Privacy Notice

I. Name and address of the controller

The controller as defined in the General Data Protection Regulation and other national data protection laws of the Member States as well as in other data protection legislation is as follows:
Lastenstraße 11
8020 Graz
Austria
Tel.: +43 316 7844-0
E-Mail: dataprotection@LSAG.com
Website: www.LSAG.com

As the operator of the shoe retail chains Humanic and Shoe4You, Leder & Schuh AG has branches in the following countries: Austria, Bulgaria, Germany, Croatia, Romania, Slovakia, Slovenia, Czech Republic and Hungary.

The following subsidiaries of Leder & Schuh AG operate in the relevant countries as controllers under the GDPR (countries in alphabetical order):
(1) Austria: Leder & Schuh AG; brand names on the market: Humanic, Shoe4You and Stiefelkönig
(2) Bulgaria: Humanic EOOD; brand name on the market: Humanic
(3) Croatia: Leder & Schuh d.o.o.; brand name on the market: Humanic
(4) Czech Republic: Humanic CZ spol. s.r.o.; brand names on the market: Humanic, Shoe4You
(5) Germany: Humanic Deutschland GmbH; brand name on the market: Humanic
(6) Hungary: Leder & Schuh Kereskedelmi Kft.; brand name on the market: Humanic
(7) Romania: Leather & Shoe SRL; brand name on the market: Humanic
(8) Slovakia: Leder & Schuh SK s.r.o.; brand name on the market: Humanic
(9) Slovenia: Leather & Shoe International d.o.o; brand name on the market: Humanic

Leder & Schuh AG processes data for the subsidiaries listed above.

II. Name and address of the data protection officer

Please send any inquiries relating to data protection regulations to the following email address:
dataprotection@LSAG.com

III. General information on data processing

1. Scope of processing of personal data

As a basic principle, we collect and use personal data of our users only to the extent necessary to provide a functioning website and to prepare our content and services. The collection and use of personal data of our users are routinely and strictly subject to the consent of the users.

An exception is made in such cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

When the processing of personal data is required for the performance of a contract to which the data subject is party, Art. 6 (1) b) GDPR serves as the legal basis. This also applies to such processing operations as are necessary for the steps which need to be taken prior to entering into a contract.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) c) GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or of a third party, except where such interests are overridden by the interests, fundamental rights and freedoms of the data subject, Art. 6 (1) f) GDPR serves as the legal basis for processing.

3. Deletion of data and term of storage

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this time if provision is made for such storage by the European or national legislative authorities in EU directives, laws or other regulations to which the controller is subject.

The data will also be blocked or deleted if a period of storage prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV. Provision of the website and generation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the computer accessing our site. The following data are collected:
(1) Information about the browser type and the version used
(2) The operating system of the user
(3) The Internet service provider of the user
(4) The IP address of the user
(5) Date and time of access
(6) Websites from which the system of the user reaches our website
(7) Websites which are accessed by the system of the user through our website

The data are also stored in the log files on our system. These data are not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 (1) f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary in order to enable the website to be delivered to the computer of the user. The IP address of the user must therefore be stored for the duration of the session. The data are stored in log files to ensure the functionality of the website. The data also help us to optimise the website and to ensure the security of our information technology systems. The data are not evaluated for marketing purposes in this context. These purposes also encompass our legitimate interest in the processing of data pursuant to Art. 6 (1) f) GDPR.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected. Where data are collected to provide the website, this is the case when the respective session is over. Where data are stored in log files, this is the case after 30 days at the latest. An extended term of storage is possible. In this case, the IP addresses of the users are deleted or dissociated so that they can no longer be assigned to the client seeking access.

5. Objection and deletion options

The collection of the data for the provision of the website and the storage of the data in log files are absolutely necessary for the operation of the website. Consequently there is no prospect of lodging any objection.

