Data Protection

Privacy policy

PAHAGE Feuerfester Produkte GmbH & Co. KG (PAHAGE) appreciates your interest in the website of PAHAGE.

We place great value on the protection of your personal data. To assure the protection of your personal data we have implemented numerous technical and organizational measures to ensure complete protection in accordance with the applicable EU General Data Protection Regulation (EU Regulation 2016/679, GDPR) and the German Federal Data Protection Act (BDSG).

I             Controller for data processing:

PAHAGE Feuerfester Erzeugnisse GmbH & Co. KG

Holtweg 17-19

41749 Viersen Germany

Tel.: +49 2162 89610

Fax: +49 2162 896149

E-Mail: info@pahage.com

Internet: www.pahage.de

Authorized representatives:

Stephanie Hoffmann (Managing director)

II            Data protection officer:

Volker Rührup

KMR IT-Innovations GmbH

Karl-Arnold-Str. 29

47877 Willich Germany

Tel.: +49 2154 93682-0

E-Mail: ruehrup@kmr-it.de

Should you have any questions regarding the content of our privacy policy, please contact the above-mentioned data protection officer.

III           General information about data processing

1                 Extent of processing of personal data

We process personal data of our website users only to the extent necessary to provide a functioning website and to provide information about our products and services.

The processing of personal data is only done following the user’s consent. An exception applies in those cases where it is not possible for technical reasons to obtain consent beforehand and the processing is permitted by law.

2                 Legal basis for the processing of personal data

Insofar as we obtain the consent of the user for processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) constitutes the legal basis.

If the data is being processed for the fulfilment of a contract of which the user is a contractual party, Article 6(1)(b) GDPR constitutes the legal basis. This also applies to processing operations required to carry out pre-contractual actions.

In cases where the processing of personal data is needed to fulfil a legal obligation our company is bound to, Article 6(1)(c) GDPR applies.

In the event that vital interests of the person concerned or another natural person require the processing of personal data, Article 6(1)(d) GDPR applies.

If processing is necessary for the purposes of legitimate interests by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, Article 6(1)(f) GDPR constitutes the legal basis.

3                 Data erasure and storage duration of personal data

The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage can be prolonged if European regulations, national laws or other regulations demand longer storage. Personal data is also blocked or deleted if a storage period specified by the aforementioned regulations or laws expires, unless there is a necessity for longer storage for the purpose of conclusion or execution of a contract of which the user is a contractual party.

4             Data transmission (SSL encryption)

Data transmission over the internet (e.g. when communicating by e-mail) may have security vulnerabilities. As the provider, we cannot completely protect the transmission of data over the internet as this may be beyond our reach.

For this reason, you are free to submit your personal data to us via other means of communication (e.g. telephone or normal mail).

Our site uses SSL encryption for security reasons and to protect the transmission of sensitive content (e.g. contact form).

You can recognize an encrypted connection by the fact that the address line of your web browser changes from “http:” to “https:” and by the visible lock in the address bar.

If SSL encryption is enabled, data that you submit to us cannot be read by third parties.

IV           Provision of the website and creation of log files

1                 Description of data processing

Each time a user accesses our website our system automatically collects data and information from the computer system of the calling computer.

The following data is collected:

    • Browser type and version which is used to access our site
    • Operating system
    • Internet service provider used to access our site
    • IP address of the user
    • Date and time
    • Website from which the system of the user is referred to us
    • Content pages viewed on our website

2                 Log files

The information mentioned under no. 1 is also stored in log files of our system. This data is not stored together with other personal data of the user.

3                 Legal basis of data processing

Legal basis for the temporary storage of personal data in our log files is Article 6(1)(f) GDPR.

4                 Purpose of data processing

Our website provides information about the products and services of PAHAGE. Users may use our contact form to contact PAHAGE.

4.1             Usage of our website for information

Temporary storage of the user’s IP address is necessary to deliver our website to the user’s computer. For this, the IP address has to be stored for the duration of the user’s session.

Saving of log files is needed to ensure the functioning of our website.

Furthermore, we use this data for optimizing and securing our system. We do not use collected log files for marketing purposes.

Legal basis is Article 6(1)(f) GDPR.

4.2             Usage of our website to contact us and/or for contract enquiries

We collect personal data for the initiation of a contract (enquiry using our contact form) as well as for the execution of a contract.

