Data protection and data security for our contractual partners/members and for consumers are a top priority for DLG e.V. and DLG Service GmbH. That is why the protection of your personal data is very important to us and a matter of particular concern.

We collect, store and use your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR). In this statement, we would like to inform you about the types of data we process, the purposes for which we do so, and the rights you are entitled to.

DLG e.V. and DLG Service GmbH work closely together in this regard. The two companies have jointly determined the processing of your data. They are therefore jointly responsible for the protection of your personal data in all the work processes described below.

 Table of Contents

I. Name and address of the data controllers
II. Contact details of the data protection officer
III. Provision of the website and creation of log files
IV. Use of cookies
V. Email contact
VI. Applications via email and the careers page
VII. Company profiles
VIII. Use of company profiles on professional networks
IX. Hosting
X. Plugins used
XI. Newsletter
XII. Rights of the data subject

I. Joint controllers within the meaning of Article 26 of the GDPR:

 

Managing Director: Dr Lothar Hövelmann / Authorised Managing Directors: Tobias Eichberg, Jens Kremer
DLG e.V.: Register of Associations, Frankfurt am Main – Registration No.: 5030, VAT No.: DE114234905
DLG Service GmbH: HRB 90872, VAT No.: DE277385289

The contracting parties have divided the tasks between themselves as follows:

Each contracting party shall also ensure the lawfulness of the data processing it carries out in accordance with Article 6(1) of the GDPR, as well as compliance with the information obligations under Articles 13 and 14 of the GDPR.

Data subjects may exercise their data protection rights with both DLG e.V. and DLG Service GmbH.

II. Contact details of the Data Protection Officer

We reserve the right to make changes to this privacy policy at any time. The privacy policy is updated regularly and all changes are automatically published on our website.

III. Provision of the website and creation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

• Information about the browser type and version used
• The user’s operating system
• The user’s internet service provider
• Date and time of access
• Websites from which the user’s system accessed our website
• Websites accessed by the user’s system via our website
• Search terms used to find our site

This data is stored in our system’s log files.

2. Purpose of data processing

The primary processing of personal data takes place to establish a connection between your device and our website. The data is stored in log files to ensure the website functions properly. We also use the data to optimise the website and to ensure the security of our IT systems. The data is not analysed for marketing purposes in this context. These purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) of the GDPR.

3. Legal basis for data processing

The legal basis for the temporary storage of the data is Article 6(1)(f) of the GDPR.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case once the respective session has ended.

5. Right to object and right to erasure

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Consequently, the user has no right to object.

IV. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the web browser or by the web browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string of characters that enables the browser to be uniquely identified when the website is visited again.

We use cookies to make our website more user-friendly. Some elements of our website require that the browser accessing the site can be identified even after a page change.

We also use cookies on our website that enable us to analyse users’ browsing behaviour.

This allows us to track the frequency of page views and movement on our website. You can find more information on this in the ‘Plugins’ section.

2. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be provided without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change.

Analytical cookies are used for marketing and statistical purposes. These cookies tell us how the website is used, enabling us to continuously optimise our offering. This helps us improve the quality of our website and its content.

3. Legal basis for data processing

The legal basis for the processing of personal data using technically non-essential cookies is Article 6(1)(a) of the GDPR.

The legal basis for the processing of personal data using technically necessary cookies is Article 6(1)(f) of the GDPR.

4. Duration of storage, right to object and option to delete

Cookies are stored on the user’s computer and transmitted from there to our site. As a user, you therefore have full control over the use of cookies. By changing the settings in your web browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all of the website’s functions to their full extent.

If you are using Safari version 12.1 or later, cookies are automatically deleted after seven days. This also applies to opt-out cookies set to prevent tracking.

V. Email & telephone contact | Contact form

1. Description and scope of data processing

On our website, you can contact us via the email addresses and telephone numbers provided or via the contact form. In this case, the personal data transmitted by the user will be stored. The data will be used exclusively for the purpose of processing the conversation.

The following personal data is regularly processed in this context:

• Surname
• First name
• Academic title
• Time and date of contact
• Reason for contact and other content data
• Email address
• Telephone number (including extension)
• Company and legal form
• Industry
• Details specifying the sector and activity (e.g. agricultural business, livestock farming, politics, role within the company, etc.)