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files which are stored in the Internet browser or by the Internet browser on the computer system of the user. When a user visits a website, a cookie may be stored on the operating system of the user. This cookie contains a character string which enables clear identification of the browser when the website is accessed again.

We use cookies to make our website more user-friendly. Some elements of our website are configured so that the browser accessing the site can still be identified even after the user has changed to another page. The following data are stored and transmitted in the cookies:
(1) Shopping cart
(2) Registration
(3) Contact form
(4) Language

We also use cookies on our website which enable an analysis of the surfing habits of the user. In this way, the following data can be transmitted:
(1) Frequency of page views
(2) Use of website functions

The user data collected in this way undergo a technical pseudonymisation process so that it is no longer possible to identify the user. The data are not stored together with other personal data of the users.

2. Legal basis for data processing

The legal basis for the processing of personal data using strictly necessary cookies is Art. 6 (1) f) GDPR. The legal foundation for the processing of personal data using analytical cookies is based on your consent pursuant to Art. 6 (1) a) GDPR.

3. Purpose of data processing

The purpose of using strictly necessary cookies is to facilitate the use of websites for the visitors. Some functions of our website cannot be provided without the use of cookies. The browser needs to be recognised even after the user has changed to another page. User data collected by strictly necessary cookies are not used to create user profiles.

The analytical cookies are used to improve the quality of our website and its content. The analytical cookies tell us how the website is used, allowing us to keep optimising our service. For this purpose we create a profile of you under a pseudonym.

4. Term of storage, and objection and deletion options

Cookies are stored with the express consent of users on their computers and are transmitted from them to our site. Therefore users also have full control over the use of cookies. You can disable or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies which have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use the full range of functions on the website.

VI. Newsletter

1. Description and scope of data processing

You can subscribe to our newsletter free of charge in any of the following ways:
(1) Online registration on our website
(2) Submission of the registration form (available in our stores)
(3) Registration in connection with joining the customer club (either online or by submitting the registration form)
(4) Registration in connection with online registration for our online shop

When you sign up for the newsletter, the following data will be transmitted to us from the input mask or from the registration form:
(1) email address
(2) Forename and surname
(3) Country
(4) Gender

If you register at the same time as joining the customer club or registering in the online shop, the following additional data will be collected:
(1) Title (optional)
(2) Date of birth
(3) Postal address
(4) Mobile number (optional)

The following data will also be collected if you register online:
(1) IP address of the computer being used to gain access
(2) Date and time of registration

The data will be used for the sole purpose of sending the newsletter.

2. Legal basis for data processing

The legal basis for the processing of the data after the user has registered for the newsletter is the issue of consent by the user pursuant to Art. 6 (1) a) GDPR.

3. Purpose of data processing

The email address of the user is collected in order to send the newsletter. All the other data listed under IV.1. are used to select the appropriate newsletter.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected. The personal data collected from the user will be stored until the subscription to the newsletter is cancelled.

5. Objection and deletion options

The subscription to the newsletter may be cancelled at any time by the user. There is a link in each newsletter for this purpose. Users with online registration to the customer club or in the online shop may also revoke their consent to receive the newsletter online at any time.

In addition, the following email addresses may be used to unsubscribe from the newsletter in the relevant country:
(1) Austria & Germany: service@humanic.net
(2) Czech Republic: service.cz@humanic.net
(3) Slovakia: service.sk@humanic.net

You can unsubscribe from the newsletter by telephone on the following numbers:
(1) Austria & Germany: 00800 80 100 100
(2) Czech Republic: +420 538 890 039
(3) Slovakia: +421 220 912 401

It is also possible to send notice of revocation by email to dataprotection@LSAG.com.

