Privacy policy

Protection of your personal data is important to us.

In the following, we would like to inform you that we ask for personal data from you and store it electronically. Your data will be stored and processed in accordance with the applicable provisions of the national data protection laws, as well as the General Data Protection Regulation (GDPR).

Anja Herr
AvS Coaching e.K.
Im Städtle 9
72805 Lichtenstein
Phone: +49 162 463 58 85
Fax: +49 322 26 471 275
E-Mail: info@amalie-von-stein.com
www.amalie-von-stein.com

 

I. General provisions

1.  Definitions

In order to improve the legibility and comprehensibility of our privacy policy, we would like to inform you about the general provisions used by the GDPR.

  • Personal data
    Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Data subject
    The data subject is an identified or identifiable natural person, whose personal data is processed by the controller.
  • Processing
    Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Restriction of processing
    Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
  • Profiling
    Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • Pseudonymization
    Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Controller
    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Processor
    Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Recipient
    Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. In addition to the recipients named in the respective clauses of this data protection declaration, these are, for example, recipients of the following categories: shipping service providers, payment service providers, merchandise management service providers, service providers for order processing, web hosts, IT service providers and dropshipping dealers or dealers who you contact to process the contract, provided that you have concluded a contract that involves an individual production. 
  • Third party
    Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  • Consent
    Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Payment service provider
    Payment service providers serve to process payments under contracts that a data subject enters into with the controller.

 

2.  Type and extent of data collection

Data is collected and processed when you access our website or retrieve a file stored on our website. As a rule, this does not take place unless it’s necessary to provide a functional website or its contents and services. Furthermore, personal data is regularly collected and used only after appropriate consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by legal provisions.

a.  Legal basis for the processing of personal data

If personal data is processed for fulfilling the contracts entered into with us, Art. 6 Para 1 lit. b GDPR serves as a legal basis. This also applies to processing operations which are necessary to carry out pre-contractual actions.

If we obtain consent of the concerned person for processing operations of personal data, Art. 6 Para 1 lit. a GDPR serves as a legal basis.

If processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 Para 1 lit. c GDPR serves as a legal basis.

In case vital interests of the concerned person or any other natural person require the processing of personal data, Art. 6 Para 1 lit. d GDPR serves as a legal basis.

If processing of data is required to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the concerned person do not outweigh the above-mentioned interest, then Art. 6 Para 1 lit. f GDPR serves as a legal basis for the processing.

b.  Data deletion and duration of storage

The personal data collected by us is deleted as soon as the purpose for storing the data ends. Data is stored if there is a law, a Union regulation or other provisions authorizing such storage. Furthermore, data is deleted when the retention period prescribed by the norms mentioned expires, unless there is a necessity for storing data further for concluding a contract or for the fulfillment of a contract.

 

II. Data collection via the website

1.  Logfiles

a.  Description and scope of data processing

When you access our website, the following data is logged:

  • Browser type/version
  • Operating system used
  • Referrer URL (website visited previously), as well as pages retrieved on our website
  • IP address
  • Date and time of the server request
  • Internet Service Provider

b.  Legal basis of data processing

The legal basis for storing data and the log files is Art. 6 Para 1 lit. f GDPR.

c.  Purpose of data processing

Storing data in log files ensures that our website is functioning properly. It further helps in optimization and security of our systems. Therein also lies our legitimate interest in the processing of data according to Art. 6 Para 1 lit. f GDPR. In accordance with this use, we do not evaluate data for marketing purposes.

d.  Duration of storage

The data stored by us is deleted as soon as we do not need it anymore for achieving the purpose for which it was collected. This happens at the latest after seven days. Storing data longer than that is possible. In this case, the users’ IP addresses are deleted or anonymized, in order to make identifying the user impossible.

e.  Option to revoke consent and elimination

Recording the data mentioned is absolutely necessary for the operation of the website. As a result, there is no option for the user to object to it.

 

2.  Technically necessary cookies

a.  Description and scope of data processing

Our website uses cookies. Cookies are text files that are saved on the user's computer system when retrieving our website. Cookies contain a string, which enables identification of the visitor's browser when our website is retrieved again. We use technically necessary cookies, which help in making our services more user-friendly, more effective and more secure.

The following data, for example, is stored and transmitted in the cookies:

  • Items in the shopping cart
  • Login information
  • Language settings

The data obtained from this is pseudonymized by us. Therefore, it is not possible to link data back to the visitor. Furthermore, this data is not stored together with other personal data.