Article 6(1)(a), (b) and (f) GDPR form the legal basis.

5                 Duration of storage

5.1             Usage of our website for information

Personal data is only stored for as long as is needed to fulfil the purpose in Section IV, 4.2 (data minimisation).

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. With respect to data collection for the provision of our site, this is the case when the respective session is finished. With respect to the storage of data in log files, this is the case at the latest after 7 days. Longer storage is possible if needed for security or optimization reasons. In this case, the IP addresses of the users are deleted or altered so that they can no longer be assigned to the visiting user.

5.2             Usage of our website to contact us and/or for contract enquiries

Personal data is stored for the duration of a contractual agreement to the extent necessary for the execution of the contractual agreement. If the contractual agreement is no longer valid, collected personal data is deleted unless other legal obligations require longer storage (tax laws, for example). In these cases the personal data will be stored for the duration of these legal retention periods. After these retention periods personal data will be deleted.

6                 Right to object

6.1             Usage of our website for information

The collection of data for provision of our web site and the storage of log files is absolutely necessary for the operation of our site.

Therefore, the user has no possibility to object.

6.2             Usage of our website to contact us and/or for contract enquiries

In principle, our web site can be viewed without the need to collect personal data. If personal data is collected as mentioned above, we assure you that your data will not be disclosed to third parties without your express consent.

This does not apply when disclosure is required for purposes of law enforcement, safeguarding of public order or the protection of our systems.

V            Usage of cookies

Our site uses cookies. Cookies are small text files which are stored on the computer system of our users through their internet browser. If a user accesses our web site, a cookie can be stored on the operating system of the user. In this cookie a characteristic string is stored. With this string a user can be identified across multiple content pages of our site or on later visits.

1                 Purpose of data processing by means of cookies

We use cookies to give you easier access to our offers. Some elements require the usage of cookies. For example, the language selection is stored inside a cookie. If you visit our site on a later occasion, the previous language is used again.

Furthermore, we use cookies to ensure the quality of our site and content. We can use these cookies to track usage of our content pages and therefore optimize them. We do not use this data for profiling.

2                 Data stored and transmitted by the means of cookies

We store and possibly transmit the following data in cookies:

  • Language selection
  • Log-In-information
  • Frequency of visits
  • Use of web site features

3                 Pseudonymisation

Data transmitted through cookies is pseudonymised by technical means. Therefore, no assignment of collected data to a visiting user is possible any more. This data is not stored alongside other collected personal data.

4                 Disabling, restriction and deletion of cookies

Cookies are stored on the user’s computer and transmitted to our web site. Therefore, you as a user have full control over the use of cookies. You can change the settings of your internet browser to disable or restrict the use of cookies. Cookies already present on the user’s computer can be deleted. This can be done automatically. To find out how to do this, please consult the manual of your internet browser. If cookies for our web site are disabled, you may no longer be able to use all features of our site.

5                 Information

When visiting our site for the first time the user is informed of the use of cookies and his consent for the processing of personal data in this context is obtained. A reference is made to this Privacy Policy.

6                 Legal basis

Article 6(1)(f) GDPR constitutes the legal basis for the processing of personal data using cookies. Article 6(1)(a) GDPR constitutes the legal basis for the processing of personal data using cookies for the purpose of analysis.

VI         Contact form and e-mail contact

On our web site a contact form is present that you can use to contact us electronically.

1             Scope of data processing

If the user uses our contact form, the data entered in the input mask is transmitted to us and stored.

The following data points are transmitted:

  • First and surname
  • Telephone number (optional)
  • E-Mail address
  • Subject
  • Message

At the moment of submission the following data is also stored:

  • IP-address
  • Date and time of submission

Alternatively, you can contact us via the provided e-mail addresses. In this case the data submitted by you is stored. This data is not disclosed to a third party.

We only use this data for the purpose of your enquiry.

2                 Purpose of data processing

The processing of personal data submitted through the contact form is solely used to process the making of contact. If the contact is made by e-mail, this entails the required legitimate processing of the data.

The additional transmitted data is used to prevent misuse of our contact form and to ensure the security of our IT systems.