2. Purpose of data processing

In the event of contact being made by email or telephone, this also constitutes the necessary legitimate interest in the processing of the data.

3. Legal basis for data processing

Where the user has given consent, the legal basis for data processing is Article 6(1)(a) of the GDPR.

The legal basis for processing data transmitted in the course of sending an email is Article 6(1)(f) of the GDPR.

If the email contact is aimed at concluding a contract, the additional legal basis for processing is Article 6(1)(b) of the GDPR.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent by email, this is the case when the relevant conversation with the user has ended. The conversation is deemed to have ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved.

5. Right to object and right to erasure

The user has the right to withdraw their consent to the processing of personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. To do so, please send us a written request to object to the storage of your data to the contact details provided above. In this case, all personal data stored in the course of establishing contact will be deleted.

VI. Applications via email and the careers page

Our website contains a link to our careers page. When you click on the ‘Job Vacancies’ tab, our careers page www.dlg.org/de/ueber-uns/stellenangebote opens. We collect your first name and surname, your email address, your title, academic qualifications, telephone number and the data you have provided in your CV or cover letter. The processing of personal data serves solely to process your application. The legal basis for the processing of your data is the initiation of a contractual relationship at the request of the data subject, Article 6(1)(b) of the GDPR and Section 26(1) of the BDSG. Once the application process has been completed, the data will be stored for up to six months. Your data will be deleted no later than six months after this period. In the event of a legal obligation, the data will be stored in accordance with the applicable provisions. As an applicant, you have the right to object to the processing of your personal data at any time. To do so, simply send us a written request for the deletion of your personal data to the contact details provided above. All personal data stored in the course of electronic applications will then be deleted once the retention periods have expired.

VII. Company Presence

The controllers of corporate social media accounts. These include, for example,

• Instagram: Instagram, Part of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
• Facebook (Meta): Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Dock, Dublin, D02 X525, Ireland.
• Twitter: Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
• YouTube: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

On our corporate websites, we provide information and offer users the opportunity to communicate. If you carry out an action on our corporate website (e.g. comments, posts, likes, etc.), you may thereby make personal data (e.g. your real name or user profile photo) public. However, as we generally have little or no influence over the processing of your personal data by the companies jointly responsible for the corporate presence, we cannot provide any binding information regarding the purpose and scope of the processing of your data.

Our corporate presence on social media is used for communication, the exchange of information and the presentation of our company to (potential) customers, interested parties and applicants. In this context, posts on our corporate presence may contain the following content:

• Information about services
• Contact details
• News

Users are free to publish personal data through their activities. Further information on data processing can be found in the specific privacy policy of the respective corporate presence.

The legal basis for data processing is Article 6(1)(a) of the GDPR.

You may object to the processing of your personal data collected in connection with your use of our company websites at any time and exercise your rights as a data subject as outlined above. Please send us an informal email to this effect.

For further information on the processing of your personal data by Instagram, Facebook, Twitter and YouTube, and the corresponding options for objecting, please see here:

• Instagram: https://help.instagram.com/519522125107875
• Facebook: https://de-de.facebook.com/policy.php
• Twitter: https://twitter.com/de/privacy
• YouTube: https://policies.google.com/privacy?hl=de&gl=de#infocollect

VIII. Use of company profiles on professional networks

1. Scope of data processing

We make use of company profiles on professional networking sites. We maintain a company profile on the following professional networking sites:

• XING, XING SE, Dammtorstraße 30, 20354 Hamburg, Germany
• LinkedIn: LinkedIn, Unlimited Company, Wilton Place, Dublin 2, Ireland

On our page, we provide information and offer users the opportunity to communicate. The company profile is used for job applications, information/PR and active sourcing.

We do not have any information regarding the processing of your personal data by the companies jointly responsible for the corporate profile. Further information on this can be found in the privacy policy of

XING: https://privacy.xing.com/de/datenschutzerklaerung
LinkedIn: https://www.linkedin.com/legal/privacy-policy

If you carry out an action on our company profile (e.g. comments, posts, likes, etc.), you may thereby make personal data (e.g. your real name or photo from your user profile) public.

