Information on data protection
The protection of your personal data is an important concern for us ("DACHSER"). The processing of your personal data, such as your name, address, email address or telephone number, always takes place in accordance with the General Data Protection Regulation (GDPR) and the country-specific data protection regulations applicable to DACHSER. If provisions of the GDPR are mentioned, the corresponding provisions in other country-specific data protection regulations are also implied in each case.
Our privacy policy will inform you of the type, scope and purpose of the personal data we collect and process. We will also inform you of your legal rights. In cases where we would like to offer you specific services via our website or otherwise, and where there is no legal basis for necessary data processing in this context, we will obtain your consent.
The rights of the data subject and reporting of data protection incidents
You may exercise your rights as a data subject - such as the right to information, rectification, erasure, restriction of processing, data portability and the right to object - online here. You may report data protection incidents such as unauthorised access, information, disclosure, processing, loss of personal data online here.
The responsible person for the purposes of data protection law is:
DACHSER SE
Thomas-Dachser-Straße 2
87439 Kempten
Germany
Tel.: +49 831 5916 0
Fax: +49 831 5916-1312
The name and contact details of the data protection officer at DACHSER SE are:
DACHSER SE
Data protection officer
Thomas-Dachser-Str. 2
87439 Kempten, Germany
This website collects a series of general data and information each time it is accessed. This general data and information is stored in the log files of the server. The data which may be recorded is:
The browser types and versions used,
The operating system used by the accessing system,
The website from which an accessing system reaches our website (known as referrers),
The sub-websites that are accessed via an accessing system on our website,
The date and time of access to the website,
The Internet Protocol (IP) address,
The Internet service provider of the accessing system and
Other similar data and information used to avert danger in the event of attacks on our information technology systems.
In using this general data and information, DACHSER does not draw any conclusions about you. No profiling occurs. Instead, we need this information in order to deliver the content of our website correctly, to optimise the content of our website as well as the advertising for it, to ensure the long-term viability of our information technology systems and the technology of our website, and to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.
This anonymously obtained data and information is used statistically by DACHSER for the purpose of increasing the level of data protection and data security within our company. We store the anonymous data from the server log files separately from all personal data provided by you. The legal basis for the temporary storage of data and log files is art. 6, para. 1, line f) GDPR.
You can contact us via the contact form provided on our website or via the email address provided in the company information. If you contact DACHSER via one of these channels, we will automatically store the personal data you provide. Such personal data transmitted to DACHSER on a voluntary basis will be stored for the purpose of processing your request and/or contacting you.
DACHSER assigns the enquiries and the associated personal data for processing and use to the competent authority within the DACHSER Group, generally to the national subsidiary in the country of the requester, and exchanges the data with the latter. So, for example, enquiries and the corresponding data from the website for Switzerland (www.dachser.com/ch) are exchanged with the DACHSER national subsidiary in Switzerland (DACHSER Spedition AG). In this context, data may also be transmitted to national subsidiaries in third countries.
The legal basis for the processing of the data is art. 6, para. 1, line b) GDPR and in all other cases the protection of legitimate interests pursuant to art. 6, para. 1, line f) GDPR. For the transfer of data to a third country, the legal basis is art. 49, para. 1, line b) GDPR.
On the DACHSER website, users are given the opportunity to subscribe to DACHSER newsletters (e.g. "eLetter"). Which personal data is transmitted to DACHSER when ordering the newsletter is determined by the input mask used for this purpose.
DACHSER uses the newsletter to regularly inform customers and business partners of news regarding our services and products, current press reports, information about our brand and the content currently on our website. The newsletter can only be received by the data subject if
(1) the data subject has a valid email address and
(2) the data subject registers to receive the newsletter. For legal reasons, a confirmation email will be sent to any email address entered for the first time by a data subject for the purposes of receiving the newsletter. This is a double opt-in procedure. This confirmation email is used to check whether the owner of the email address has authorised the receipt of the newsletter as a data subject. The legal basis for sending the newsletter is art. 6, para. 1, line a) GDPR.
When registering for the newsletter, we store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace (possible) misuse of the email address of a data subject at a later time and therefore serves as legal protection for DACHSER. In the context of sending the newsletter, DACHSER will use Atrivio GmbH, Albert-Einstein-Str. 6, 87437 Kempten, Germany to collect, process, use and/or store this data for that purpose.