VII. Registration in the online shop

1. Description and scope of data processing

We offer users the opportunity to register in our online shop on our website. This involves entering personal data. The data are entered into an input mask and transmitted to us and saved. The following data are collected during the registration process:
(1) email address
(2) Date of birth
(3) Title
(4) Forename and surname
(5) Gender
(6) Telephone number
(7) Address
(8) Password
(9) Customer club member (yes/no)
(10) Agreement to T&C and data privacy policy (yes/no)

The following data are also saved at the time of registration:
(1) The IP address of the user
(2) Date and time of registration

If reservations are made in the online shop, the following additional data will be processed:
(1) Articles reserved
(2) Branch for pickup
(3) SMS notification when reserved items are ready for collection (yes/no)

If purchases are made online, the following additional data will be processed:
(1) Articles ordered
(2) “yourSize” size recommendation
(3) Shoe size ordered
(4) List price of the articles ordered
(5) Retail price of the articles ordered
(6) Total price of the purchase order
(7) Details of the articles ordered
(8) Billing address
(9) Delivery address
(10) Promotion codes for the purchase order
(11) Payment method

The following purchase order data are passed on to address verification companies, payment service providers and logistics companies. We also check the credit rating if we supply the goods in advance of payment:
(1) Date of birth
(2) Title
(3) Forename
(4) Surname
(5) Gender
(6) Address
(7) Total price of the purchase order
(8) Billing address

No other data will be passed on. The data are sent to companies within the European Union or within the European Economic Area or to US companies with Privacy Shield certification. They are not sent to any international organisations. They are sent so that the payment can be processed (by payment service providers), so that the address and credit rating can be checked (by address and credit investigation companies), and so that the orders can be dispatched (by freight forwarding companies). The legal basis for this is Art. 6 (1) b) GDPR and Art. 6 (1) f) GDPR. The transfer of the data is absolutely necessary for the fulfilment of the contract therefore you have no right to object to their transfer.

2. Legal basis for data processing

The legal basis for registration is the consent of the user in accordance with Art. 6 (1) a) GDPR. The legal basis for the execution of purchase orders placed by the user is Art. 6 (1) b) GDPR and Art. 6 (1) f) GDPR.

3. Purpose of data processing

The data are processed for the conclusion of contractual matters.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected.

5. Objection and deletion options

The personal data are required for the fulfilment of the contract therefore you cannot exercise any right of objection and deletion in this respect. Naturally users may cancel the registration online at any time.

VIII. Registration for the customer club

1. Description and scope of data processing

You can register for the customer club in any of the following ways:
(1) Online registration on our website
(2) Mobile registration using our customer app
(3) Submission of the registration form (available in our stores)

The following data are collected during the registration process:
(1) email address
(2) Date of birth
(3) Title
(4) Forename and surname
(5) Gender
(6) Telephone number
(7) Address
(8) Password (optional)
(9) Agreement to T&C and data privacy statement (yes/no)

The following data are also saved at the time of the online registration:
(1) The IP address of the user
(2) Date and time of registration

The data will be used solely for the customer club processes.

The following data are collected if you are a customer club member and take advantage of yourKIDS offers (savings on children’s shoes):
(1) Customer card number
(2) yourKIDS points

The data are used solely for the calculation of yourKIDS bonus points.

2. Legal basis for data processing

The legal basis for the processing of the data is the consent of the user in accordance with Art. 6 (1) a) GDPR.

3. Purpose of data processing

Users need to log into the customer club section for certain content and services.

These services include (mobile) club card, exchange without receipt, yourSIZE (foot measurement and shoe size recommendation – optional: separate registration required), yourKIDS (bonus scheme for the purchase of children's shoes – optional: separate registration required), birthday surprises, price savings, promotions, prize draws and newsletters (optional: separate registration required).

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected. This is the case for the data collected during the registration process if the registration for the customer club is cancelled or changed.

5. Objection and deletion options

Registered users may correct their data or revoke their registration online at any time. It is also possible to send an email to yourclub@humanic.net or to dataprotection@LSAG.com.