2. Purpose of data processing

Our company page serves to inform users about our services. In doing so, every user is free to publish personal data through their activities.

3. Legal basis for data processing

The legal basis for the processing of your data in connection with the use of our company website is Article 6(1)(f) of the GDPR.

4. Duration of storage

We store your activities and personal data published via our corporate website until you withdraw your consent. Furthermore, we comply with the statutory retention periods.

5. Right to object and right to erasure

You may object at any time to the processing of your personal data that we collect in connection with your use of our website and exercise your data subject rights as set out in Section XII of this privacy policy. To do so, please send us an informal email to the email address provided in this privacy policy.

IX. Hosting

The website is hosted on servers by a service provider commissioned by us.

Our service provider is
medianet elektronische Kommunikation & Marketing GmbH
Humboldtstraße 65
60318 Frankfurt am Main
Tel. +49 69 – 2740160

The website server is physically located in Germany. The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website.

The information stored is:

• Browser type and browser version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Date and time of the server request
• IP address

This data is collected on the basis of Article 6(1)(f) of the GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – for this purpose, the server log files must be recorded.

X. Plugins used

We use plugins for various purposes. The plugins used are listed below:

Use of Facebook Pixel

1. Scope of processing of personal data

We use the Facebook Pixel on our website, provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and its representative in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal H, D2 Dublin, Ireland (hereinafter referred to as ‘Facebook’). This enables us to track users’ actions after they have viewed or clicked on a Facebook advertisement. As a result, personal data may be stored and analysed, in particular the user’s activity (specifically which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and operating system), data on the advertisements displayed (in particular which advertisements were shown and whether the user clicked on them), and also data from advertising partners (in particular pseudonymised user IDs). This enables us to measure the effectiveness of Facebook advertisements for statistical and market research purposes.

In doing so, data may be transferred to Facebook’s servers in the USA.

The data collected in this way is anonymous to us, meaning we do not see the personal data of individual users. However, this data is stored and processed by Facebook. Facebook may link this data to your Facebook account and also use it for its own advertising purposes, in accordance with Facebook’s Data Use Policy.

Further information on the processing of data by Facebook can be found here: https://de-de.facebook.com/policy.php

2. Purpose of data processing

The Facebook Pixel is used to analyse and optimise advertising campaigns.

3. Legal basis for the processing of personal data

The legal basis for the processing of users’ personal data is, in principle, the user’s consent in accordance with Article 6(1)(a) of the GDPR. To ensure appropriate safeguards for the protection of the transfer and processing of personal data outside the EU, data is transferred to and processed by Instagram on the basis of appropriate safeguards in accordance with Article 46 et seq. of the GDPR, in particular through the conclusion of so-called standard data protection clauses in accordance with Article 46(2)(c) of the GDPR.

4. Duration of storage

Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.

5. Right to withdraw consent and right to erasure

You have the right to withdraw your consent under data protection law at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

You can prevent the collection and processing of your personal data by Facebook by blocking the storage of third-party cookies on your computer, using the ‘Do Not Track’ function of a compatible browser, disabling the execution of script code in your browser, or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

Further information on options for objecting to and removing data from Facebook can be found at: de-de.facebook.com/policy.php

6. Risk notice

Your personal data is also transferred to the USA. There is no adequacy decision for the USA pursuant to Article 45(3) of the GDPR. Furthermore, there are no appropriate safeguards pursuant to Article 46 of the GDPR. We would like to draw your attention to the fact that data transfers without an adequacy decision and without appropriate safeguards entail certain risks, which we would like to highlight below:

US intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence agencies have already collected information about you which could be used to trace the data transferred here back to you.

Providers of electronic communications services headquartered in the USA are subject to surveillance by US intelligence agencies pursuant to 50 U.S. Code § 1881a (“FISA 702”). Accordingly, providers of electronic communications services headquartered in the USA are obliged to make personal data available to the US authorities in accordance with 50 U.S. Code § 1881a. Even encryption of the data in the electronic communications service provider’s data centres cannot offer adequate protection, as an electronic communications service provider has a direct obligation to grant access to or hand over imported data that is in its possession, custody or under its control. This obligation may also expressly extend to the cryptographic keys without which the data cannot be read.

