Data protection

DATA PROTECTION

Privacy policy – BVB FanShop

Content
I.       Name and address of the controller
II.      Contact details of the Data Protection Officer
III.     General information on data processing
IV.     Provision of the website and creation of log files
V.      Use of cookies
1.      Technically required cookies
2.      Cookies for the analysis of user behavior
3.      Cookies for advertising purposes and social media
VI.     Online Shop
VII.    Payment services
1.      PayPal
2.      Credit card
VIII.   Contact form and e-mail contact
IX.     Newsletter
X.      Transfer of data within the group of undertakings
XI.     Your rights
1.      The right to revoke the declaration of consent under data protection law (Art. 7 para. 3 GDPR)
2.      Right of access (Art. 15 GDPR)
3.      Right to rectification (Art. 16 GDPR)
4.      Right to erasure or "right to be forgotten" (Art. 17 GDPR)
5.      Right to restriction of processing (Art. 18 GDPR)
6.      Notification obligation (Art. 19 GDPR)
7.      Right to data portability (Art. 20 GDPR)
8.      Automated individual decision-making (Art. 22 GDPR)
9.      Right to object (Art. 21 GDPR)
10.    Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

I.    Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (hereinafter referred to as the "GDPR") is

Borussia Dortmund GmbH & Co. KGaA
Rheinlanddamm 207-209
44137 Dortmund
Germany
Managing Directors: Hans-Joachim Watzke (Vorsitzender), Thomas Treß, Carsten Cramer
Tel.: 02 31 - 90 20 0
E-Mail: [email protected]
Website: www.bvb.de

II.    Contact details of the Data Protection Officer
You can reach the data protection officer at:

BHG Datenschutz Consulting
Rechtsanwalt Ulf Haumann LL.M
Kaiserstr. 21-23
44135 Dortmund
Germany
Tel.: 02 31 - 90 20 0
E-Mail: [email protected]
Website: www.bvb.de

III.    General information on data processing
The protection of your personal data is very important to us. We process your data primarily in order to provide you with a functional and easy-to-use website. We want to ensure that you can use our content and offers via these websites.

In addition, we only process your data if and to the extent permitted by law. Please refer to the following remarks for further information.

IV. Provision of the website and creation of log files
Every time you visit our website, our system automatically collects data and information from your computer system. We collect the following data:
(1) Information about the browser type and the version
(2) Your operating system
(3) Your IP address
(4) Date and time of access
(5) Websites from which your system accesses our Website

This data is stored in the log files of our system. The aforementioned data is not stored together with other personal data.

It is necessary for our system to temporarily store the IP address so that the website can be provided to your computer. Your IP address must remain stored for the duration of the respective use of the website. The storage in log files therefore serves the functionality of the website. We also use this data to optimise our website and secure our information technology systems. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit f GDPR (our legitimate interest in operating the website). As part of the balancing of interests, we have weighed our legitimate interest in the processing of data for the operation of the website against your interest in the protection of personal data.

The data will be stored for as long as is necessary to achieve the purpose for which it was collected. Where data is required to provide the functionality of the website, it is not required once the respective session has ended. Your data will then be deleted automatically. If the data is stored in log files, it will be deleted after seven days at the latest. If the aforementioned data is further stored, your IP address will be deleted or pseudonymised, so that it is no longer possible refer it to the internet access used to visit our website. We only pass on data and information from your computer system to third parties under special circumstances and if the requirements for a change in the purpose of the data processing are met.  

The collection of data for the provision of the website and the storage of data in log files is necessary for the operation of the website.

