Datenschutzerklärung

I. General information
II. Detailed information on the collection of personal data

  1. Visiting the Website

  2. Cookies

  3. Execution of closed contracts

  4. Contact form, contacting by e-mail, fax, or telephone

  5. client account

  6. direct marketing

  7. Newsletter

  8. YouTube

  9. Google AdWords

  10. Google Analytics

  11. Facebook-, Twitter- and Pinterest-buttons

  12. Single Sign-On and Payment-Providers

    III. Data subject rights

    1. Right of access pursuant to Art. 15 GDPR

    2. Right of rectification pursuant to Art. 16 GDPR

    3. Right of erasure pursuant to Art. 17 GDPR

    4. Right of restriction to processing pursuant to Art. 18 GDPR

    5. Right of notification pursuant to Art. 19 GDPR

    6. Right to data portability Art. 20 GDPR

    7. Right of objection pursuant to Art. 21 GDPR

    8. Automated individual decision-making, including profiling, pursuant to Art. 22 GDPR

    9. Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR

    10. Right to an effective judicial remedy against a controller or processor pursuant to Art. 79 GDPR

    Contact details of the controller:

    Taverimoto GmbH

    Schilteck 1, 78713 Schramberg, Germany

    Tel.: +41 79 426 00 34

    E-Mail: info@taverimoto.com

     

    II. Detailed information on the collection of personal data

    1. Visiting the website

    1. a) Purpose of data collection and processing

      Every time a user accesses a page of our website and every time a user accesses a file stored on our website, access data regarding this process are saved in a log file. Each data set consists of: 

      1. the web page from which the file was requested,

      2. the name of the file,

      3. the date and time of the request,

      4. the transmitted data volume,

      5. the transfer status (file transmitted, file not found, etc.),

      6. a description of the type of operating system and web browser used,

      7. Hostname of the accessing computer and

      8. the client IP address.

      We use these data to properly operate our website, especially in order to determine how the website is used, if there are malfunctions of the website, and to make adjustments or improvements. The client IP address is used to transmit the quested data; once it is no longer required for technical reasons, it will be anonymised by deleting the last numeric block (Ipv4) or the last octet (Ipv6).

      1. b) Retention Period

        The data are saved every time a user accesses a page of our website and when he accesses our online presence and they will be deleted once they are no longer required for the purpose they were collected for, which is the case at the latest with expiration of three months after the visit of the Website

        1. c) Legal Basis

        The legal basis for the temporary storage of the above data is Art. 6 (1) lit. f EU General Data Protection Regulation (hereinafter referred to as “GDPR”). The justified interest is making our website available and the examination of misuse.

        1. d ) Objection and right to deletion

          By waiving the use of our website, the data subject can object to the processing and, subject to the conditions described in more detail in the section "Rights" below, demand the deletion of data collected from him in this way by means of an informal declaration.

          2. Cookies

          2. a) Purpose of data collection and processing

            In order to make visiting our website and placing orders possible from a technical point of view, we transmit so-called cookies to the end device of the data subject.  Cookies are small text files that identify the end device of the data subject, usually by recording the name of the domain that is sending the cookie files, information on the age of the cookie, and an alphanumeric identification code. By saving the cookie on the end device that is used – without accessing the operating system – the device can be recognised, and we are able to make any previously selected settings available immediately. We use this information to tailor our website and the services offered to the data subjects needs and to make accessing our website quicker.

            2. b) Retention Period

              The time for which the different cookies are stored varies but does not exceed two years. They are saved on the data subject used device device, not on our server, which is why the actual time of deletion depends on browser software settings. Please see the instructions for your browser to find out how you can delete cookies placed by us manually or automatically.

              2. c) Legal Basis

                The legal basis for storage of the above data is Art. 6 (1) lit. f GDPR. The justified interest for placing cookies is, on the one hand, optimising the quality of our website through an analysis, and on the other hand, making visiting our website possible; in particular, some functions on our website cannot be used without cookies, since the user and his existing settings would otherwise not be recognized when switching pages, language settings would be lost and searches could not be performed. Furthermore, storage is permissible on the legal basis pursuant to Art. 6 (1) lit. b GDPR to execute a contract.

