Pricacy policy

Last update: 16 October 2019

1. Name and address of the responsible person

The person responsible within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states of the European Union as well as other data protection regulations:

Katharina Fehring Kallivoka
Grizata
28080 Sami / Kefalonia
Griechenland

Contact

2. General information on data processing

2.1. Scope of processing of personal data

We only process personal data of our users if this is necessary to provide a functional website as well as our contents. The processing of personal data of our users takes place regularly only after consent of the user. An exception applies in those cases where prior consent cannot be obtained for effective reasons and processing of the data is permitted by law.

2.2.Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6(1)a GDPR serves as the legal basis.

In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6(1)b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre‐contractual measures.

As far as a processing of personal data is necessary for the fulfilment of a legal obligation to which we are subject, Art. 6(1)c GDPR serves as legal basis.

If processing is necessary to maintain a legitimate interest on our part or that of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6(1)f GDPR serves as the legal basis for processing.

2.3. Data erasure and storage time

The personal data of the person affected will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.

2.4. Types of processed data

  • Personal data (e.g. names, addresses)
  • Content data (e.g. text input, pictures, videos)
  • Contact data (e.g. email, telephone number)
  • Meta/Communication data (e.g. device information, IP addresses)
  • Usage data (e.g. visited websites, interest in contents, access times)
  • Contract data (e.g. bank details, invoices, payment history)

2.5. Categories of persons affected

  • Business and contractual partners
  • Prosepective custmers
  • Communication partners
  • Customers
  • Visitors and users of this website

2.6. Purpose of processing

  • Office and organisational procedures
  • Provision of my websites and online services
  • Contact requests and communication
  • Usage analytics (e.g. access statistics)
  • Security measures
  • Contractual services and performances
  • Managing of and responding to inquiries

2.7. Safety precautions

In accordance with Art. 32 GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the current state of technology, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons.

2.8. Cooperation with contract data processors and third parties

If, in the course of our data processing, we disclose personal data to other persons and companies (contract data processors or third parties), transfer them to them or otherwise grant them access to the personal data, this will only take place on the basis of a legal permission pursuant to Art. 6(1)b GDPR, your consent pursuant to Art. 6(1)a GDPR, a legal obligation pursuant to Art. 6(1)c GDPR or on the basis of our legitimate interest pursuant toArt. 6(1)f GDPR.

If third parties are commissioned by us with the processing of personal data, this is done on the basis of Art. 28 GDPR within the framework of a contract on data processing.

3. Providing our website

3.1. Description and scope of data processing

Every time you visit our website, our systems automatically collect data and information from the computer system of the calling user. The following data is processed:

3.2. Legal basis for the data processing

The legal basis for the temporary storage of data is Art. 6(1)f GDPR.

3.3. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the web pages to the user’s computer. For this the IP address of the user must remain stored for the duration of the session. These purposes are also our legitimate interest in data processing according to Art. 6(1)f GDPR.

3.4. Storage duration

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

3.5. Possibility of objection and elimination

The processing of data for the provision of the website is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

4. Creation of log files

4.1. Description and scope of the data processing

By simply requesting this website no log files are created, but there will be an analysis of the request via Matomo, which you can object here. If you use the contact form and the script behind it suspects your actions as a spam attempt, your current IP address will be logged for 7 days. In this case you will be informed about the logging. Further information on the contact form can be found in the corresponding section.

4.2. Legal basis for the data processing

The legal basis for logging your IP address in the event of a suspected spam attempt is our legitimate interest in protecting our information technology systems in accordance with Art. 6(1)f GDPR.

4.3. Purpose of the data processing

In order to protect our information technology systems from misuse, suitable defensive measures are taken on the basis of the stored IP address. An evaluation for marketing purposes does not take place.

4.4. Storage duration

The data in the created log files will be deleted after 7 days at the latest.