The personal data collected in the context of a subscription to the newsletter will be used exclusively for the following purposes:
- Sending the newsletter
- Advice and advertising
- Designing the newsletter according to requirements
- Compiling the topics of the newsletter in a way that is appropriate for your interests
Subscribers to the newsletter may also be informed by email if this is necessary for the operation of the newsletter service or for registration in this regard, such as for changes to the offer of the newsletter or for changes in technical conditions.
Consent to the storage of personal data, which the data subject has given us for the sending of the newsletter, can be revoked at any time. A link for the purpose of revoking consent can be found in each newsletter. It is also possible to de-register directly at any time by notifying DACHSER of the contact details mentioned under section 1.
Our newsletters contain 'tracking pixels'. A tracking pixel is a miniature graphic that is embedded in those emails sent in HTML format to enable log file recording and log file analysis. This enables a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, DACHSER may see if and when an email was opened by a data subject and which links in the email were accessed by data subjects.
Such personal data collected via the tracking pixels contained in the newsletters is stored and evaluated by DACHSER in order to optimise the sending of the newsletters and to better adapt the content of future newsletters to the interests of the data subject. Data subjects are entitled at any time to revoke the declaration of consent made separately for this purpose via the double opt-in procedure. After revocation, this personal data will be erased by DACHSER. A de-registration from receipt of the newsletter is automatically interpreted by DACHSER as a revocation.
This website uses cookies. Cookies are text files that are created and stored on a computer system via an Internet browser. Through the use of cookies, DACHSER can provide you with more user-friendly services that would not be possible without the cookie having been set. Cookies allow us to recognise the users of our website. For example, users of websites that employ cookies do not have to re-enter their login data each time they visit that website, because this task is taken over by the website and the cookie stored on the user's computer system.
The provider of this website uses the services of etracker GmbH from Hamburg, Germany (www.etracker.com) to analyse usage data. By default, etracker does not use cookies. If you explicitly agree to the setting of analysis cookies (statistics cookies), cookies are used that enable statistical analysis of the use of this website by its visitors as well as the display of usage-related content or advertising. Cookies are small text files that are stored by the Internet browser on the user's device. etracker cookies do not contain information that allows a user to be identified.
The data generated by etracker is processed and stored by etracker exclusively in Germany on behalf of the provider of this website and is therefore subject to strict German and European data protection laws and standards. etracker has been independently tested, certified and ePrivacyseal awarded the data protection seal of approval.
Data processing is carried out on the basis of the legal provisions of art. 6, para. 1, line f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our concern within the meaning of the GDPR (legitimate interest) is the optimisation of our online offer and our website. As the privacy of our visitors is important to us, the data that may allow a reference to an individual person, such as the IP address, login or device IDs, will be anonymised or pseudonymised as soon as possible. No other use, combination with other data or transfer to third parties takes place.
You can object to the outlined data processing at any time by clicking on the slider. The objection has no disadvantageous consequences. If no slider is displayed, the data collection is already prevented by other blocking means.
Further information on data protection with etracker can be found here.
We use the podcast hosting service Podigee from the provider Podigee GmbH, Schlesische Straße 20, 10997 Berlin, Germany. The podcasts are loaded by Podigee or transmitted via Podigee.
Use is based on our legitimate interests, i.e. interest in a safe and efficient provision, analysis and optimisation of our podcast offer in accordance with art. 6, para. 1, line f) GDPR.
Podigee processes IP addresses and device information to enable podcast downloads/replays and to determine statistical data such as listen counts. This data will be anonymised or pseudonymised by Podigee prior to being stored in the database, unless it is required to provide the podcasts.
Further information and options for objection can be found in the Podigee privacy policy: https://www.podigee.com/en/about/privacy
DACHSER offers services via the DACHSER Platform tool on its website. The core functions of the DACHSER Platform include determining freight costs online, recording transport orders and tracking shipments using Tracking & Tracing.
DACHSER assigns registrations to the DACHSER Platform, and the associated personal data required for the processing and use, to the competent entity within the DACHSER Group, generally the national branch of the national company of the requester, and exchanges this data with this competent entity. For example, registrations and the data used for registration on the DACHSER Platform on the Switzerland website (www.dachser.com/ch) are exchanged with the DACHSER national company in Switzerland (DACHSER Spedition AG). In this context, data may also be transmitted to national companies in third countries. The applications of the DACHSER Platform can be used by users with or without individual registration. Once registered, the respective national company will activate the user after successful authentication. Registered users have more "credentials" than non-registered users, i.e. registered users have access to more extensive services. The personal data that is transmitted to DACHSER is determined by the respective input screen used for registration.
