longer necessary for their intended purpose, and there are no legal retention obligations preventing deletion. If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax-related reasons.

In accordance with legal requirements in Germany, retention occurs for 10 years pursuant to §§ 147 (1) AO, 257 (1) Nos. 1 and 4, (4) HGB (books, records, management reports, booking receipts, commercial books, tax-relevant documents, etc.) and 6 years pursuant to § 257 (1) Nos. 2 and 3, (4) HGB (business correspondence).

In accordance with legal requirements in Austria, retention occurs for 7 years pursuant to § 132 (1) BAO (accounting documents, receipts/invoices, accounts, receipts, business papers, income and expense statements, etc.) and for 10 years for documents related to electronically provided services, telecommunications, broadcasting, and television services provided to non-business customers in EU member states, for which the Mini-One-Stop-Shop (MOSS) is used.

Contractual Services

We process the data of our contractual partners, prospects, and other clients, customers, or partners in accordance with Article 6(1)(b) of the GDPR to provide our contractual or pre-contractual services. The data processed, the nature, scope, purpose, and necessity of its processing are determined by the underlying contractual relationship.

The processed data includes the basic data of our contractual partners, contact details, as well as contract and payment data. We generally do not process special categories of personal data, unless they are part of a commissioned or contractual processing.

We process data that is necessary for the establishment and fulfillment of contractual services and point out the necessity of providing such data if it is not obvious to the contractual partners. Disclosure to external individuals or companies only takes place if it is required within the framework of a contract. When processing the data provided to us as part of an order, we act in accordance with the instructions of the clients as well as legal requirements.

As part of the use of our online services, we may store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the interests of the users in protecting against misuse and other unauthorized use. This data is generally not shared with third parties, unless it is necessary for the enforcement of our claims according to Art. 6 (1) lit. f GDPR, or there is a legal obligation to do so according to Art. 6 (1) lit. c GDPR.

The deletion of data takes place when the data is no longer required for the fulfillment of contractual or legal obligations, as well as for handling any warranty and comparable duties, with the necessity of data retention being reviewed every three years; otherwise, the statutory retention periods apply.

Administration, financial accounting, office organization, contact management

We process data as part of administrative tasks, the organization of our operations, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data that we handle in the course of providing our contractual services.

The legal bases for processing are Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR. The processing affects customers, prospects, business partners, and website visitors. The purpose and our interest in processing lie in administration, financial accounting, office organization, and data archiving, i.e., tasks that serve the maintenance of our business activities, the performance of our duties, and the provision of our services. The deletion of data in relation to contractual services and communication corresponds to the details mentioned for these processing activities.

We disclose or transfer data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices or payment service providers.

Furthermore, based on our business interests, we store information about suppliers, organizers, and other business partners, e.g., for later contact. These predominantly business-related data are generally stored permanently.

Agency services

We process the data of our customers as part of our contractual services, which include conceptual and strategic consulting, software and design development/consulting or maintenance, implementation of advertising campaigns and processes/handling, server administration, data analysis/consulting and training services.

In this context, we process master data (e.g., customer data), contact data (e.g., email and phone numbers), content data (e.g., text inputs, photographs, and videos), contractual data (e.g., contract subject, duration), payment data (e.g., bank details, payment history), usage and metadata (e.g., as part of the analysis and success measurement of marketing activities).

We generally do not process special categories of personal data, unless these are part of a commissioned processing.

The affected parties include our customers, prospects, as well as their customers, users, website visitors, employees, or third parties. The purpose of the processing is the provision of contractual services, billing, and customer service. The legal bases for processing are derived from Art. 6 para. 1 lit. b GDPR (contractual services) and Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization, security measures). We process data that is necessary for the establishment and fulfillment of contractual services and indicate the necessity of providing such data.

Disclosure to external parties only occurs if it is necessary within the scope of a contract. When processing the data entrusted to us in the context of an order, we act in accordance with the instructions of the clients and the legal requirements of a data processing agreement pursuant to Art. 28 GDPR, and we process the data solely for the purposes specified in the contract.

We delete the data after the expiration of statutory warranty and comparable obligations. The necessity of data retention is reviewed every three years; in the case of statutory archiving obligations, deletion occurs after their expiration (6 years according to § 257 para. 1 HGB, 10 years according to § 147 para. 1 AO). In the case of data disclosed to us by the client within the framework of an order, we delete the data in accordance with the contract’s provisions, generally after the completion of the order.

Rights of the Data Subject

If personal data is processed by us, you are a data subject within the meaning of the GDPR, and you have the following rights against us (“the controller”):

Right of access

You can request confirmation from the data controller as to whether personal data concerning you is being processed by us.