4.5. Possibility of objection and elimination

Logging of security‐critical actions in log files is absolutely essential for the secure operation of our systems. Consequently, the user has no right of objection.

5. Usage of cookies

5.1. Description and scope of the data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie can contain a characteristic string of characters that enables a unique identification of the browser when the website is called up again.

The following data will be stored in the cookies and will be transferred to our website:

Cookie name Required Expiration Purpose
piwik_ignore no 2 years will be set by the Matomo instance on statistik.huessenbergnetz.de to store if you have objected to the web analysis by Matomo
MATOMO_SESSID yes until the end of the session will be set by the Matomo instance on statistik.huessenbergnetz.de when displaying the opt‐out and stores a session key to protect the form against CSRF attacks

5.2. Legal basis for the data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6(1)f GDPR. If we use optional cookies on our website, the user’s prior consent will be obtained. In this case, Art. 6(1)a GDPR is the legal basis.

5.3. Purpose of the data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our websites cannot be offered without the use of cookies. For this it is necessary that the browser is recognized even after a page change.

The user data collected by technically necessary cookies are not used to create user profiles.

The usage of cookies fo this purposes is our legitimate interest in accordance with Art. 6(1)f GDPR.

5.4. Storage duration, possibility of objection and elimination

Cookies are stored on the user’s computer and transmitted to our website. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, in particular the information banner about the cookie usage is displayed again each time it is accessed.

6. Contact form and email contact

6.1. Description and scope of the data processing

On this website contact forms are available, which can be used for electronic contact. If a user takes advantage of this possibility, the data entered in the input mask will be transmitted to us and saved. This data is:

  • name of the user
  • email address of the user
  • subject of the message
  • message text

At the time the message is sent, the following data is also stored:

  • date and time of sending

In the event of suspected misuse of the contact form (e.g. spam), the following data will also be stored:

  • IP address of the requesting system

Alternatively, it may be possible to contact us via an e‐mail address provided. In this case, the user’s personal data transmitted by e‐mail will be stored.

For the processing of data from contact forms, your consent is obtained within the scope of the sending process and reference is made to this privacy policy.

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

6.2. Legal basis for the data processing

The legal basis for the processing of the data is Art. 6(1)a GDPR, if the user has given his or her consent.

The legal basis for the processing of data transmitted in the course of sending an e‐mail is Art. 6(1)f GDPR.

6.3. Purpose of the data processing

The processing of the personal data from the input mask serves us alone for the treatment of the establishment of contact. In the event of contact by e‐mail, this also constitutes the necessary legitimate interest in the processing of the data.

6.4. Storage duration

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those that were sent by e‐mail, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

6.5. Possibility of objection and elimination

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e‐mail, he or her can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

To revoke your consent and/or to object to the storage, please simply send a corresponding request via the contact form to us.

All personal data stored in the course of contacting us will be deleted in this case.

7. Web analysis by Matomo (formerly PIWIK)

7.1. Description and scope of the data processing

On our website we use the open source software tool Matomo (formerly PIWIK) to analyse the surfing behaviour of our users. The Matomo installation used is operated by Hüssenbergnetz, Matthias Fehring, Zum Südholz 8, 34439 Willebadessen‐Eissen, Germany at statistik.huessenbergnetz.de. Privacy policy of Hüssenbergnetz: www.huessenbergnetz.de/en/privacy-policy/. There is a contract between us and Hüssenbergnetz pursuant to Art. 28 GDPR on commissioned data processing.

If details of a website are requested, the following data are stored:

  • anonymized IP address of the requesting system of the user
  • the requested website
  • the website from which the user has accessed the requested website (HTTP referer)
  • the subpages that are accessed from the accessed website
  • date and time of the request
  • duration of stay on the website
  • the frequency of visiting the website
  • the browser used, its version, language used and installed plugins
  • the operating system used and its version
  • the device used and its screen resolution
  • country and approximate city from which the request comes
  • average loading time of the accessed page

The software is configured in such a way that the IP addresses are not completely stored but masked (e.g. 144.76.0.0 instead of 144.76.81.150). In this way it is no longer possible to assign the shortened IP address to the calling computer. In addition, no cookies are used for the recognition of users.