                3. d) Objection and right to deletion

                  The data subject can block the use of cookies in the end devices he uses or can delete these after their use. It may be possible, however, that individual features of our website will not be accessible in that case. Please see the instructions for your browser as to how to block and delete any cookies that were already saved.

                  3. Execution of closed contracts

                  3. a) Purpose of data collection and processing

                    Name, address(es), bank details, e-mail addresses, phone or fax numbers, client IP address at the time a customer orders is placed are all collected, stored, and processed in order to conclude or execute contracts, which especially includes the billing and implementation of the contract. The personal data will only be transmitted to third parties if doing so is required for execution of the contract, such as when commissioning a shipping company or availing ourselves of a payment service provider.

                    3. b) Retention Period

                      The data will be deleted when the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. This time limit is five years for personal data that are subject to section 147 Tax Code (AO) and ten years for personal data that are subject to section 257 German Commercial Code (HGB). The period starts at the end of the calendar year in which the data were collected.

                      3. c) Legal Basis

                      The legal basis for the storage of the above data is Art. 6(1) lit. b and c GDPR, in order to fulfil the obligations arising from the contract and to provide the services required for the performance of the contract.

                      3. d) Objection and right to deletion

                        As statutory retention periods apply in these cases and because the data are stored and have to remain stored to execute contracts, there are no options for objection or erasure in these cases.

                        4. Contact form, contacting by e-mail, fax, or telephone

                        4. a) Purpose of data collection and processing

                          We provide a contact form on the website. The data subject can use it to contact us electronically and we can then process the enquiry. The following data are collected and saved: name, address, e-mail address, phone number, date and time of the request, and the description of the enquiry, if applicable contract details if the enquiry deals with concluding or implementing a contract.

                          A user can contact us by e-mail, fax, or phone. We will then save the data transmitted to us and provided by the data subject in order to process the request. These data include name, address, e-mail address, phone and/or fax number, date and time of the request, and the description of the enquiry, if applicable contract details, if the enquiry deals with concluding or implementing a contract.

                          These data will not be shared with third parties. They are saved to handle the enquiry of the data subject.

                          4. b) Retention Period

                            As soon as the data are no longer required to achieve the purpose, they will be deleted, which is the case as soon as the enquiry has been dealt with and if the matter was resolved, and if no contractual or fiscal retention periods prevent such deletion. This time limit is five years for personal data that are subject to section 147 Tax Code (AO) and ten years for personal data that are subject to section 257 German Commercial Code (HGB). The time limits start at the end of the calendar year in which the data were collected.

                            4. c) Legal Basis

                              The above data are, pursuant to the legal basis under Art. 6 (1) lit. a GDPR, only saved after consent was granted in the enquiry, based on Art. 6 (1) lit. b GDPR to conclude or execute a contract, and pursuant to Art. 6 (1) lit. f GDPR. The justified interest of the controller is being able to process the enquiry and to prevent any abuse of the contact form.

                              4. d) Objection and right to deletion

                                The data subject has at all times the right to withdraw the consent to data processing and to object to such data being stored. The data pertaining to that process will then be erased. If a contract was concluded, the above explanations regarding “contract conclusion” shall apply.

                                5. Customer Account

                                5. a) Purpose of data collection and processing

                                  The data subject can register with us by providing personal data which is transmitted to us and stored hereafter. The data that is entered in the input mask or otherwise collected will be stored. These date are name, address(es), date of birth, e-mail address, IP address, date and time of registration. The registration is necessary for the provision of certain contents and services and also serves to prove and fulfil our contract with the data subject.

                                  5. b) Retention Period

                                    As soon as the data are no longer required to achieve the purpose, they will be deleted. In the case of registration without further conclusion of contract, this is the case if the registration is deleted or the data is changed. In the event of registration leading to a further conclusion of contract, the data will be deleted as soon as the statutory and tax provisions permit the deletion of contract data. This time limit is five years for personal data that are subject to section 147 Tax Code (AO) and ten years for personal data that are subject to section 257 German Commercial Code (HGB). The period starts at the end of the calendar year in which the data were collected.