The exclusive purpose of data use when using the DACHSER Platform is the provision of the aforementioned services. The legal basis for processing the data when preparing or executing contracts is Art. 6 (1) (b) GDPR and in all other cases the legal basis is the protection of legitimate interests pursuant to Art. 6 (1) (f) GDPR. For transferring data to a third country, the legal basis is Art. 49 (1) (b) GDPR.
DACHSER offers services on its website under the eLogistics tool. The core functions of the eLogistics portal include the online determination of freight costs, the recording of transport orders and the tracking of shipments by means of tracking & tracing.
DACHSER assigns eLogistics registrations and the associated personal data for processing and use to the competent authority within the DACHSER Group, generally to the national branch of the subsidiary in the country of the requester, and exchanges the data with the latter. For example, registrations and the data used for registration for eLogistics on the website for Switzerland (www.dachser.com/ch) are therefore exchanged with the DACHSER national subsidiary in Switzerland (DACHSER Spedition AG). In this context, data may also be transmitted to national subsidiaries in third countries. The eLogistics applications can be used by users without or with individual registration. In the event of registration, the respective national subsidiary activates the user after successful authentication. When registered, users have more "credentials" available compared to use without registration, i.e. users can access more extensive services. The personal data that is transmitted to DACHSER is determined by the respective input mask used for registration.
The purpose for which data is used when accessing the eLogistics services is exclusively the provision of the aforementioned services. The legal basis for the processing of the data is art. 6, para. 1, line b) GDPR and in all other cases the protection of legitimate interests pursuant to art. 6, para. 1, line f) GDPR. For the transfer of data to a third country, the legal basis is art. 49, para. 1, line b) GDPR.
This page uses the Google Maps mapping service. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Parent: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This allows us to display interactive maps directly on the website and allows you convenient use of the mapping function.
By visiting the website, Google receives the information that you have accessed the corresponding sub-page of our website. In addition, the data referred to in section 2 will be transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish this data to be assigned to your profile on Google, you must log out before activating the button. Google stores your data as usage profiles and uses it for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right. For more information on the purpose and scope of the data collection and its processing by the plugin provider, please refer to the provider's privacy policies.
The legal basis for the processing of your personal data using Google Maps is art. 6, para. 1, line f) GDPR. Data transmission to third countries without an adequacy decision is based on the recognised standard contractual clauses. Details can be found here and here.
For more information on handling user data, please see Google privacy policy.
On our website, we use social plugins ("plugins") from Facebook, Twitter, YouTube, Xing and LinkedIn. We use plugins in particular to enable you to share content on our website with other users of social networks or to point them to such content. You can identify the provider of the respective plugin by its logo or initial letters.
When you visit our site, we do not initially transfer any personal data to the providers of the plugins. However, if you click on the highlighted field, personal data will be transferred directly from you to the provider of the respective plugin and processed by the provider – possibly in third countries, such as the USA. After clicking on the plugin field, a new window of your browser opens and calls up the page of the provider of the respective social network. Data is transferred to the provider of the respective plugin regardless of whether you have an account with the social network of the plugin provider. If you are logged in to the plugin provider, your data collected with us will be directly assigned to your existing account with the plugin provider.
We have no influence on the type and scope of data collected and processed through the use of the plugins, nor are we aware of the full scope of the data collection, the purposes of the processing or the storage periods. According to the provider of the plugins, the transmitted data includes, among other things, information about your browser, about the websites visited and the date and time of the visit. The plugin providers process this information, for example, to create user profiles of you and to display on-demand advertising. You have the right to object to the creation of these user profiles, whereby you must contact the respective plugin provider to exercise the right to object. For further information, please refer to the Internet pages and data protection notices of the respective providers.
The legal basis for the processing of your personal data using the social plugins is art. 6, para. 1, line f) GDPR. When using the services offered by Facebook, Twitter, YouTube and LinkedIn, data can be transferred to third countries worldwide, such as the USA. In these cases, we will ensure an adequate level of data protection in order to implement the requirements of European law. This is usually done using accepted standard contractual clauses and other suitable guarantees as appropriate.
Access to personal data is technically possible for service providers and contractual partners that we use for the operation of our websites. These third-party providers are obliged to use your personal data only to provide the services we request or otherwise in accordance with our instructions.