7.2. Legal basis for the data processing

The legal basis for processing the personal data of the users of our websites is our legitimate interest in optimizing our website according to Art. 6(1)f GDPR.

7.3. Purpose of the data processing

The processing of users’ personal data enables us to analyse the surfing behaviour of our users. We are able to compile information about the use of the individual components of our website by evaluating the data obtained. This helps us to constantly improve our online offer and its user‐friendliness. For these purposes, it is also in our legitimate interest to process the data in accordance with Art. 6(1)f GDPR. By anonymizing the IP address, users’ interest in protecting their personal data is sufficiently taken into account.

7.4. Storage duration

The data will be deleted as soon as they are no longer needed for our recording purposes. This is always the case after 367 days.

7.5. Possibility of objection and elimination

Since the collected data is stored anonymized, no personal reference can be made from it. It is therefore not possible to delete specific data of individual users.

We also offer our users the possibility of an opt‐out from the analysis procedure. To do this, simply click on the corresponding box in the next section. In this way, another cookie is set which signals the Matomo installation at statistik.huessenbergnetz.de not to store the user’s data in the future. If the user deletes the corresponding cookie from his own system in the meantime, he must set the opt‐out cookie again. The opt‐out applies to all websites and online services analyzed by statistik.huessenbergnetz.de.

Alternatively, you can tell us by setting your web browser that you object to Matomo’s collection. Your browser has to send the so called “Do Not Track (DNT)” HTTP header field. You will usually find the corresponding option in the data protection settings of your browser.

7.6. Matomo‐Opt‐Out

8. Hosting

8.1. Description and scope of the data processing

We use computing power and infrastructure of Hüssenbergnetz, Matthias Fehring, Zum Südholz 8, 34439 Willebadessen‐Eissen, Germany. A contract exists between us and Hüssenbergnetz pursuant to Art. 28 GDPR on commissioned data processing. Hüssenbergnetz will have access to the same data as listed in this privacy policy.

Information on Hüssenbergnetz’s data protection can be found in the provider’s privacy policy. Information on the technical and operational measures implemented by Hüssenbergnetz in accordance with Art. 32 GDPR can be found in this PDF document.

8.2. Legal basis for the data processing

The legal basis for the processing of personal data is our legitimate interest pursuant to Art. 6(1)f GDPR in an efficient and secure provision of our website and online services.

8.3. Purpose of the data processing

The processing of personal data by Hüssenbergnetzs enables us to provide our own website. Only the purchase of infrastructure and server services makes our website possible.

8.4. Storage duration

If Hüssenbergnetz creates log files to protect its own infrastructure and information technology systems, these will be deleted after 7 days at the latest.

8.5 Possibility of objection and elimination

The processing of data by Hüssenbergnetz is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

9. Embedded Google Maps

9.1. Description and scope of the data processing

On this website we integrate digital maps of the service "Google Maps" of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The connection to the servers of Google Maps is activated only after the interaction of the user by clicking on a preview image of the maps, above the preview image a reference to this privacy policy is displayed. Since Google Maps is an ad‐financed service, the data is processed primarily for market research and advertising purposes. Google may create user profiles based on your behaviour and the resulting interests, especially if you are logged in to Google when you visit Google Maps.

After clicking on the preview image, the user’s browser establishes a connection to Google’s servers and transmits the user’s IP address in particular. Optionally, you may already have given Google permission to query your exact location. Consent to the detection of the location is usually obtained by adjusting your browser or mobile device. The transferred data can be processed in the USA. You can find Google’s privacy policy at https://www.google.com/policies/privacy/. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

9.2. Legal basis for the data processing

The legal basis for the processing of personal data is our legitimate interest in an optimised and economic operation of our website in accordance with Art. 6(1)f GDPR.