V.    Use of cookies and other technologies (website analysis/tracking)
We use cookies in some areas of our website, e.g., in order to recognise visitors' preferences and to be able to optimally design the website accordingly. This facilitates navigation and offers a high degree of user-friendliness. Cookies also help us to identify particularly popular areas of our website. These are text files that are stored by your internet browser on your computer system. When you visit our website, a cookie may be stored on your system. These contain an individual character string that allows information to be retained for a certain period of time and identifies your terminal device. In the following sections on point 1 ("Necessary cookies"), on point 2 ("Statistical technologies") and on point 3 ("Marketing technologies"), we explain in detail which types of cookies we use, and which data is processed there in each case.
Insofar as the following explanations not specifying different deletion periods, the following applies in summary to the storage period, irrespective of the type and purpose of the cookies:
You have unrestricted control over the use of cookies. These are stored on your computer and the data is transmitted from it to our site. Most browsers are set by default to accept cookies, but by changing the browser settings, the transmission of cookies can be disabled or restricted. Cookies that have already been stored can be deleted at any time. This can also be done automatically by setting your browser accordingly.
If cookies are generally deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.
When you access our website, you will be informed by an information banner about the above-mentioned use of cookies and referred to this data protection declaration. We ask you here for your consent to the use of cookies, which you give us by clicking on the button "I agree".
You can object to the use of cookies at any time. You can do this by either not agreeing to the use of cookies in the banner displayed or by changing your browser settings accordingly.

1. Necessary cookies
These services, technologies and cookies are necessary to ensure central functions of the portal as well as the fulfilment of contracts with customers and cooperation partners. The following data is stored and transmitted in the cookies:
(1) Session ID
(2) Login ID
(3) Shopping cart ID
We require cookies for the following applications for technical reasons:
(1) Personalised addressing
(2) Shopping cart content is retained over several browser calls.
The data collected through technically necessary cookies are not used to create user profiles.

They are used on the legal basis of Art. 6 para. 1 sentence 1 lit. b) (contract initiation or fulfilment), lit. c) (if legal obligations exist) and/or lit. f) DSGVO (overriding legitimate interests). The latter interests are in particular the monitoring of the technical performance of the website as well as our interest in the economic use of partner sales channels. They can therefore not be deactivated via our Consent Management System or by you as a website user.
If you object to the use of these cookies or configure your browser accordingly, our website will not recognise your browser and certain content may not be accessible or data (e.g., from an input mask) may be lost.
For the storage period of technically necessary cookies, the same applies as mentioned under point V.

1.1 Tag Management System
The processing operations within this category control the playout of services, technologies, and cookies without storing the data collected as part of these services. Similarly, no data is collected or stored by the tag management systems themselves. The system is used to technically implement your choice regarding privacy settings.
The following technologies and service providers are used:
- Google Tag Manager

1.2 Technically Required Website Technologies
The processing operations within this category are used to ensure the smooth use of the website and its functions. Without their use, it is not possible to use functions such as the shopping cart compilation.
The following technologies and service providers are used:
- Own website cookies

1.3 Consent Management Platform (CMP)
The processing procedures within this category enable users to individually control their data transfer. The Consent Management Platform is used to query and document the user's decision and to transfer it to other systems.
The following technologies and service providers are used for this purpose:
- e.g., Cookiebot
(https://www.cookiebot.com/en/privacy-policy/)

1.4 Basic Web Analytics (excl. Customer IDs)
The processing operations within this category are used for the following purposes: for non-personal traffic analysis, incident monitoring & alerting, fraud detection, IT management, reach measurement, product development and improvement and navigation tracking.
The following technologies and service providers are used:
- Google Analytics
https://policies.google.com/technologies/partner-sites?hl=en

2. Statistical technologies
We also use cookies on our website that enable an analysis of your surfing behaviour. The data collected in this context is pseudonymised by technical precautions. The data can then no longer be assigned to you. This data is not stored together with your other personal data.
The following data can be transmitted in this way:
(1) Frequency of page views
(2) Use of website functions
Analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer. These purposes are also our legitimate interest in processing the personal data according to Art. 6 (1) lit. f DS-GVO.
If you object to the use of these cookies or configure your browser accordingly, this will not bring about any disadvantages for you. All functions of the website will continue to be available.
What has been said under V. applies to the storage period of cookies for the analysis of surfing behaviour.