For the purposes specified in this privacy policy, DACHSER will transfer your personal data within the DACHSER Group and pass it on to the respective national subsidiaries. DACHSER companies are also located outside the European Union or the European Economic Area. DACHSER is responsible for informing you about your rights as a data subject within the framework of the applicable data protection laws. You can direct your enquiries and complaints regarding your personal data to DACHSER. The other DACHSER companies within the DACHSER Group, which also process your personal data, work with us and support us in responding to such requests or complaints.
Apart from the above data transfers, we will not transmit, sell or market your personal data to third parties, such as other companies or organizations, unless you have given your express consent to this, or the transfer is necessary to fulfil our contractual obligations to you, the user of the website.
The criterion for the duration of the storage of personal data is the respective legal retention period. After the expiry of the period we routinely erase the relevant data, provided that it is no longer required for the fulfilment of the contract or the initiation of the contract.
If the purpose of storage lapses or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be routinely blocked or erased in accordance with the statutory provisions.
As a data subject, you are entitled to the rights set out in articles 15–21 GDPR against DACHSER if the conditions set out therein are met. These are the rights to information (art. 15 GDPR), rectification (art. 16 GDPR), erasure (art. 17 GDPR), restriction of processing (art. 18 GDPR), data portability (art. 20 GDPR) and the right to object (arts. 21 and 22 GDPR). Apart from this, you have the right to lodge a complaint with the supervisory authority pursuant to art. 77 GDPR.
Google Ads allows us to display ads in the Google search engine when users enter certain search terms on Google (keyword targeting). Google Ads is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use Google Ads to measure the number of visits that have come to our website through the display of ads in Google Search and to evaluate which search terms have led to the placement of our ads. Conversion tracking is done exclusively using the cookie-free web analysis tool etracker, which only collects statistical data. We do not use the remarketing function and you will not receive any further advertising from us after visiting our website. The legal basis for this data processing is our legitimate interest in optimising our online offer and our marketing measures. You can object to the aforementioned data processing at any time.
Provided that voluntary consent, which can be revoked at any time, has been given, we use the "Video Cloud" service of Brightcove Inc., 290 Congress Street, Boston, MA 02142, USA ("Brightcove") on some websites to provide and play videos. Brightcove hosts the videos and also provides the player that is embedded with videos on our website. During the connection to Brightcove's servers (when you watch embedded videos on the website), the provider uses cookies and collects device-related data.
Brightcove technologies are used, among other things, to present you with DACHSER videos that match the theme of the relevant websites. In addition, Brightcove Analytics makes it possible to analyse user access to the video content provided in order to improve the attractiveness and functionality of the website. To this end, Brightcove uses cookies and collects device-related data (e.g. browser information), including the IP addresses of users who access the video content provided. They are immediately saved after retrieval in a pseudonymised and non-personalised form. Brightcove does not store any personally identifiable information about users.
You can find Brightcove's privacy policy here: https://www.brightcove.com/en/legal/privacy/
The legal basis for the use of Brightcove Analytics is consent pursuant to Art. 6 (1) sentence 1 lit. a of the German Data Protection Act (DSGVO). You can object to the use of the service via the "Privacy Settings" without losing any of the basic functionalities of the website.
We have taken the necessary precautions pursuant to Art. 44 et seq. GDPR to ensure an adequate level of data protection in the recipient country.
The “Google Tag Manager (GTM)” of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), enables us to manage JavaScript and HTML tags for tracking and analysis with our own and third-party software. Tags are small code elements that help us measure traffic and visitor behaviour, understand the impact of our advertising, set up remarketing and targeting, and test and optimize our website. GTM is just an auxiliary service that facilitates the integration and management of our tags via an interface. GTM only implements tags, which means that it does not use its own cookies (in an empty state) and does not collect any personal data itself.
If deactivation has been carried out at domain or cookie level, it will remain in place for all tracking tags if they are implemented with Google Tag Manager. These processing operations are only carried out if express consent is given in accordance with Art. 6 para. 1 lit. a) GDPR. If you consent to the Advertising category in the cookie consent banner, we reserve the right to use Google Tag Manager for conversion tracking for our Google Ads campaigns. The Google Tag Manager GTM is only an auxiliary service that does not use its own cookies and does not collect any personal data itself.
Further information on Google Tag Manager and Google's privacy policy can be found at https://policies.google.com/privacy?hl=en and https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.