                                    5. c) Legal Basis

                                      The above data is stored on the legal basis pursuant to Art. 6 (1) lit. b GDPR to conclude or execute a contract, or pursuant to Art. 6 (1) lit. f GDPR. The legitimate interest of the person responsible is to be able to provide certain content and services for the benefit of the user.

                                      5. d) Objection and right to deletion

                                        The data subject has the right at any time to delete the registration or to adapt the data. The deletion or change of the account takes place by communication to the contact specified under number I. No objection or removal of the registration and the data is possible if the registration was used to establish or execute a contractual relationship; only the account can be deleted here. The deletion of the account takes place by means of the aforementioned steps.

                                        6. Direct Marketing

                                        6. a) Purpose of data collection and processing

                                        We will use the data received from the data subject in connection with the sale of a product or service for direct marketing of our offer to the extent permitted by law.

                                        6. b) Retention Period

                                          As soon as the data are no longer required to achieve the purpose, they will be deleted, which is the case once the data subject objected to direct advertising or if the lapse of time after the last advertisement that referred to the right to objection so demands, which is the case after twelve months after the last advertisement measure.

                                          6. c) Legal Basis

                                            The legal basis for advertisement after purchasing goods or using a service is 6 (1) lit. f GDPR. The justified interest is direct advertising to increase sales.

                                            6. d) Objection and right to deletion

                                              The data subject may withdraw his consent to such receipt with effect for the future at any time.

                                              7. Newsletter

                                              7. a) Purpose of data collection and processing

                                                The data subject has the option of subscribing to a newsletter. Once the data subject registers for the newsletter, the data provided by the data subject in that registration form will be transmitted to us. These are the e-mail address that is provided, the IP address, time and the date of registration. Furthermore, within the framework of the double opt-in procedure, it is collected and stored that and which link from which IP address was clicked when. The collected data are required to be able to send the newsletter and to prove a registration.

                                                7. b) Retention Period

                                                  The data will be deleted as soon as the data are no longer required to achieve their purpose and once the data subject has unsubscribed from the newsletter. Afterwards, the data will be stored for ten years after the last newsletter was sent as means of proof in case of enquiries regarding existing consents, subject to limitation periods

                                                  7. c) Legal Basis

                                                    The legal basis for storage of the above data is Art. 6 (1) lit. a GDPR; they shall only be stored based on prior consent granted as part of the registration. The consent may be withdrawn at any time, which does not affect the lawfulness of processing personal data based on such consent before its withdrawal.

                                                    7. d) Objection and right to deletion

                                                      The data subject can object to the data being used for sending newsletters at any time with effect for the future by unsubscribing from the newsletter. It can do this by declaration towards us. If the data subject wishes to unsubscribe from the newsletter, he can do so using the ‘unsubscribe link’ that is provided in every e-mail and that he only needs to click on.

                                                      8. YouTube

                                                      8. a) Purpose of data collection and processing

                                                        We use the YouTube embedding feature to display and play videos from YouTube, YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA, represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). When a page with a YouTube video is accessed, a connection is established to YouTube's servers, which is assigned to the user's personal profile and communicates the pages visited on the website when he is logged in with his YouTube account. You can prevent this by logging out of the YouTube account beforehand.

                                                        8. b) Retention Period

                                                          Information on data protection and the storage of personal data on "YouTube" can be found in the provider's data protection policy at https://www.google.de/intl/de/policies/privacy.

                                                          8. c) Legal Basis

                                                            The use of YouTube serves to safeguard our legitimate interest in an appealing presentation of our online offering in accordance with Art. 6 (1) lit. f GDPR, which is predominant in the weighing of interests.

                                                            8. d) Objection and right to deletion

                                                              At https://adssettings.google.com/authenticated you will find an opt-out function.