If such processing is taking place, you can request the following information from the data controller:

1. the purposes for which the personal data are being processed;

2. the categories of personal data being processed;

3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;

4. the planned duration of the storage of the personal data concerning you or, if specific information is not possible, the criteria used to determine the storage duration;

5. the existence of the right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;

6. the existence of the right to lodge a complaint with a supervisory authority;

7. all available information about the source of the data if the personal data has not been collected from the data subject;

8. the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the intended consequences of such processing for the data subject.

You have the right to request information about whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in relation to the transfer.

Right to rectification

You have the right to rectification and/or completion from the controller if the personal data processed concerning you is incorrect or incomplete. The controller must carry out the rectification without delay.

Right to erasure

You can request the controller to delete the personal data concerning you without delay, and the controller is obliged to delete this data without delay if one of the following reasons applies:

1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.

2. You withdraw your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, and there is no other legal basis for the processing.

3. You object to the processing pursuant to Art. 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) of the GDPR.

4. The personal data concerning you has been unlawfully processed.

5. The deletion of the personal data concerning you is required to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.

6. The personal data concerning you was collected in relation to the offer of information society services pursuant to Art. 8(1) of the GDPR.

If the controller has made the personal data concerning you public and is required to delete it pursuant to Art. 17(1) of the GDPR, they shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform controllers who process the personal data that you, as the data subject, have requested the deletion of all links to, or copies or replications of, this personal data.

The right to erasure does not apply insofar as the processing is necessary:

1. for the exercise of the right to freedom of expression and information;

2. for the fulfillment of a legal obligation which requires processing under Union law or the law of the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

3. for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;

4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89(1) of the GDPR, insofar as the right mentioned in paragraph 1 is likely to make it impossible or seriously impair the achievement of the objectives of such processing, or

5. for the establishment, exercise, or defense of legal claims.

Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of personal data concerning you:

1. if you contest the accuracy of the personal data concerning you, for a period that allows the controller to verify the accuracy of the personal data;

2. if the processing is unlawful and you oppose the deletion of the personal data and instead request the restriction of its use;

3. if the controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise, or defense of legal claims, or

4. if you have objected to the processing pursuant to Art. 21(1) of the GDPR, and it has not yet been determined whether the legitimate grounds of the controller override your reasons.

If the processing of personal data concerning you is restricted, such data may only be processed – apart from storage – with your consent, or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

If the restriction of processing is lifted under the above-mentioned conditions, you will be informed by the controller before the restriction is removed.

Right to be informed

If you have exercised your right to rectification, erasure, or restriction of processing with the controller, the controller is obligated to inform all recipients to whom the personal data concerning you has been disclosed about the rectification or erasure of the data or the restriction of processing, unless this proves to be impossible or involves a disproportionate effort. You have the right to be informed about these recipients by the controller.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

1. the processing is based on consent pursuant to Art. 6(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR, or on a contract pursuant to Art. 6(1)(b) of the GDPR, and

2. the processing is carried out by automated means.

In exercising this right, you also have the right to obtain the direct transfer of the personal data concerning you from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on Art. 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.

After an objection, the controller shall no longer process the personal data concerning you, unless they can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling, insofar as it is related to such direct marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility to exercise your right to object in relation to the use of information society services – notwithstanding Directive 2002/58/EC – through automated means, where technical specifications are used.

Right to withdraw the data protection consent declaration

You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out based on the consent until the withdrawal.

Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

1. is necessary for the entering into or performance of a contract between you and the controller,

2. is permissible based on Union or Member State law to which the controller is subject, and such law provides appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or

3. is based on your explicit consent.

However, such decisions may not be based on special categories of personal data under Art. 9(1) of the GDPR, unless Art. 9(2)(a) or (g) applies and appropriate measures have been taken to safeguard your rights and freedoms as well as your legitimate interests.

In the cases referred to in (a) and (c), the controller takes appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, which at a minimum include the right to obtain the intervention of a person by the controller, to state your point of view, and to contest the decision.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

Exercise of your rights

If you wish to exercise any of these rights, you can contact our Data Protection Officer at any time. We recommend sending your request via email to INFO@SOPHIA-TRAN.DE.

Data security

We use the widely adopted SSL (Secure Socket Layer) procedure in connection with the highest encryption level supported by your browser during your visit to the website. This is usually a 256-bit encryption. If your browser does not support 256-bit encryption, we instead use 128-bit v3 technology. You can identify whether a page of our website is transmitted encrypted by the closed padlock symbol displayed in the lower status bar of your browser.

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

Updates and changes to this privacy policy

This privacy policy is currently valid as of May 2018. Due to the further development of our website and services or changes in legal or regulatory requirements, it may become necessary to amend this privacy policy.