You can set your browser in such a way that you are informed about the setting of cookies and individually decide on their acceptance or refuse the acceptance of cookies for specific cases or in general. If you do not accept cookies, the functionality of our website may be limited.

Insofar as cookies are also set on our websites for advertising and/or analysis purposes, we will inform you separately in this declaration.

b.  Legal basis of data processing

The legal basis for the processing of personal data by using cookies is Art. 6 Para 1 lit. f GDPR.

c.  Purpose of data processing

Technically necessary cookies serve to simplify the use of websites. Some functions of the website or the online shop cannot be provided without the use of cookies. For these functions it is necessary that a browser returning to our website can be correctly identified.

The user data collected by technically necessary cookies is not used for creating user profiles.

d.  Duration of storage, opt-out option and elimination

Cookies are stored on the user's computer and transmitted by the user. Therefore, users also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

 

3.  Contact form and email

If you contact us via the contact form or by e-mail, you agree to e-mail communication that is encrypted for transport but not for content. Please inform yourself about the associated risks, e.g. here: https://www.bsi-fuer-buerger.de.

a.  Description and scope of data processing

Visitors to our website are provided with a contact form for fast, electronic contact. The data entered in the input screen is transmitted to and stored by us.

In addition, the IP address of the user as well as the date and time of transmission are stored at the time of sending.

Alternatively, contact is possible via the email address provided. In this case, the user's personal data transmitted via email is stored.

The data will not be passed on to third parties. The data will be used exclusively for the processing of the inquiry.

b.  Legal basis of data processing

The legal basis for processing the data, if the user has consented to it, is Art. 6 Para 1 lit. a GDPR.

The legal basis for processing the data which is transmitted while sending an email is Art. 6 Para 1 lit. f GDPR. If contact via email aims to conclude a contract, then an additional legal basis for the processing is Art. 6 Para 1 lit. b GDPR.

c.  Purpose of data processing

Processing of personal data serves the sole purpose of processing contact. In case of contact via email, this also includes the required legitimate interest in the processing of the data.

Other personal data processed in the sending process serves the purpose of preventing misuse of the contact form and ensuring the security of our information technology systems.

d.  Duration of storage

The data is deleted as soon as we do not need it for achieving the purpose for which it was collected. For personal data from the input screen of the contact form and that which has been sent via email, this is the case when the respective conversation with the user has ended.

The conversation ends when it is clear from the circumstances that the relevant facts have been finally clarified.

The additional personal data collected during the sending process is deleted at the latest after a period of seven days. If the correspondence results in a business transaction, we are legally obliged to keep the exchanged correspondence for 6 years (beginning with the end of the calendar year in which the respective letter was sent).

e.  Option to revoke consent and elimination

The user has the possibility to revoke his consent to the processing of his personal data at any time. For this purpose, the user can contact the person responsible via the contact options provided on the website. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case the conversation cannot be continued.

If the storage of the data follows from a legal obligation, there is no right of objection.

 

4.  Comment function

a.  Description and scope of data processing

We offer visitors to our website the opportunity to make comments. The data entered in the input mask is transmitted to us and stored.

In addition, the IP address of the user as well as the date and time of transmission are stored at the time of sending.

The data will not be passed on to third parties. The data will be used exclusively for the processing of the inquiry.

b.  Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. f GDPR.

c.  Purpose of data processing

The processing of personal data serves to prevent abuse of the comment function (e.g. by bots) and to ensure the security of our information technology systems.

d.  Duration of storage

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. This is the case at the latest when the comment or the corresponding page is deleted.

e.  Option to revoke consent and elimination

The user has the possibility to revoke his consent to the processing of personal data at any time. To do so, the user can contact the controller via the contact options provided on the website.

 

5.  Registration of a user account or guest order

a.  Description and scope of data processing

Users have the opportunity to register on our website.

When registering, the data requested from the input mask is transmitted to us and stored. The same applies to entries made in the context of guest orders.

The personal data may be transferred to third parties, for example parcel service providers, if this is necessary for the fulfilment of the contract. These third parties use the data thus transferred exclusively for internal purposes that are attributable to us. For further details, please refer to section III. of this privacy policy.

b.  Legal basis of data processing

If the registration serves the purpose of fulfilling a contract to which the user is a contractual party, or the execution of pre-contractual measures, then the legal basis for processing the data is Art. 6 Para 1 lit. b GDPR.

c.  Purpose of data processing

The registration of the user is required for the fulfillment of contracts with users or for the implementation of pre-contractual measures. The same applies to entries made in the context of guest orders.

d.  Duration of storage

The data will be deleted as soon as they are no longer necessary for the purpose of their collection.