                                                              9. Google AdWords

                                                              9. a) Purpose of data collection and processing

                                                                We use the services of Google Adwords to draw attention to our services on external websites. For this purpose, we use Ad Server Cookies, which can be used to measure certain parameters such as the display of ads or clicks by users. If you access our website via a Google ad, Google Adwords stores a cookie on your end device. These cookies usually lose their validity after 30 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values. These cookies enable Google to recognize your Internet browser. If a user visits certain pages of an AdWords customer's website and the cookie stored on his or her terminal has not yet expired, Google and the customer may recognize that the user clicked on the ad and was directed to that page. Each Adwords customer is assigned a different cookie. Cookies cannot, therefore, be traced via the websites of Adwords customers. We do not collect and process any personal data in the aforementioned advertising measures. Google only provides us with statistical evaluations.

                                                                On the basis of these evaluations, we can identify which of the advertising activities used are particularly effective. We do not receive any further data from the use of the advertising media; in particular, we cannot identify users on the basis of this information. Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the extent and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of AdWords Conversion, Google receives the information that you have called the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may find out and store your IP address. You can find out more about Google AdWords' privacy policy at the following Internet address https://policies.google.com/technologies/ads?hl=de

                                                                9. b) Retention Period

                                                                  Cookies are valid for 30 days and are deleted after expiry unless you delete them yourself beforehand - for example by making suitable settings in your browser or manually.

                                                                  9. c) Legal Basis

                                                                    The legal basis for the storage of the above data is Art. 6 (1) lit. f GDPR and section 15 clause 3 Telemedia Act (TMG).

                                                                    9. d) Objection and right to deletion

                                                                      You can block the use of cookies; the corresponding steps can be found in the instructions for your browser software.

                                                                      10. Google Analytics

                                                                      10. a) Purpose of data collection and processing

                                                                        The client IP address is collected for the use of the Google Analytics service. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on the user's computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. However, due to the activation of IP anonymisation on this website, Google will previously shorten the IP address of the data subject within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating the use of the website, compiling reports on website activity and providing other services to website operators relating to website activity and internet usage.The IP address transmitted by your browser in the context of Google Analytics is not combined with other data from Google.

                                                                        10. b) Retention Period

                                                                          As soon as the data are no longer necessary to achieve the purpose, they are erased, which is the case when the anonymisation carried out within the European Union has been completed. This takes less than a second. The data sent by us and linked to cookies, login data (e.g. user ID) or advertising IDs are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month. Further information can be found at https://www.google.com/analytics/terms/de.html and https://policies.google.com/?hl=de

                                                                          10. c) Legal Basis

                                                                            The legal basis for storage of the above data is Art. 6 (1) lit. f GDPR. The justified interest lies in the fact that we are able to analyse the use of the website by all users in its entirety without drawing conclusions about the behaviour of identifiable persons; this enables us to optimise our website and our offers.

                                                                             10. d) Objection and right to deletion

                                                                              The data subject can prevent the storage of cookies by setting the browser software accordingly; however, we point out to the data subject that in this case not all functions of this website may be fully usable.

                                                                              The data subject may also prevent Google from collecting the data generated by the cookie and relating to the use of the website (including the IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link http://tools.google.com/dlpage/gaoptout? hl=de.

                                                                              11. Facebook-, Twitter- and Pinterest-Buttons

                                                                              11. a) Purpose of data collection and processing

                                                                                Through social network buttons, we do not collect any personal data at all. Nevertheless, for the sake of completeness, we explain the technical background. We only use disabled buttons of social networks like Facebook, Twitter and Pinterest. This means that no data is transmitted to these networks. By clicking on the buttons, the data subject himself decides to activate them and thus establish a connection to the servers of the operators of the social networks and thus transmit data to the servers of the social networks in accordance with the agreement concluded by the data subject with the social network. The activation leads to the loading of contents of the social networks. The type, purpose and scope of data collection and use can be found in the corresponding privacy policy of the social networks.

                                                                                After a second click on the button, the user can send his recommendation to the social networks. If the data subject wishes to recommend several pages, consent is required on each page. If the data subject wants the social network to have permanent access to his/her data, he/she can activate the buttons permanently. The appropriate check mark can be placed under a cogwheel icon to ensure that the selected button is always active.