9.3. Purpose of the data processing

The processing of personal data by Google enables us to integrate the provider’s map service directly into our website. This should allow the visitor a more comfortable use of our website and information as well as us an economic operation.

9.4. Storage duration, possibility of objection and elimination

Information on the duration of data storage by Google can be found in the provider’s privacy policy at https://www.google.com/policies/privacy/. Opt‐Out: https://adssettings.google.com/authenticated and http://www.youronlinechoices.com. Google also offers users a browser add‐on to deactivate Google Analytics in their browser: https://tools.google.com/dlpage/gaoptout.

Google also uses cookies on its sites. Cookies are stored on the user’s computer and transmitted to Google. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

In the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively directly on Google. Only Google has access to the users’ data and can take appropriate measures and provide information directly. If you still need help, please contact us.

10. Facebook page

10.1. Description and scope of the data processing

We maintain a page within the social network Facebook, operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. If you visit our Facebook page, and especially if you contact us there, Facebook will process your data for its own purposes. Since Facebook is an ad‐financed service, the data is processed primarily for market research and advertising purposes. Facebook may create user profiles based on your behaviour and the resulting interests, especially if you are logged in to Facebook when you visit our Facebook page on the platform.

Facebook can also process data outside the European Union, but as a provider certified under the Privacy Shield it has committed itself to comply with the European Union’s data protection standards. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

Further information on data processing by Facebook can be found in the provider’s privacy policy at https://www.facebook.com/about/privacy/.

We do not include content directly from Facebook on this page, nor do we automatically forward you to Facebook. You will be taken to the Facebook page via a self‐activated activation of a link from our page. You can recognize these links either by the title or the Facebook logo (f in a square).

10.2. Legal basis for the data processing

The legal basis for the processing of personal data is our legitimate interest in informing users and communicating with users pursuant to Art. 6(1)f GDPR. If Facebook users are asked for consent to data processing, the legal basis for processing is Art. 6(1)a GDPR.

10.3. Purpose of the data processing

Our presence on Facebook allows us to interact directly with our interested visitors and users on Facebook and provide them with information about us, exchange information with them and answer their questions. This is also our legitimate interest pursuant to Art. 6(1)f GDPR.

10.4. Storage duration, possibility of objection and elimination

Information on how long Facebook stores data can be found in the provider’s privacy policy at https://www.facebook.com/about/privacy/. Opt‐Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.

Facebook also uses cookies on its site. Cookies are stored on the user’s computer and transmitted to Facebook. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

In the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively directly on Facebook. Only Facebook has access to the users’ data and can take appropriate measures and provide information directly. If you still need help, please contact us.

11. TripAdvisor page

11.1. Description and scope of the data processing

We maintain a presence on the TripAdvisor travel rating portal operated by TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494, USA. If you visit our TripAdvisor site, and especially if you contact us there, TripAdvisor will process your data for its own purposes. Since TripAdvisor is an ad‐financed service, the data is processed primarily for market research and advertising purposes. TripAdvisor may create user profiles based on your behaviour and the resulting interests, especially if you are logged in to TripAdvisor when visiting our TripAdvisor page on the platform.

TripAdvisor can also process data outside the European Union. Please note that TipAdvisor has not yet been certified under the Privacy Shield (as of 8 June 2018). This can pose risks for users because, for example, it could make it more difficult to enforce users’ rights.

For more information about TripAdvisor’s data processing, please refer to the provider’s privacy policy at https://tripadvisor.mediaroom.com/UK-privacy-policy.

We do not include content directly from TripAdvisor on this page, nor do we automatically redirect you to TripAdvisor. You reach the TripAdvisor site by activating a link from our site yourself. You can recognize these links either by the label or the TripAdvisor logo.