3                 Objection

You can always revoke your consent to the processing of personal data. If you contact us by means of e-mail, you can object to the storage of your personal data at any time. In such a case the conversation cannot be continued. All collected data will be deleted in this case.

4                 Duration of storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. For the personal data transmitted by the contact form and the data sent by e-mail, this is the case once the respective conversation with the user is finished. The conversation is finished when it is clear from the circumstances that the respective matter has been finally settled. The personal data that was additionally collected during the transmission is deleted at the latest after seven days.

5             Legal basis

Article 6(1)(a) GDPR constitutes the legal basis for the processing of personal data.

Article 6(1)(f) GDPR constitutes the legal basis for the processing of data that is transmitted with the sending of an e-mail. If the e-mail contact aims at the initiation of a contract, Article 6(1)(b) GDPR is an additional legal basis.

VII        Job application via e-mail

1             Scope of data processing

If a user applies for a job via e-mail, the user’s personal data transmitted by e-mail will be stored.

There is no transfer of the data to third parties. The data will be used exclusively for processing the application.

2                 Purpose of data processing

The processing of personal data is solely for processing the application and for the first assessment of the applicant.

3                 Objection

The user has the possibility at any time to revoke his consent to the processing of the personal data. He may object at any time to the storage of his personal data. In such case, the application cannot be processed further. All personal data saved during the application will be deleted in this case.

4                 Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If no employment contract is concluded with the applicant, the application documents will be deleted two months after the announcement of the rejection decision. The cancellation period may be extended due to other legitimate interests. These legitimate interests include, for example, the desire of the applicant to be taken into account in later job assignments. Furthermore, the storage period can be extended for securing evidence in a procedure under the German General Equal Treatment Act (AGG).

5             Legal basis

Article 6(1)(a) GDPR constitutes the legal basis for the processing of personal data.

Article 6(1)(f) GDPR constitutes the legal basis for the processing of data that is transmitted with the sending of an e-mail. If the e-mail contact aims at the initiation of a contract, Article 6(1)(b) GDPR is an additional legal basis.

VIII       Google Maps

Our web site uses Google Maps software from Google LLC in order to provide geographic information and directions.

To use Google Maps, data has to be transmitted to Google. This data is collected directly from the user’s computer system. You can prevent the transmission to Google by disabling “JavaScript” in the settings of your internet browser. In this case you will not be able to use the map and directions on our site under section “Contact”.

If you do not disable “JavaScript” and continue to use the service of map generation and directions on our web site, you express consent to the processing of your personal data by Google.

Further information regarding data protection can be found in Google’s Data Protection Policy.

(See https://www.google.de/contact/)

IX           Rights of data subjects

1             Transparent information, communication and modalities for the exercise of the rights of the data subject

1.1          The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 GDPR and any communication under Articles 15 to 22 and 34 GDPR relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

1.2          The controller shall facilitate the exercise of data subject rights under Articles 15 to 22 GDPR. In the cases referred to in Article 11(2) GDPR, the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22 GDPR, unless the controller demonstrates that it is not in a position to identify the data subject.

1.3          The controller shall provide information on action taken on a request under Articles 15 to 22 GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

1.4          If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

1.5          Information provided under Articles 13 and 14 GDPR and any communication and any actions taken under Articles 15 to 22 and 34 GDPR shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a)           charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b)           refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

1.6          Without prejudice to Article 11 GDPR, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21 GDPR, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

1.7          The information to be provided to data subjects pursuant to Articles 13 and 14 GDPR may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

1.8          The Commission shall be empowered to adopt delegated acts in accordance with Article 92 GDPR for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

2             Information to be provided where personal data are collected from the data subject

2.1          Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a)           the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b)           the contact details of the data protection officer, where applicable;

(c)           the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d)           where the processing is based on point (f) of Article 6(1) GDPR, the legitimate interests pursued by the controller or by a third party;

(e)           the recipients or categories of recipients of the personal data, if any;

(f)            where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 GDPR, or the second subparagraph of Article 49(1) GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2.2          In addition to the information referred to in paragraph 2.1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a)           the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b)           the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c)           where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d)           the right to lodge a complaint with a supervisory authority;

(e)           whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f)            the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.3          Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.2.

2.4          Paragraphs 2.1, 2.2 and 2.3 shall not apply where and insofar as the data subject already has the information.