2.1 Website statistics and analysis
In addition to the basic web analysis, pseudonymous usage profiles are also collected in the extended web analysis with your consent. By "pseudonymous usage profiles" we mean profiles that are pseudonymised via IP anonymisation and can be linked to online transaction data from the online shop.
For this purpose, we use Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google"). This uses cookies. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States.
Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous usage profiles can be created from the processed data.
We only use Google Analytics with IP anonymisation activated. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser will not be merged with other Google data.
You may refuse the use of cookies by selecting the appropriate settings on your browser. You can also prevent the collection of data generated by the cookie and related to your use of the website by Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
For more information on Google's use of data for advertising purposes, settings and opt-out options, please visit the Google websites: https://www.google.com/intl/de/policies/privacy/partners/ ("Data use by Google when you use our partners' websites or apps"), http://www.google.com/policies/technologies/ads ("Data use for advertising purposes"), http://www.google.com/settings/ads ("Manage the information Google uses to show you ads") and http://www.google.com/ads/preferences/ ("Determine what ads Google shows you").
As an alternative to the browser add-on or within browsers on mobile devices, please click this link to prevent the collection by Google Analytics within this website in the future. This will place an opt-out cookie on your device. This cookie stores that we are not allowed to use your data for Google Analytics. If you delete your stored cookies, you must click this link again.
For the storage period of the cookies, the same applies as mentioned under point V.

3. Marketing technologies
We use third-party cookies to learn more about your surfing behaviour (webtracking) so that we only show you advertising that you want to see. In this respect, the processing of your data is based on a legitimate interest and on the basis of Art. 6 (1) lit. f DS-GVO.
When you enter our website, you will be shown a banner with which we ask for your consent. In this respect, additional legitimacy basis is Art. 6 para. 1 lit a) DS-GVO.

3.1 Personal advertising and remarketing on third-party sites, social channels, search engines or sites of cooperation partners.
The processing operations within this category are used to play interest-based advertising to the user on third-party sites, social media, search engines or sites of cooperation partners. This is to increase the content relevance of the advertising for our visitors.

3.1.1 Google Ads
We use Google Ads on our website, an online advertising tool from Google that enables so-called "remarketing". This enables tailored advertising based on your surfing habits on other websites in the Google Display Network (Google, so-called "Google Ads" and other websites).
Your surfing behaviour on our website is analysed so that you can be shown advertising on other websites that matches your interests. For this purpose, Google uses cookies, which can be used to identify your browser on a specific computer - but not a person or a user. Personal details are not stored.
We only use Google Ads with IP anonymisation activated. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser will not be merged with other Google data.
You can prevent the storage of cookies by setting your browser software; accordingly, you can also prevent the collection of the data generated by the cookie and related to your use of the online offer to Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://policies.google.com/technologies/ads?hl=de.
We also use the so-called "conversion tracking", which is also part of Google Ads. When you click on an advertisement placed by Google, a corresponding cookie is stored on your system. Here too, no personal details or other data are processed that can be used to identify the specific user or a person.
The cookie is used to create statistics on so-called "conversion rates", which, in simple terms, represent the relationship between visits to a page and successful sales.
Cookies for conversion tracking by Google AdWords become inactive after 30 days. How you can deactivate personalised advertising and conversion tracking by Google can be read here:
https://support.google.com/ads/answer/2662922?hl=en

3.1.2 Facebook
We use another conversion tracking and "remarketing" tool, the so-called Facebook Pixel, a service of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, to evaluate our advertising measures on Facebook.
The service allows us, but also Facebook, to track users' actions after they have clicked on a Facebook ad. This enables us to record and evaluate the effectiveness of advertisements for statistical and market research purposes in order to optimise future advertising measures.
The data collected is anonymous for us, so it does not allow us to draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook data usage policy (https://www.facebook.com/about/privacy/). You may allow Facebook and its partners to serve ads on and off Facebook. A cookie may also be stored on your computer for these purposes.
We only use Facebook pixels if and to the extent that you have given us your express consent to use them. Consent to the use of the visitor action pixel may only be given by users who are older than 13 years of age. If you are younger, we ask you to ask your parent or guardian for permission. If you give your consent, the data processing is based on Art. 6 para. 1 a) DSGVO.
You have the right to revoke your consent at any time with effect for the future.