                                                                                11. b) Retention Period

                                                                                  The retention period depends on the specifications of the operators of the social networks.

                                                                                  11. c) Legal Basis

                                                                                    The operators of the social networks inform the data subjects about the legal basis.

                                                                                    11. d) Objection and right to deletion

                                                                                      Via the cogwheel icon, via which the data subject has activated the social media buttons, he can later change his consent again and deactivate the buttons.

                                                                                      12. Single sign-on and payment services

                                                                                      12. a) Purpose of data collection and processing

                                                                                        For simplified ordering and payment processing, we use the tools from third-party providers listed below:

                                                                                        • PayPal, an offer from PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg;

                                                                                        • Paydirekt, an offer from paydirekt GmbH, Hamburger Allee 26-28, 60486 Frankfurt am Main.

                                                                                        When calling up the shopping cart, these providers use scripts integrated into our website to check whether the user is a customer of the respective provider and logged in there. This is done by comparing any cookies stored by the provider in the user's browser. For this purpose, the IP address, the browser used, the operating system and the page called up are transmitted to the third party provider. We only collect data when a customer of a provider makes use of the services of the third party and arranges for the personal details stored there - namely the order and billing address - to be transmitted to us and if applicable, the payment process is handled in accordance with the user conditions of the service with which the customer has a contractual relationship. 

                                                                                        12. b) Retention Period

                                                                                          We only process the data that is transmitted to us by the third party provider on behalf of the customer for the purpose of contract execution. In this respect, the information on the retention period and the headword "execution of contract" above apply. Insofar as the third party provider processes data on behalf of the data subject, the storage period shall be determined by the privacy policy of the third party to which reference is made here.

                                                                                           12. c) Legal Basis

                                                                                            The legal basis for the processing of the above data is Art. 6 (1) lit. b GDPR as far as the data is used to process contracts via our website. As far as payment services are concerned, the storage is also based on Art. 6 (1) lit. c GDPR, as the data collected in this way are of tax relevance and are therefore necessary for the fulfilment of our tax obligations. Processing is also based on Art. 6 (1) lit. e GDPR, because it fulfills our legitimate interest in enabling the customers of the respective service providers to use the services of their contractual partners and to guarantee a fast and pleasant handling of the contract.

                                                                                            12. d) Objection and right to deletion

                                                                                              Since there are standardized retention periods here and the data must remain stored and processed for the execution of the contract, an objection or a deletion is not possible.

                                                                                              III. Data subject rights

                                                                                              If our website processes personal data of users, the affected person (data subject) has the following rights towards the controller pursuant to the GDPR.

                                                                                              Right of access pursuant to Art. 15 GDPR

                                                                                              The data subject has a right to the following information:

                                                                                              1. the purposes of the processing;

                                                                                              2. the categories of personal data concerned;

                                                                                              3. the recipients or categories of recipients to whom the personal data has been or will still be disclosed, especially for recipients in third countries or for international organisations;

                                                                                              4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

                                                                                              5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

                                                                                              6. the right to lodge a complaint with a supervisory authority;

                                                                                              7. where the personal data is not collected from the data subject, any available information as to its source;

                                                                                              8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

                                                                                              9. if personal data is transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate guarantees according to Art. 46 of the GDPR in connection with the transfer of such data.

                                                                                              We provide the data subject with a copy of the personal data undergoing processing. For all further copies requested by the data subject, the controller may demand a reasonable fee based on the administrative costs. 

                                                                                              1. Right of rectification pursuant to Art. 16 GDPR

                                                                                              The data subject has the right to have the controller rectify inaccurate personal data concerning the data subject without undue delay. Under consideration of the purposes of processing, the data subject has the right to demand the completion of incomplete personal data - also by supplementary declaration.