3             Information to be provided where personal data have not been obtained from the data subject

3.1          Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a)           the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b)           the contact details of the data protection officer, where applicable;

(c)           the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d)           the categories of personal data concerned;

(e)           the recipients or categories of recipients of the personal data, if any;

(f)            where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 GDPR, or the second subparagraph of Article 49(1) GDPR, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

3.2          In addition to the information referred to in paragraph 3.1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a)           the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b)           where the processing is based on point (f) of Article 6(1) GDPR, the legitimate interests pursued by the controller or by a third party;

(c)           the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d)           where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e)           the right to lodge a complaint with a supervisory authority;

(f)            from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(g)           the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.3          The controller shall provide the information referred to in paragraphs 3.1 and 3.2:

(a)           within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b)           if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c)           if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

3.4          Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 3.2.

3.5          Paragraphs 3.1 to 3.4 shall not apply where and insofar as:

(a)           the data subject already has the information;

(b)           the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) GDPR or in so far as the obligation referred to in paragraph 3.1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

(c)           obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

(d)           where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

4             Right of access by the data subject

4.1          The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a)           the purposes of the processing;

(b)           the categories of personal data concerned;

(c)           the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d)           where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e)           the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f)            the right to lodge a complaint with a supervisory authority;

(g)           where the personal data are not collected from the data subject, any available information as to their source;

(h)           the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

4.2          Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

4.3          The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.4          The right to obtain a copy referred to in paragraph 4.3 shall not adversely affect the rights and freedoms of others.

5             Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

6             Right to erasure (‘right to be forgotten’)

6.1          The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a)           the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)           the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;

(c)           the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;

(d)           the personal data have been unlawfully processed;

(e)           the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)            the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

6.2          Where the controller has made the personal data public and is obliged pursuant to paragraph 6.1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

6.3          Paragraphs 6.1 and 6.2 shall not apply to the extent that processing is necessary:

(a)           for exercising the right of freedom of expression and information;

(b)           for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c)           for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;

(d)           for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 6.1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e)           for the establishment, exercise or defence of legal claims.

7             Right to restriction of processing

7.1          The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a)           the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b)           the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c)           the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d)           the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

7.2          Where processing has been restricted under paragraph 7.1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

7.3          A data subject who has obtained restriction of processing pursuant to paragraph 7.1 shall be informed by the controller before the restriction of processing is lifted.

8             Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

9             Right to data portability

9.1          The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a)           the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and

(b)           the processing is carried out by automated means.

9.2          In exercising his or her right to data portability pursuant to paragraph 9.1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

9.3          The exercise of the right referred to in paragraph 9.1 of this Article shall be without prejudice to Article 17 GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9.4          The right referred to in paragraph 9.1 shall not adversely affect the rights and freedoms of others.

10           Right to object

10.1        The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

10.2        Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

10.3        Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.4        At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 10.1 and 10.2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

10.5        In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

10.6        Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

11           Automated individual decision-making, including profiling

11.1        The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

11.2        Paragraph 11.1 shall not apply if the decision:

(a)           is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b)           is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c)           is based on the data subject’s explicit consent.

11.3        In the cases referred to in points (a) and (c) of paragraph 11.2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

11.4        Decisions referred to in paragraph 11.2 shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

12           Restrictions

12.1        Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34 GDPR, as well as Article 5 GDPR in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 GDPR, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a)           national security;

(b)           defence;

(c)           public security;

(d)           the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e)           other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f)            the protection of judicial independence and judicial proceedings;

(g)           the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h)           a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i)            the protection of the data subject or the rights and freedoms of others;

(j)            the enforcement of civil law claims.

12.2        In particular, any legislative measure referred to in paragraph 12.1 shall contain specific provisions at least, where relevant, as to:

(a)           the purposes of the processing or categories of processing;

(b)           the categories of personal data;

(c)           the scope of the restrictions introduced;

(d)           the safeguards to prevent abuse or unlawful access or transfer;

(e)           the specification of the controller or categories of controllers;

(f)            the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)           the risks to the rights and freedoms of data subjects; and

(h)           the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

13           Right to file a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the data subject has the right to file a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or location of alleged violation, if the data subject is of the opinion that the processing of the personal data concerning him or her violates the GDPR.

The supervisory authority with which the complaint was filed shall inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.