This is the case for the data collected during the registration process if the registration on our website is cancelled or modified.

This is the case for the data collected during the registration process or the guest order process for the fulfilment of a contract or for the implementation of pre-contractual measures if the data is no longer necessary for the implementation of the contract. Even after conclusion of the contract, it may still be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations.

For legal reasons, we must retain correspondence exchanged in connection with the conclusion of a contract for 6 years (beginning with the end of the calendar year in which the respective letter was sent).

e.  Option to revoke consent and elimination

Users have the possibility to cancel the registration at any time. Users can change the stored data themselves, or have it changed, at any time.

Please contact the controller to find out how to delete the registration.

If the data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, an early deletion of the data is only possible if contractual or legal obligations don’t prevent a deletion.

 

III.    TRANSFER OF DATA TO THIRD PARTIES FOR CONTRACT FULFILLMENT

1.  General information

a.  Description and scope of data processing

When you place an order, we collect and use your personal data only to the extent necessary to fulfill and process your order and to process your inquiries. The data entered by you during the ordering process will be passed on to service partners we need to process your order, as far as this is necessary for the fulfilment of the contract or as far as you have consented to it.

In addition to the recipients named in the respective clauses of this privacy policy, these are, for example, recipients of the following categories:

Shipping service providers, payment service providers, merchandise management service providers, service providers for order processing, web hosters, IT service providers and dropshipping merchants.

b.  Legal basis of data processing

The processing described above is intended to fulfil a contract to which the user is a party. The legal basis for processing the data is Art. 6 para. 1 lit. b GDPR.

c.  Purpose of data processing

The transmission serves to fulfill our contractual obligations.

d.  Duration of storage 

Your data will be deleted when they are no longer required for the execution of the contract, unless contractual or legal obligations to keep records conflict with this.

e.  Option to revoke consent and elimination 

The user has the possibility at any time to revoke the given consent with the controller or the provider.

If the data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, an early deletion of the data is only possible if contractual or legal obligations don’t prevent a deletion.

 

2.  Payment service provider

a.   Description and scope of data processing

If a user selects a payment service provider for payment during the ordering process, the user's data required to make the payment will automatically be transmitted to the latter. These include, for example, the name and address, bank data (e.g. account numbers or credit card numbers), passwords, TANs and checksums, as well as contract, summary and recipient-related information. In this case, the controller receives no account or credit card information, but only the information whether the payment process was successful. The data may be transmitted by the payment service provider to credit reporting agencies for identification purposes and credit checks. In that regard, reference is made to the terms and conditions and privacy notices of the payment service provider, which can be viewed on the website of each payment service provider.

If you have to be registered with your chosen payment service provider to use it, you will be redirected to the payment service provider's pages during the payment process. In this case, the provider collects the data itself. In this respect, the privacy policy of the respective payment service provider applies.

You can find the payment service providers offered by the controller and further information about them in the section of the respective payment service provider.

b. Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. b GDPR (processing for the implementation of pre-contractual measures and performance of a contract).

c. Purpose of data processing

The transmission of the data to the selected payment service provider serves the fulfillment of a contract of which the user is the contracting party; in particular, data is used for payment processing, prevention of misuse, as well as for identity and credit checks.

d. Duration of storage

Your data will be deleted if it is no longer necessary for our business processes and does not conflict with statutory retention requirements. We do not have any influence on the storage of the data at the payment service provider; please contact the payment service provider of your choice, who is the controller for this matter in the sense of the data protection regulations.

e. Possibility of opting out and elimination

You have the rights under "VI. Rights of the persons concerned", which may be asserted against the respective controller.

 

3.  Data transmission for credit assessment

a.  Description and scope of data processing

In the cases permitted by law, data may be transmitted to credit agencies for credit assessment within the scope of payment processing. The recipients of the data can be the following companies:

b.  Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. b GDPR.

c.  Purpose of data processing

The transmission takes place for abuse prevention, as well as for identity and credit assessment.

d.  Duration of storage

Your data will be deleted when they are no longer required for our business processes and there are no legal obligations to retain them. We have no influence on the storage of the data by the provider. You can reach the provider at the above mentioned contact details.

e.  Option to revoke consent and elimination

The user has the possibility to revoke the given consent at any time with the provider or the controller. A revocation of data, which are absolutely necessary for the payment processing, is not possible.