3.1.3 Microsoft Bing Ads
On our website, Bing Ads technologies are used to collect and store data from which usage profiles are created using pseudonyms. This is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. This service enables us to track the activities of users on our website if they have reached our website via ads from Bing Ads. If you arrive on our website via such an ad, a cookie is set on your computer. A Bing UET tag is integrated on our website. This is a code that, in conjunction with the cookie, stores some non-personal information about your use of the website. This includes, among other things, the length of time spent on the website, which areas of the website were accessed and via which advertisement the users accessed the website. Information about your identity is not collected.
The information collected is transferred to Microsoft servers in the USA and stored there for a maximum of 180 days. You can prevent the collection of data generated by the cookie and related to your use of the website, as well as the processing of this data, by deactivating the setting of cookies. This may restrict the functionality of the website under certain circumstances.
In addition, Microsoft may be able to track your usage behaviour across multiple electronic devices through cross-device tracking, which enables Microsoft to display personalised advertising on or within Microsoft websites and apps. You can disable this behaviour at https://account.microsoft.com/privacy/ad-settings/signedout?lang=en-GB.
For more information about Bing's analytics services, please visit the Bing Ads website (https://help.bingads.microsoft.com/#apex/3/en/53056/2). For more information about Microsoft and Bing privacy, please see Microsoft's privacy policy (https://privacy.microsoft.com/en-us/privacystatement.)

3.2 Links to social media services
On our website you will find links to the social media services of Facebook, Twitter, Google+, YouTube, Pinterest and Instagram. You can recognise links to the websites of the social media services by the respective company logo. If you follow these links, you will reach Borussia Dortmund's corporate presence on the respective social media service. When you click on a link to a social media service, a connection is established to the servers of the social media service. This transmits to the servers of the social media service that you have visited our website. In addition, further data is transmitted to the provider of the social media service. These are for example:

- Address of the website on which the activated link is located.
- Date and time when the website was called up or the link was activated
- Information about the browser and operating system used
- IP address
If you are already logged in to the corresponding social media service at the time the link is activated, the provider of the social media service may be able to determine your username and possibly even your real name from the transmitted data and assign this information to your personal user account with the social media service. You can exclude this possibility of allocation to your personal user account if you log out of your user account beforehand.
The servers of the social media services are located in the USA and other countries outside the European Union. The data may therefore be processed by the provider of the social media service in countries outside the European Union. Please note that companies in these countries are subject to data protection laws that do not protect personal data in general to the same extent as they do in the Member States of the European Union.
Please note that we have no influence on the scope, type and purpose of the data processing by the provider of the social media service. For more information on the use of your data by the social media services integrated on our website, please refer to the privacy policy of the respective social media service.


VI.    Online Shop
Large parts of our fan shop and our product range can be viewed without registration or log-in, so that you can inform yourself as simply as possible about our offer and without obligations. You have the possibility to purchase our articles without creating a customer account.
In order to process your order, we need your personal data, which you enter into a designated input mask. These will be transmitted to us and stored by us.

The following data will be collected during the ordering process:
(1) Personal data (name, address, date of birth)
(2) E-mail address
In addition, the following data will be stored at the time of the order:
(1) Your IP address
(2) Date and time of the order

The processing of your data serves the conclusion and the fulfillment of purchase, work and work delivery contracts in connection with our fan articles. In this respect, Art. 6 Para. 1 lit b GDPR (fulfilment of the purchase, work or work delivery contract with you) serves as the legal basis.