Data protection notice for the business relationship
1. Definitions
The DACHSER Ireland Limited data protection declaration applies the terminology used by the European regulator with the issuance of the General Data Protection Regulation (GDPR). Please refer to the definition of terms in Article 4 of GDPR. GDPR can be accessed here.
2. Name and address of the controller and of the data protection officer
For the purposes of GDPR, other applicable regulations in member states of the European Union, and other regulations pertaining to data protection, the controller is:
DACHSER Ireland Limited, Blackchurch Business Park, Rathcoole, Co. Dublin, D24 C796, Ireland, Tel.: +35 1 4013333, E-mail: data-protection.ireland@dachser.com, Website: www.dachser.ie
3. General information about data processing
3.1 Scope of processing of personal data
We generally collect and process our business partners’ personal data only insofar as this is necessary for the purposes of entering into a contract or executing our orders and contracts. Once our contractual responsibilities have been met, we process data only after consent has been given. The exception is when consent cannot be obtained in advance for practical reasons, or when legislation permits or requires that data be processed.
3.2. Handling of personal data
The collection, processing, or use of personal data is generally prohibited, unless a legal standard explicitly permits such data handling. According to GDPR, personal data may generally be collected, processed, or used:
when a contractual relationship already exists with the data subject.
as part of entering into or performing a contract with the data subject.
if and to the extent that the data subject has given consent.
3.3 Legal basis for the processing of personal data
To the extent we obtain consent from the data subject for processing their personal data, the legal basis is Article 6 Paragraph 1a of GDPR.
Whenever the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is Article 6 Paragraph 1b of GDPR. This is also true for processing operations when taking steps prior to entering into a contract.
To the extent that processing is necessary for compliance with a legal obligation to which our company is subject, the legal basis is Article 6 Paragraph 1c of GDPR.
To the extent that processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party, and that the interests or fundamental rights and freedoms of the data subject do not override the aforementioned interest, the legal basis for that processing is Article 6 Paragraph 1f of GDPR.
3.4. Categories of affected persons and their data
To carry out business activities and fulfill all related obligations, the following data categories are present to the extent necessary:
Customer data and contacts, as well as data provided by customers on their customers to the extent necessary for order processing and customer service.
Data from service providers, suppliers, and their contacts to the extent necessary for order processing on behalf of customers, service providers, and suppliers.
When using personal data and determining the amount of data to collect, the following are observed: the basic principles of informational self-determination; other data protection standards, particularly the principles of preventive prohibition, of limitation of purpose, of transparency, and of obligations to inform and notify; the basic principles of data avoidance and data minimization; and the rights to rectification, blocking, erasure, and objection.
Personal data is collected and processed to the extent permissible under law. Account is taken of the special conditions for collecting and processing sensitive data in accordance with Article 9 Paragraph 1 of GDPR. Only such information may generally be processed and used as is necessary for performing operational tasks and is related directly to the purposes of the processing.
In the event that other parties request information concerning data subjects, this will be passed on without the data subject’s consent only when there is either a legal obligation to do so or the company has a justificatory, legitimate interest in passing the information on and the identity of the requesting party is beyond doubt.
3.5 Recipients of personal data
Only in the context of fulfilling the logistics service you commissioned is personal data transferred to involved third parties such as subsidiaries, partners, or subcontractors. Personal data concerning people involved in the logistics service may also be transferred to the party commissioning the logistics service (e.g. proof of delivery).
Above all, we will not sell your personal data to third parties nor market it in any other way.
3.6 Data transfer to third countries
Data is transferred to third countries exclusively to fulfill commissioned logistics services. In the spirit of data minimization, only the data required for the purposes of sending and delivering goods to the customer’s customers is transferred to national and international DACHSER Group companies and external service providers. Data transfer to a third country that does not have an appropriate level of data protection is permitted for the purposes of fulfilling a contract between the data subjects and the unit responsible for processing, provided the data transfer is necessary for the performance of the contract.
3.7 External service providers / order processing / maintenance
To the extent necessary, agreements with external service providers are in place in accordance with Article 28 of GDPR or with the EU standard contractual clauses.
3.8 IT Security concept
In recognition of the fundamental importance of information security, and besides the raft of technical and organizational measures already taken, DACHSER has also put relevant guidelines in place.
The DACHSER IT Center’s information security management system (ISMS) has been ISO 27001 certified since 2011.