11.2. Legal basis for the data processing

The legal basis for the processing of personal data is our legitimate interest in informing users and communicating with users pursuant to Art. 6(1)f GDPR. If TripAdvisor asks users to give their consent to the processing of data, the legal basis of the processing is Art. 6(1)a GDPR.

11.3. Purpose of the data processing

Our presence on TripAdvisor allows us to interact directly with interested parties and users on TripAdvisor and to provide them with information about us, exchange information with them and answer their questions. This is also our legitimate interest pursuant to Art. 6(1)f GDPR.

11.4. Storage duration, possibility of objection and elimination

For the duration of TripAdvisor’s data storage, please refer to the provider’s privacy policy at https://tripadvisor.mediaroom.com/UK-privacy-policy. Cookie policy: https://www.tripadvisor.co.uk/CookiePolicy, Opt‐out: http://info.evidon.com/pub_info/1201?v=1&nt=0.

TripAdvisor also uses cookies on its site. Cookies are stored on the user’s computer and transmitted to TripAdvisor. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

In the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively directly on TripAdvisor. Only TripAdvisor has access to the users’ data and can take appropriate measures and provide information directly. If you still need help, please contact us.

12. PayPal

12.1. Description and scope of the data processing

In addition to SEPA transfers and cash payments, we also offer the payment services of PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal processes your personal data (e.g. names, addresses), payment data (e.g. bank details, invoices), contract data (e.g. subject of contract), usage data (e.g. visits to websites, access times) and meta/communication data (e.g. device information, IP addresses). The data entered is only processed and stored by PayPal, so we do not receive any account-related information but only information as to whether the payment has been made. PayPal may transfer your information to credit bureaus for identity and credit checks. For further information, please refer to PayPal’s terms and conditions and privacy policy. Website: https://www.paypal.com, Privacy policy: https://www.paypal.com/ie/webapps/mpp/ua/privacy-full?locale.x=en_IE

12.2. Legal basis for the data processing

The legal basis for the processing of personal data using PayPal is contract fulfilment and pre-contractual enquiries pursuant to Art. 6(1)b GDPR as well as our legitimate interest in efficient payment processing pursuant to Art. 6(1)f GDPR.

12.3. Purpose of the data processing

The data will be processed by PayPal to fulfill our offered contractual services. The use of PayPal is optional for you.

12.4. Storage duration, possibility of objection and elimination

Information on the duration of data storage by PayPal can be found in the provider’s privacy policy at https://www.paypal.com/ie/webapps/mpp/ua/privacy-full?locale.x=en_IE.

PayPal also uses cookies on its site. Cookies are stored on the user’s computer and transmitted to PayPal. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

In the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively directly on PayPal. Only PayPal has access to the users’ data and can take appropriate measures and provide information directly. If you still need help, please contact us.

13. Airbnb

13.1. Description and scope of the data processing

We also offer our holiday apartment via the platform Airbnb. Airbnb is operated by Airbnb Ireland UC, private unlimited company, The Watermarque Building, South Lotts Road, Ringsend, Dublin 4, Ireland. If you book our holiday home through Airbnb, Airbnb will process your personal data (e.g. names, addresses), payment data (e.g. bank details, invoices), contract data (e.g. subject of contract), usage data (e.g. visits to websites, access times) and meta/communication data (e.g. device information, IP addresses). The data entered will only be processed and stored by Airbnb, so we do not receive any account-related information but only information as to whether booking and payment have been made. Under certain circumstances, Airbnb may transfer your data to credit agencies for identity and credit checks. For further information, please refer to Airbnb’s terms and conditions and privacy policy. Website: https://www.airbnb.com, Privacy policy: https://www.airbnb.ie/terms/privacy_policy, Cookie Policy: https://www.airbnb.ie/terms/cookie_policy

Airbnb may also process data outside the European Union, but as a provider certified under the Privacy Shield, Airbnb has undertaken to comply with the European Union's data protection standards. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnWzAAK

13.2. Legal basis for the data processing

The legal basis for the processing of personal data using Airbnb is contract fulfilment and pre-contractual enquiries pursuant to Art. 6(1)b GDPR as well as our justified interest in efficient marketing of our holiday home and efficient payment processing pursuant to Art. 6(1)f GDPR.