In order for us to be able to fulfil our obligations under the contracts concluded with you, the processing of the above data is absolutely necessary. If you decide not to provide us with the aforementioned data, we will not be able

- To conclude contracts with you,
- To send you goods and
- To settle our services with you,
- To send you tailor-made offers,
- To inform you about promotions and discounts.

Your data will be deleted as soon as they are no longer required for the purpose of their collection. This is the case with the fulfilment of a contract or with the implementation of pre-contractual measures if the data are no longer necessary for the implementation of the contract. We store contract and booking relevant data in accordance with tax and commercial retention periods for a period of ten calendar years after the last booking.
Recipients of data may be banks and the payment service providers described in Section VII for the processing of payments and postal service providers for the dispatch of goods. Authorities and offices may be recipients within the scope of their tasks, insofar as we are obliged or entitled to transmit data.

VII.    Payment services
If you conclude contracts with us via our shop, we include third-party payment services, based on the payment method you choose. Since payment is related to the contractual relationship with you, the legal basis for all payment methods is Art. 6 Para. 1 lit b GDPR.

1.    PayPal
If you choose to pay through PayPal, we will provide PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, e-mail: [email protected] with the data collected during registration and information about the transaction and other information related to the transaction, such as the amount sent or requested, the amount paid for products or services, merchant information, including information about payment instruments used for the transaction, device information, technical user data and location data.

This presupposes that you have created an account there or have agreed to the processing of your personal data as a guest there. Please also refer to the privacy policy issued by PayPal (Europe) S.à r.l. et Cie, S.C.A..

2.    Credit card
Payment by credit card is made by entering your credit card number, expiration date and, if applicable, CVC number in the corresponding input fields of the order dialog. This data, as well as your personal details and information about the transaction and other information in connection with the transaction will be transmitted to the respective payment service provider. When (online) paying by credit card, your credit card data (MasterCard, VISA, American Express, AmEx, card number, check digit and validity period) will be collected and stored at Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA, and only passed on to the companies involved in the payment process, e.g:
- MasterCard, Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium,
- at VISA at your card-issuing bank or Visa Europe Management Services Limited,
    German Branch, Hamburger Allee 2-4 WestendGate, 60486 Frankfurt,
- American Express Services Europe Limited, Branch Office Frankfurt am Main, Branch Office of a limited liability company under the laws of the United Kingdom with registered office in London, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main,
The data is also transferred to your card-issuing bank as part of the payment process if necessary.

We use the Secure Socket Layer (SSL) encryption method, a very high security standard on the Internet. As soon as you have entered your data during payment and clicked on the confirmation button, your details will be sent in encrypted form. This means that they are not accessible to third parties.

VIII.    Contact form and e-mail contact
You can contact us via various contact forms available on our website or by e-mail.

If you enter data into the input mask of the contact form provided for this purpose, it will be transmitted to us and processed by us. This involves the following data:
(1) Topic/reason for contact
(2) Salutation
(3) First name
(4) Name
(5) Telephone number
(6) Message
As soon as your message is sent, the following other data will also be stored:
(1) Your IP address
(2) Date and time of registration

For the processing of data for the purpose of correspondence, we ask for your consent before sending the message and refer to this privacy policy. The legal basis for data processing in this respect is Art. 6 para. 1 lit a GDPR.

The processing of other data (e.g. connection data) during the sending process should prevent misuse of the contact form and guarantee the security of our information technology systems. The legal basis in this respect is Art. 6 para. 1 lit f GDPR.
If contact is established via the e-mail address provided, the personal data transmitted with your e-mail will be stored. The legal basis for the processing of your data is Art. 6 para. 1 lit f GDPR, as we have a legitimate interest in this. If the establishment of contact by form or e-mail is in connection with the initiation of a contract or the fulfilment of a contract, Art. 6 para. 1 lit b GDPR is also the legal basis for the processing.