IX. yourSize

1. Description and scope of data processing

The condition for use of yourSIZE (foot measurement and shoe size recommendation) is current membership in the customer club. Your feet will be measured in one of our stores. The following data are collected during this process:
(1) Customer card number
(2) Length / width / height / instep height of left foot
(3) Length / width / height / instep height of right foot
(4) yourSize shoe size for left foot
(5) yourSize shoe size for right foot

2. Legal basis for data processing

The legal basis for the processing of the data is the consent of the user in accordance with Art. 6 (1) a) GDPR.

3. Purpose of data processing

The data are used solely for the measurement of the feet and the shoe size recommendation. The data are passed on to processors in connection with the data usage. These transfers take place within the European Union (EU) or the European Economic Area (EEA).

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected.

5. Objection and deletion options

Registered users may correct their data or revoke the use of yourSIZE online at any time. It is also possible to send an email to yourclub@humanic.net or to dataprotection@LSAG.com.

X. Contact form and email contact

1. Description and scope of data processing

There is a contact form on our website which can be sent to us electronically. If a user contacts us in this way, the data entered in the input mask will be transmitted to us and stored. These data are as follows:
(1) Subject of inquiry
(2) Forename and surname
(3) email address
(4) Telephone number
(5) Inquiry/message
(6) Country

The following data are also saved when the message is sent:
(1) The IP address of the user
(2) Date and time of registration

Alternatively, you can contact us via the email address provided. In this case, the personal data transmitted by the user with the email will be stored. In this context, the data will not be passed on to third parties. The data will be used for the sole purpose of communicating with the user.

2. Legal basis for data processing

The legal basis for the processing of the data is the consent of the user in accordance with Art. 6 (1) a) GDPR. The legal basis for the processing of the data transmitted in the course of sending an email is Art. 6 (1) f) GDPR. If contact is made by email with a view to entering into a contract, the additional legal basis for the processing is Art. 6 (1) b) GDPR.

3. Purpose of data processing

The personal data taken from the input mask are processed only to deal with the matter about which we were contacted. If contact is made by email, this also constitutes the necessary legitimate interest in the processing of the data.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to safeguard the security of our information technology systems.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected. Where personal data are taken from the input mask of the contact form and are sent by email, this is the case when the respective conversation with the user is finished. The conversation is finished when it can be inferred from the circumstances that the relevant points have been clarified and the matter has been finalised.

The additional personal data collected during the sending process will be deleted after a period of no more than 30 days.

5. Objection and deletion options

Users may revoke their consent to the processing of the personal data at any time. If users contact us by email, they may object to the storage of their personal data at any time. In any such case, the conversation cannot be continued.

In order to withdraw your consent, please write to dataprotection@LSAG.com. All the personal data stored in the course of the conversation will be deleted in this case.

XI. Web analysis (Google Analytics)

1. Description and scope of data processing

We use Google Analytics to improve the functionality of our website and to adapt it to the needs of our customers. All the details on the Google Analytics privacy policy can be found at the following address: https://support.google.com/analytics/answer/6004245?hl=de

The following data categories are used by Google Analytics:
(1) IP address
(2) Origin (country, state and city)
(3) Language
(4) Operating system
(5) Device (PC, tablet PC and smartphone incl. dimensions/screen resolution)
(6) Browser and all add-ons used
(7) Sources of traffic (social networks like Facebook, search engines, websites visited, newsletters or affiliate programs)
(8) Surfing habits (landing pages/pages visited, click paths, bounce rates and dwell time)
(9) Sales figures (storage of sales in the online shop, conversion rates)

All the data listed here are provided to Google Inc. They are provided for the purpose of analysing the usage of our website by visitors (incl. online shop). The legal basis of the transfer is the Privacy Shield framework. The data are not sent to any international organisations.

2. Legal basis for data processing

The legal basis for the processing of the data is the consent of the user in accordance with Art. 6 (1) a) GDPR.

3. Purpose of data processing

The purpose of web analysis is to analyse the behaviour of our users in order to optimise our website for them.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected or you revoke your consent by deleting the cookie.