3.9 Erasure of data and duration of storage
A data subject’s personal data is erased or blocked as soon as there is no longer a reason to store it. In addition, data may be stored if European or national legislators have provided for this in Union regulations, laws, or other legislation to which the controller is subject. Data will also be blocked or erased once a storage period specified in the aforementioned legislation ends, unless there is a need to continue to store the data in order to enter into or perform a contract.
4. Rights of the data subject
If your personal data is processed, you are a data subject for the purposes of GDPR and you have the following rights with regard to the controller:
4.1 Right of access
You can obtain from the controller confirmation as to whether or not we are processing personal data concerning you.
Where that is the case, you can obtain access to information from the controller about the following:
the purposes of the processing of the personal data;
the categories of personal data being processed;
the recipients or categories of recipient to whom the personal data concerning you have been or will be disclosed;
the envisaged period for which the personal data concerning you will be stored, or, if it is not possible to provide specific information, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data concerning you, and of the right to request restriction of processing of personal data concerning you or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information as to the source of the data, where the personal data is not collected from the data subject;
the existence of automated decision-making, including profiling, referred to in Article 22 Paragraphs 1 and 4 of GDPR and, at least in those cases, meaningful information about
the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to know whether personal data concerning you is transferred to a third country or to an international organization. In this context, you can obtain information on the appropriate safeguards in accordance with Article 46 relating to the transfer.
4.2 Right to rectification
To the extent that personal data concerning you is incorrect or incomplete, you have the right to obtain rectification or completion of the data from the controller. The controller must rectify the data without undue delay.
4.3 Right to restriction of processing
Where the following conditions apply, you can obtain restriction of processing of personal data concerning you from the controller:
you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise, or defense of legal claims; or
you have objected to processing in accordance with Article 21 Paragraph 1 of GDPR pending verification whether the legitimate grounds of the controller override yours.
Where processing of personal data concerning you has been restricted, this data may, with the exception of storage, be processed only with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a member state.
If data processing was restricted in line with the abovementioned conditions, you will be informed by the controller before the restriction of processing is lifted.
4.4 Right to erasure
4.4.1 Duty to erase
You can demand that the controller erases personal data concerning you without undue delay, and the controller is obligated to erase this data without undue delay where one of the following grounds applies:
the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
you withdraw your consent on which the processing is based in accordance with Article 6 Paragraph 1a or Article 9 Paragraph 2a of GDPR, and there is no other legal ground for the processing;
you object to the processing in accordance with Article 21 Paragraph 1 of GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Article 21 Paragraph 2 of GDPR;
the personal data concerning you has been unlawfully processed;
the personal data concerning you has to be erased for compliance with a legal obligation in Union or member state law to which the controller is subject;
the personal data concerning you was collected in relation to the offer of information society services referred to in Article 8 Paragraph 1 of GDPR.
4.4.2 Informing third parties
Where the controller has made the personal data concerning you public and is obligated in accordance with Article 17 Paragraph 1 of GDPR to erase that data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers processing the personal data that as the data subject you have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
4.4.3 Exceptions
There is no right to erasure to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation that requires processing by Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Article 9 Paragraph 2h and 2i as well as Article 9 Paragraph 3 of GDPR;
for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes in accordance with Article 89 Paragraph 1 of GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise, or defense of legal claims.
4.5 Right to be informed
If you have exercised your right to rectification, erasure, or restriction of processing with regard to the controller, the controller is obligated to communicate any rectification or erasure of personal data concerning you or restriction of its processing to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request information about the recipients from the controller.
4.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, where:
the processing is based on consent in accordance with Article 6 Paragraph 1a of GDPR or Article 9 Paragraph 2a of GDPR or on a contract in accordance with Article 6 Paragraph 1b of GDPR; and
the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4.7 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Article 6 Paragraph 1e or 1f of GDPR, including profiling based on those provisions.
The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or the processing is for the establishment, exercise, or defense of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you can exercise your right to object by automated means using technical specifications.
4.8 Right to withdraw data protection declaration of consent
You have the right to withdraw your data protection declaration of consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.9 Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
is necessary for entering into, or performance of, a contract between you and the controller;
is authorized by Union or member state law to which the controller is subject and that also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests; or
is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9 Paragraph 1 of GDPR, unless Article 9 Paragraph 2a or 2g of GDPR applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.
In relation to the cases referred to in points (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.
4.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Article 78 of GDPR.