We process personal data from the input mask or e-mails exclusively to process the establishment of contact. Data will not be passed on to third parties in this respect.

We will delete your data as soon as it is no longer required for achieving the purpose for which it was collected. For personal data from the input mask of the contact form and for data transmitted by e-mail, this is the case when the respective correspondence with you has ended. Correspondence is terminated when it can be inferred from the circumstances that the relevant facts have been conclusively clarified, but no later than one year after the last correspondence with you.

Personal data that was additionally collected during the sending process will be deleted after a period of seven days at the latest.

You can revoke your consent to the processing of your personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. All you have to do is send an informal message to the contact details listed above.

In these cases, however, it is not possible to process your message.

If the data are necessary for the fulfilment of a contract or for the execution of pre-contractual measures, a premature deletion can take place only, as far as contractual or legal obligations permit this.

IX.    Newsletter
You can subscribe to our free newsletter. For this purpose, you enter your data in the input mask provided and these will be transmitted to us. Your e-mail address will be collected during registration.

As soon as your message is sent, the following other data will also be stored:
(1) Your IP address
(2) Date and time of registration

Before sending your data, we ask you to give your consent to this processing of the data and we refer to this privacy policy. Your data will be processed with your consent. In this respect, Art. 6 para. 1 lit a GDPR is the legal basis.

After registration you will receive an e-mail in which you will be asked to confirm your registration. This confirmation is necessary so that nobody can register with external e-mail addresses. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time and your IP address used.

Since the processing of the data after the first registration is necessary to deliver the ordered newsletter, Art. 6 para. 1 lit b and Art. 6 para. 1 lit f GDPR also serve as a legal basis.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used. This processing is therefore also permissible on the basis of Art. 6 para. 1 lit f GDPR.
No data will be passed on to third parties in connection with data processing for the dispatch of newsletters. The data will be used exclusively for sending the newsletter.

You can cancel your subscription to the newsletter at any time or object to further newsletters being sent. Each newsletter contains a corresponding link to the unsubscribe form. This also enables us to revoke your consent to the storage of your data. However, you can also cancel your consent at any time by sending an informal letter to the above contact details.

We will delete your data as soon as they are no longer required for the purpose of their collection. Your e-mail address will be stored as long as the newsletter subscription exists. All other personal data collected as part of the registration process will generally be deleted after a period of seven days after collection.

X.    Transfer of data within the group of undertakings
If you give us your consent, address and order data will also be collected and processed for our own marketing purposes and for those of the group companies BVB Merchandising GmbH; Sports & Bytes GmbH; BVB Event & Catering GmbH; besttravel Dortmund GmbH, all located at Rheinlanddamm 207-209, 44137 Dortmund, as well as the Ballspielverein Borussia 09 e.V. Dortmund, Strobelallee 50, 44139 Dortmund. This is based on the legal basis of Art. 6 para. 1 lit a GDPR.
Under certain circumstances, we may also process your data on the basis of legitimate interest within the group. The legal basis in this respect is Art. 6 Para. 1 lit f. GDPR.

You can object to data processing on the basis of the legitimate interest by stating reasons or revoke your consent to data processing. All you have to do is send an informal message to the above-mentioned contact details.

We will delete your data as soon as they are no longer required for the purpose of their collection.

XI.    Your rights
In the following we would like to inform you about your rights according to the General Data Protection Regulation.

1.    The right to revoke the declaration of consent under data protection law (Art. 7 para. 3 GDPR)
You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. You will be informed of this before giving your consent.