The fact that this is not merely a ‘theoretical risk’ is demonstrated by the judgment of the ECJ of 16 July 2020, C‑311/18.

Use of Google (Universal) Analytics

1. Scope of the processing of personal data

We use Google Analytics, a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as ‘Google’).

Google Analytics analyses, amongst other things, the origin of visitors, the length of time they spend on individual pages and the use of search engines, thereby enabling better monitoring of the success of advertising campaigns. In doing so, Google places a cookie on your computer. This allows personal data to be stored and analysed, including the

• user activity (in particular, which pages have been visited and which elements have been clicked on),
• device and browser information (in particular the IP address and the operating system),
• data on the advertisements displayed (in particular which advertisements were shown and whether the user clicked on them) and
• data from advertising partners (in particular pseudonymised user IDs).

We have enabled IP anonymisation on this website. This prevents the personal reference of the information generated by the cookie regarding your use of this website from being transmitted to Google servers in the USA and stored there.

On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by adjusting your browser settings accordingly; however, we would like to point out that in this case you may not be able to use all the functions of our website to their full extent.

Further information on the processing of data by Google can be found here: policies.google.com/privacy

2. Purpose of data processing

We use Google Analytics (Universal Analytics) to analyse the use of our website and to display targeted advertising to people who have already shown an initial interest by visiting our site.

3. Legal basis for the processing of personal data

The legal basis for the processing of users’ personal data is, in principle, the user’s consent in accordance with Article 6(1)(a) of the GDPR.

The legal basis for the transfer of your personal data to the United States of America is Article 49(1)(a) of the GDPR.

If you consent to the use of Google Analytics, it cannot be ruled out that your personal data may not remain within the EU or the EEA. In this respect, your personal data may be processed on servers in the United States of America, whose level of data protection has been recognised by the European Union as not being adequate. To ensure appropriate safeguards for the protection of the transfer and processing of your personal data, which may be processed on servers in the United States of America and may therefore be subject to requests from US security authorities, the transfer of data to Google takes place on the basis of appropriate safeguards in accordance with Article 46 et seq. GDPR, in particular through the conclusion of so-called standard data protection clauses pursuant to Article 46(2)(c) GDPR. A copy of the appropriate safeguards may be requested by sending an informal enquiry to the contact details provided above.

Due to the transfer and processing of your personal data in the USA, there is a possibility that US authorities, intelligence services or the government may gain full access to the transferred data. The scope, purpose and duration of this processing by the aforementioned bodies are then beyond your control. It is highly likely that your rights under the GDPR will no longer be safeguarded or that you will be unable to exercise them.

4. Duration of storage

Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law. Advertising data in server logs is anonymised by Google, which states that it deletes parts of the IP address and cookie information after 9 or 18 months.

5. Right to withdraw consent and request erasure

You have the right to withdraw your consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing carried out on the basis of your consent prior to withdrawal.

You can prevent the collection and processing of your personal data by Google by blocking the storage of third-party cookies on your computer, using the ‘Do Not Track’ function of a compatible browser, disabling the execution of script code in your browser, or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

You can also prevent the collection of data generated by the cookie and relating to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=de

You can use the following link to disable the use of your personal data by Google: https://adssettings.google.de

Further information on options for objecting to and removing data from Google can be found at: https://policies.google.com/privacy?gl=DE&hl=de

6. Risk notice

Your personal data is also transferred to the USA. There is no adequacy decision for the USA pursuant to Article 45(3) of the GDPR. Furthermore, there are no appropriate safeguards pursuant to Article 46 of the GDPR. We would like to draw your attention to the fact that data transfer without an adequacy decision and without appropriate safeguards entails certain risks, which we would like to highlight below:

US intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence agencies have already collected information about you which could be used to trace the data transferred here back to you.

Providers of electronic communications services headquartered in the USA are subject to surveillance by US intelligence agencies pursuant to 50 U.S. Code § 1881a (“FISA 702”). Accordingly, providers of electronic communications services headquartered in the USA are obliged to make personal data available to the US authorities in accordance with 50 U.S. Code § 1881a. Even encryption of the data in the electronic communications service provider’s data centres cannot offer adequate protection, as an electronic communications service provider has a direct obligation to grant access to or hand over imported data that is in its possession, custody or under its control. This obligation may also expressly extend to the cryptographic keys without which the data cannot be read.