                                                                                              2. Right of erasure pursuant to Art. 17 GDPR

                                                                                              The data subject has the right to have the controller erase personal data concerning the data subject without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

                                                                                              1. a) The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise;

                                                                                              2. b) the data subject withdraws consent on which processing is based pursuant to lit. (a) of Article 6(1) or lit (a) of Art. 9(2) GDPR, and where there are no other legal grounds for processing;

                                                                                              3. c) the data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing the data subject objects to the processing pursuant to Art. 21(2) of the GDPR;

                                                                                              4. d) the personal data have been unlawfully processed;

                                                                                              5. e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law the controller is governed by;

                                                                                              6. f) the personal data has been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

                                                                                              3. Right of restriction to processing pursuant to Art. 18 GDPR

                                                                                              The data subject has the right to have the controller restrict processing where one of the following applies:

                                                                                              1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,

                                                                                              2. b) the processing is unlawful and the data subject has opposed the erasure of the personal data and requested the restriction of its use instead;

                                                                                              3. c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or

                                                                                              4. d) the data subject has objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

                                                                                              4. Right of notification pursuant to Art. 19 GDPR

                                                                                              If the data subject has demanded from the controller in regard to the personal data of the data subject a rectification pursuant to Art. 16 GDPR, erasure pursuant to Art. 17(1) GDPR, or restriction of processing pursuant to Art. 18 GDPR, and if the controller has informed all recipients who have received personal data of the data subject of the request of the data subject (unless impossible or only possible subject to unreasonable efforts), the data subject shall have the right to receive a notification from the controller as to who has received his personal data.

                                                                                               5. Right to data portability Art. 20 GDPR

                                                                                              The data subject has the right to receive the personal data concerning him, which he has provided to the controller, in a structured, commonly used and machine-readable format and has the right to transmit this data to another controller without hindrance from us, where

                                                                                              1. processing is based on consent pursuant to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR or on a contract pursuant to Art. 6(1) lit. b GDPR; and

                                                                                              2. the processing is carried out by automated means.

                                                                                              This must not adversely affect the rights and freedoms of others.

                                                                                              In exercising the right to data portability pursuant to (1), the data subject has the right to have the personal data transmitted directly from us to another controller, where technically feasible.

                                                                                              The exercise of the right to data portability is without prejudice to the right to erasure pursuant to Art. 17 GDPR. The right of data portability shall not apply to any processing that is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

                                                                                              7. Right of objection pursuant to Art. 21 GDPR

                                                                                              The data subject has at any time the right to object, on grounds relating to his particular situation, to processing of personal data concerning him which is based on Art. 6(1)lit. e or f GDPR, including profiling based on those provisions. We will no longer process the personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if processing serves the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject has at any time the right to object to processing of personal data concerning him for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data are no longer be processed for such purposes.

                                                                                              The data subject may withdraw the consent he has given at any time. The lawfulness of any collection and processing until such time, however, shall not be affected by this.

                                                                                              8. Automated individual decision-making, including profiling, pursuant to Art. 22 GDPR

                                                                                              The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him. This does not apply if the decision

                                                                                              1. is necessary for entering into, or performance of, a contract between the data subject and us;

                                                                                              2. is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or

                                                                                              3. if the data subject has granted his express consent.

                                                                                              Such decisions must not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject are in place. In the cases referred to in sections a) and c), we will implement suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on our part, to express its point of view and to contest the decision.

                                                                                              9. Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR

                                                                                              Each data subject has, without prejudice to any other administrative or judicial remedy, the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the data subject believes that the processing of their personal data violates this regulation.

                                                                                              The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

                                                                                              10. Right to an effective judicial remedy against a controller or processor pursuant to Art. 79 GDPR

                                                                                              Each data subject has, without prejudice to any other administrative or judicial remedy including the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR, the right to an effective judicial remedy if he believes that the rights he is entitled to under this regulation were violated by any processing of his personal data that does not comply with the provisions of this regulation.

                                                                                              The competent courts for actions brought against contract processors are the courts of the Member State in which we or the contract processor have a branch. Alternatively, such actions can also be brought before the courts of the Member State in which the data subject has his residence, unless we or the contract processor are an authority of the Member State and we or the contract processor exercised sovereign powers.