5. Objection and deletion options

Users may revoke their consent to the processing of the personal data at any time by deleting the cookie. Other possible ways of withdrawing consent to the use of data can be found at the following address: https://support.google.com/analytics/answer/6004245?hl=en

XII. Social media plug-ins

1. Description and scope of data processing

We use social media plug-ins to attract attention to our advertising, to measure the success rate of our advertising and for target marketing.

The following data are used in the advertising analysis process:
(1) Date and time of the website visit
(2) Type and number of actions (e.g. page view, registration, shopping cart, purchase)
(3) Content of pages visited (e.g. purchase price, product categories)
(4) Pages visited on our website
(5) Frequency of visits to our website (number of visits)
(6) Type of device used to visit our website
(7) Redirect URL
(8) Social media plug-in indexed content

All the data listed here are provided to the social media plug-in operator. They are provided with a view to attracting attention to our advertising and measuring the success rate of our advertising as well as for target marketing. The legal basis for the transfer of the data is the consent of the user in accordance with Art. 6 (1) a) GDPR. For social media plug-in operators based in the USA, the Privacy Shield framework is the legal basis of the transfer. The data are not sent to any international organisations.

2. Legal basis for data processing

The legal basis for the processing of the data is the consent of the user in accordance with Art. 6 (1) a) GDPR.

3. Purpose of data processing

Advertising analysis serves the purposes of attracting attention to our advertising, measuring the success rate of our advertising, and target marketing.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected or you revoke your consent by deleting the cookie.

5. Objection and deletion options

Users may revoke their consent to the processing of the personal data at any time by deleting the cookie.

Other possible ways of withdrawing consent to the use of data can be found at the following addresses:
https://www.facebook.com/policy.php
https://policy.pinterest.com/de/privacy-policy
https://help.instagram.com/155833707900388

XIII. Video surveillance

1. Description and scope of data processing

There are CCTV systems on the shop floor and in the storage areas in some branches in order to prevent theft and to preserve evidence in the event of theft. The areas which are monitored are clearly indicated by pictograms.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 (1) f) GDPR.

3. Purpose of data processing

The data are used to protect property and to preserve evidence in cases of theft.

4. Term of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected.

5. Objection and deletion options

The personal data are required for the overriding interest of protecting the property therefore you cannot exercise any right of objection and deletion in this respect.

XIV. Applicant data

1. Description and scope of data processing

The following personal data are collected in the course of job application processes:
(1) Contact details
(2) Covering letter
(3) Curriculum vitae
(4) References
(5) Recruitment consultant/online platform (optional)

We will have received these data either in the course of an electronic application (e.g. by email), by post, by personal delivery or from a recruitment consultant or an online platform.

In order to conduct the application process, personal data will be exchanged between the head office and the branches (Humanic and Shoe4You) of Leder und Schuh AG. These data will not be passed on to third parties and will only be used in connection with job application processes.

2. Legal basis for data processing

The legal basis for the processing of the data is a potential employment contract which we may wish to enter into with you. In this sense, the legal basis is the fulfilment of the contract pursuant to Art. 6 (1) b) GDPR.

3. Purpose of data processing

The applicant data are used to recruit employees and to establish working relationships (conclusion of employment contracts).

4. Term of storage

The personal data will be stored for as long as necessary to accomplish the relevant purpose or to fulfil legal obligations to preserve business records or to safeguard legal claims. The data will be deleted on expiry of the statutory retention periods.

5. Objection and deletion options

Users may revoke their consent to the processing of the personal data at any time by sending an email to dataprotection@LSAG.com.