The fact that this is not merely a ‘theoretical risk’ is demonstrated by the judgment of the ECJ of 16 July 2020, C‑311/18.

Use of Datawrapper

1. Scope of the processing of personal data

We use Datawrapper (Datawrapper GmbH, Raumerstraße 39, 10437 Berlin) to create interactive charts from statistics. We do not record any personal data and do not carry out any tracking. For embedding and display, it is necessary to transmit the IP address to a CDN (which is not stored but only used to provide the service), as well as a cookie set by the CDN.

2. Purpose of data processing

The transmission of the IP address and the setting of the cookie serve to significantly improve the website’s response speed and user experience.

3. Legal basis for the processing of personal data

The legal basis for the processing of your data in connection with the use of Datawrapper is a legitimate business interest pursuant to Article 6(1)(f) of the GDPR.

4. Duration of storage

The data is required solely for the technical implementation of the embedding and is deleted from all systems after a maximum of 24 hours.

5. Right to withdraw consent and right to erasure

You have the right to withdraw your consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.

Further information on data protection at Datawrapper is available here:

https://www.datawrapper.de/privacy

XI. Newsletter

1. Description and scope of data processing

On our website, you have the option to subscribe to a free newsletter. When you register for the newsletter, your company name, first name and surname, your business or home address, and your email address are transmitted to us via the input form.

In connection with the data processing required for sending newsletters, the data is passed on to the service provider:

Inxmail GmbH
Wentzingerstr. 17
79106 Freiburg/GERMANY

Sales and support via:

crm consults GmbH
Felsweg 14
35435 Wettenberg

2. Purpose of data processing

The collection of the user’s email address serves to deliver the newsletter.

3. Legal basis for data processing

The legal basis for processing the data following the user’s subscription to the newsletter is Article 6(1)(a) of the GDPR, provided the user has given their consent.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. The user’s email address will therefore be stored for as long as the newsletter subscription remains active.

5. Right to withdraw consent and right to erasure

The user concerned may cancel their subscription to the newsletter at any time. A link for this purpose is provided in every newsletter.

XII. Rights of data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access

You may request confirmation from the controller as to whether personal data concerning you is being processed by them. If such processing is taking place, you may request the following information from the controller:

• the purposes for which the personal data is processed;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the envisaged period for which the personal data concerning you will be stored, or, if this is not possible, the criteria used to determine that period;
• the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
• the existence of a right to lodge a complaint with a supervisory authority;
• any available information as to the source of the data, where the personal data are not collected from the data subject;
• the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification

You have the right to request from the controller the rectification and/or completion of your personal data if the personal data concerning you is inaccurate or incomplete. The controller must carry out the rectification without undue delay.

3. Right to restriction of processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
• the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

Where the processing of your personal data has been restricted, such data – apart from storage – may only be processed with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or of a Member State. If the restriction of processing has been imposed in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to erase

You may request that the controller erases personal data concerning you without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
• The personal data concerning you has been processed unlawfully.
• The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

b) Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, the controller shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers who process the personal data that you, as the data subject, have requested the erasure of all links to such personal data or of copies or replications of such personal data.

c) Exceptions

The right to erasure does not apply where the processing is necessary

• for the exercise of the right to freedom of expression and information.
• to comply with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
• for the establishment, exercise or defence of legal claims.

5. Right to information

If you have exercised your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the controller of these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and
• the processing is carried out by automated means.
• In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other individuals must not be adversely affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

8. Right to withdraw consent

You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

9. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

This does not apply if the decision

• is necessary for the conclusion or performance of a contract between you and the controller,
• is authorised by Union or Member State law to which the controller is subject, and that law provides for appropriate measures to safeguard your rights and freedoms and your legitimate interests; or
• is based on your explicit consent.

However, such decisions must not be based on special categories of personal data as referred to in Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in points 1 and 3, the controller shall take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

The supervisory authority responsible for the controllers is

Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Telephone: 0611-1408 0
Email: [email protected]