2.    Right of access (Art. 15 GDPR)
Pursuant to Art. 15 GDPR, you have the right to request confirmation from us as to whether we process personal data relating to you. If this is the case, you have the right to information about this personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- to whom this personal data has been disclosed or is still being disclosed, in particular when this is done vis-à-vis recipients in third countries or international organisations;
- if possible, the envisaged period for which the personal data will be stored, or,  if this is not possible, the criteria for determining that period;
- the existence of a right to request rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to our processing;
- the right to lodge a complaint with a supervisory authority;
- if the personal data is not collected from you, all available information about the source of the data;
- whether there is automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR and, if so, meaningful information on the logic involved and the scope and envisaged consequences of such processing on you.

If personal data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards in place to ensure that the provisions of the GDPR are complied with by those recipients.

3.    Right to rectification (Art. 16 GDPR)
You can ask us to correct any inaccurate data concerning you immediately. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data - also by means of a supplementary statement.

4.    Right to erasure or "right to be forgotten" (Art. 17 GDPR)
You have the right to obtain from us the erasure of data without undue delay where one of the following grounds applies:
- The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw the consent on which the processing was based and there is no other legal basis for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing.
- You object to the processing pursuant to Article 21(2) GDPR for direct marketing purposes.
- The data were unlawfully processed.
- The data have to be erased for compliance with a legal obligation in Union or German law.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR

If we have made your data public and are obliged to delete it, we will take appropriate measures, taking into account the available technology and the costs of implementation, to inform those responsible that you have requested the erasure.

5.    Right to restriction of processing (Art. 18 GDPR)
According to Art. 18 GDPR, you have the right to obtain from us restriction of processing where one of the following applies:
- you dispute the accuracy of your data, until we are able to verify its accuracy.
- the processing is unlawful and you oppose to the erasure of your data and instead request that the use of your personal data be restricted.
- we no longer need the data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims.
- You object to the processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override yours.  

If processing has been restricted, we may only store this data. Any further processing is then only permitted with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

You may revoke your consent given in this context at any time.

You will be notified by us before the restriction of processing is lifted.

6.    Notification obligation (Art. 19 GDPR)
We are obliged to inform all recipients to whom your data has been disclosed of any rectification or deletion of your data or any restriction of processing, unless this proves impossible or involves disproportionate effort.  

We will inform you of these recipients if you so request.

7.    Right to data portability (Art. 20 GDPR)
You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right for us to disclose such information to a third party, provided that
- the processing of the data is based on your consent or on a contract and
- processing is carried out using automated means.
You may request that we transfer your data directly to the third party as far as this is technically feasible. This right must not impair the rights and freedoms of others.

8.    Automated individual decision-making (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision has legal effect on you or significantly affects you in a similar manner.

This does not apply if:
- you have expressly consented to this in advance, or
- the decision is necessary for the conclusion or performance of a contract between us or
- legislation in force permits this and that such legislation contains suitable measures to safeguard your rights and freedoms and legitimate interests.

In the first two cases, we will implement suitable measures to safeguard your rights and freedoms and your legitimate interests. This includes that you may notify us at any time using the contact details provided above if you believe that automated decision-making limits your rights and freedoms and you may appeal the automated decision at any time. In addition, you may request that the automated decision be reviewed by our employees.

9.    Right to object (Art. 21 GDPR)
If we process your data on the basis of a legitimate interest (Art. 6 para. 1 lit f GDPR), you have the right to object to this if the reasons for this arise from your particular situation. This also applies to profiling based on these provisions. In this case, we will no longer process your data unless we can prove compelling legitimate grounds for the processing. This must outweigh your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If we process your data for the purpose of direct marketing, you may object to the processing of your data. This also applies to profiling insofar as it is related to such direct marketing.

After your objection, your data will no longer be processed for these purposes.

If you wish to object, simply send an informal message to the above contact details.

10.    Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You have the right to complain to a supervisory authority, in particular in the Member State where you are staying, at your place of work or at the place where the alleged infringement occurred, if you consider that the processing of the data concerning you is contrary to the GDPR. Other administrative or judicial remedies which you may have remain unaffected.

Viewed