13.3. Purpose of the data processing

The data will be processed by Airbnb in order to fulfil our contractual services. The use of Airbnb is optional for you.

13.4. Storage duration, possibility of objection and elimination

Information on the duration of data storage by Airbnb can be found in the provider’s privacy policy at https://www.airbnb.ie/terms/privacy_policy.

Airbnb also uses cookies on its site. Cookies are stored on the user’s computer and transmitted to Airbnb. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. Cookie Policy: https://www.airbnb.ie/terms/cookie_policy

In the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively directly on Airbnb. Only Airbnb has access to the users’ data and can take appropriate measures and provide information directly. If you still need help, please contact us.

14. Rights of the data subjects

If your personal data is processed you are affected within the meaning of the GDPR and you have the following rights towards the person responsible:

14.1. Right to access

You have the right to request a confirmation from the person responsible as to whether personal data concerning you will be processed by us. If such processing has taken place, you can request the following information from the person responsible:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data processed;
  3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
  4. the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
  5. the existence of a right to have your personal data concerning you corrected or deleted, a right to have processing restricted by the controller or a right to object to such processing;
  6. the existence of a right of appeal to a supervisory authority;
  7. any available information on the origin of the data if the personal data are not collected from the data subject;

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.

14.2. Right to rectification

You have a right of rectification and/or completion towards the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.

14.3. Right to restriction of processing

Under the following conditions, you may request that the processing of personal data concerning you be restricted:

  1. if you dispute the accuracy of the personal data concerning you for a period of time that enables the data controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
  3. the controller no longer needs the personal data for the purposes of the processing, but you do need them to assert, exercise or defend legal claims, or
  4. if you have filed an objection to the processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of personal data concerning you has been restricted, these data may only be processed — apart from being stored — with your consent or for the purpose of asserting, exercising or defending rights or for the protection of the rights of another natural or legal person or on grounds of an important public interest of the European Union or a member state.

If processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

14.4. Right to erasure

14.4.1. Obligation to delete

You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke your consent, on which the processing was based pursuant to Art. 6(1)a GDPR or Art. 9(2)a GDPR, and there is no other legal basis for the processing.
  3. You file an objection to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection to the processing pursuant to Art. 21(2) GDPR.
  4. The personal data concerning you have been processed unlawfully.
  5. The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
14.4.2. Exceptions

The right to erasure does not exist if the processing is necessary

  1. to exercise freedom of expression and information;
  2. for the fulfilment of a legal obligation required for processing under the law of the European Union or of the Member States to which the controller is subject or for the fulfilment of a task in the public interest or in the exercise of official authority conferred on the controller;
  3. to assert, exercise or defend legal claims.

14.5. Right to be notificated

If you have made use of your right of rectification, erasure or restriction of the processing towards the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of the processing, unless this proves impossible or involves a disproportionate effort.

The person concerned has the right to be informed of these recipients.

14.6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine‐readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was provided, if

  1. the processing is based on consent pursuant to Art. 6(1)a GDPR or on a contract pursuant to Art. 6(1)b GDPR and
  2. the processing is carried out by means of automated procedures.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to transferability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

14.7. Right to object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data in accordance with Art. 6(1)e or f GDPR.

The data controller no longer processes the personal data concerning you, unless he can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

14.8. Right to revoke the consent to the privacy policy

You have the right to revoke your consent to the privacy policy at any time. The revocation of consent will not affect the legality of the processing carried out on the basis of the consent until revocation.

14.9. Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or suspect of infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.

The supervisory authority to which the complaint has been lodged will inform the complainant of the status and results of the complaint, including the possibility of a legal remedy under Art. 78 GDPR.