 

IV.     DATA TRANSFER FOR THE PURPOSE OF USAGE ANALYSIS

 

1.  Amazon Partner Program

a.  Description and scope of data processing

The controller participates in the Amazon partner program. The provider is Amazon EU S.à.r.l, 5 Rue Plaetis, L-2338 Luxembourg, Luxembourg.

For this purpose, components of the Amazon Partner Program are integrated on the website of the controller.

Amazon uses cookies for this purpose. The cookies enable Amazon to track orders placed within the framework of the partner program. In particular, Amazon can track whether the order was placed via a link from the partner program.

Further information and Amazon's applicable data protection regulations can be found at https://www.amazon.de/gp/help/customer/display.html?nodeId=3312401

b.  Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. a GDPR.

c.  Purpose of data processing

By participating in the Amazon partner program, advertisements can be placed on the operator's offering in return for a commission.

d.  Duration of storage

Your data will be deleted when they are no longer required for our business processes and there are no legal obligations to retain them. We have no influence on the storage of the data by the provider. You can reach the provider at the above mentioned contact details.

e.  Possibility of opting out and elimination

Cookies are stored on the user's computer and transmitted by the user. Therefore, users also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

 

2.  Affilinet

a.  Description and scope of data processing

We participate in the partner program of affilinet. Provider is affilinet GmbH, Sapporobogen 6-8, 80637 Munich, Germany. In this context we have placed links, banners, etc. on our website which lead to offers from third parties.

The provider sets tracking cookies on the users' end devices. In doing so, the provider stores the ID of the person in charge as well as information on the advertising material clicked on (banner, text link, etc.). Further personal data of the users is not collected.

Further information is available at https://www.affili.net/getmedia/50be441d-785a-4f85-94b9-807f52b9e66b/Datenschutz_DE.aspx

b.  Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. a GDPR.

c.  Purpose of data processing

The processing of users' personal data enables the Provider to record sales and/or leads and thus to process payments between the Provider and the controller.

d.  Duration of storage

We have no influence on the storage of the data by the provider. You can reach the provider at the above mentioned contact details.

e.  Option to revoke consent and elimination

Cookies are stored on the user's computer and transmitted by the user. Therefore, users also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

 

V.        DATA TRANSFER TO IMPROVE THE FUNCTIONALITY OF THE SITE

1.  Google Fonts

a.  Description and scope of data processing

This website uses external fonts, so-called Google Fonts. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When the website is accessed, the font files are loaded from the server of Google Inc. These servers can also be located in the USA. In this case, for example, it is transmitted which pages the user has called up and the IP address of the user's terminal device.

Further information is available at https://developers.google.com/fonts/faq?hl=de-DE&csw=; or under https://policies.google.com/?hl=de.

b.  Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. a GDPR.

c.  Purpose of data processing

We do not receive any information or evaluations from Google Inc. about data collected by them and have no control over this.

By using Google Fonts, the presentation and display of the website is improved and optimized.

d.  Duration of storage

We have no influence on the storage of the data by the provider. You can reach the provider at the above mentioned contact details.

e.  Possibility of opting out and elimination

We are not aware of any possibilities for objection or removal.

 

 

VI.     Rights of the data subjects

1.  Information and access to personal data

Data subjects have the right to be provided with a confirmation as to whether personal data is processed by a controller.

If personal data is collected, data subjects shall be provided with the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  • Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the access to data processed can be restricted.

2.  Right to rectification

The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him or her. The controller has to inform the data subject without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the right to rectification can be restricted.

3.  Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the right to restriction of processing can be restricted.

4.   Right to erasure (“right to be forgotten”)

 

a.  Obligation to erasure

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

b.  Information to third parties

Where the controller has made the personal data public and is obliged to erase personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c.  Exceptions

The right to erasure shall not apply if the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph a is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  • for the establishment, exercise or defense of legal claims.

5.  Notification obligation

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

6.  Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  • the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.  Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The right of objection may be limited to the extent that it is likely to make the realization of the research or statistical purposes impossible or seriously impair it and the limitation is necessary for the fulfilment of the research or statistical purposes.

8.  Right to withdraw the data subject's consent

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9.  Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  3. is based on the data subject's explicit consent.

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Decisions shall not be based on special categories of personal data referred to in Article 9(1), unless suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

10.  Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.