XV. Rights of data subjects

If your personal data are processed, you are defined as the data subject by the GDPR and you have the following rights towards the controller:

1. Right of access

You may ask for confirmation from the controller as to whether your personal data are being processed and, where this is the case, you may ask for the following information:
(1) the purposes for which the personal data are processed
(2) the categories of personal data which are processed
(3) the recipients or categories of recipients to whom your personal data have been or will be disclosed
(4) the envisaged period for which your personal data will be stored or, where this cannot be established with certainty, the criteria used to determine the term of storage
(5) the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to object to such processing
(6) the existence of a right to lodge a complaint with a supervisory authority
(7) where the personal data are not collected from the data subject, any available information as to their source
(8) the existence of automated decision-making, including profiling, as referred to in Art. 22 (1) and (4) GDPR and – at least in these cases – detailed information on the logic involved and the significance and the envisaged consequences of such processing for the data subject

You have the right to request information as to whether your personal data are transferred to a third country or to an international organisation. In this context, you may ask to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

2. Right to rectification

You have a right to ask the controller to correct and/or complete your personal data records if the information being processed is incorrect or incomplete. The controller must rectify the situation without undue delay.

3. Right to restriction of processing

You may ask for the processing of your personal data to be restricted where the following conditions apply:
(1) if you contest the accuracy of your personal data for a period of time which enables the controller to verify the accuracy of the personal data
(2) if the processing is unlawful
(3) if the controller no longer needs the personal data for the relevant processing purposes but you need them to establish, exercise or defend legal claims
(4) if you have objected to the processing pursuant to Art. 21 (1) GDPR pending verification as to whether the legitimate grounds of the controller override your grounds

Where processing has been restricted, such personal data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the processing was restricted on the conditions listed above, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Duty of erasure

You may ask the controller to erase your personal data without undue delay, and the controller will be obliged to erase these data without undue delay if any of the following grounds should apply:
(1) Your personal data are no longer needed for the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing was based pursuant to Art. 6 (1) a) or Art. 9 (2) a) GDPR and there is no other legal basis for the processing.
(3) You file an objection to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection to the processing pursuant to Art. 21 (2) GDPR.
(4) Your personal data have been processed unlawfully.
(5) The erasure of your personal data is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.
(6) Your personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

b) Information to third parties

Where the controller has made your personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the data, the controller, taking account of the available technology and the implementation costs, shall take reasonable steps – including technical measures – to inform those responsible for the data processing who are processing personal data that you, the data subject, have requested that they erase all links to these personal data or to copies or replications of these personal data.

c) Exceptions

The right to erasure shall not apply insofar as the processing is necessary for the following reasons:
(1) for exercising the right to freedom of expression and information
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) h) and i) and Art. 9 (3) GDPR
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in paragraph a) is likely to render impossible or seriously compromise the achievement of the objectives of this processing
(5) for the establishment, exercise or defence of legal claims

5. Right to notification

If you have exercised the right of rectification, erasure or restriction of processing against the controller, then the controller will be obliged to notify all recipients to whom your personal data have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort and expense. You have the right to be notified about these recipients by the controller.

6. Right to data portability

You have the right to receive the personal data which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right, in the following cases, to transmit these data to another controller without any hindrance from the controller to whom or which the personal data were provided:
(1) the processing is based on consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) b) GDPR and
(2) the processing is carried out by automated means

In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another where this is technically feasible. The freedoms and rights of others must not be adversely affected in this process.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is carried out on the basis of Art. 6 (1) e) or f) GDPR. The controller will no longer process your personal data unless the latter can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the data are processed for the establishment, exercise or defence of legal claims.

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data for the purpose of such marketing. This also applies to profiling insofar as it is connected with such direct marketing. If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

In the context of the use of information society services – notwithstanding Directive 2002/58/EC – you may exercise your right of objection by automated means using technical specifications.

8. Right to revoke the declaration of consent pursuant to data privacy law

You have the right to revoke your consent pursuant to data privacy law at any time. The revocation of consent will not affect the legality of the processing carried out on the basis of the consent until its revocation.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or significantly affects you in a similar manner. This will not apply in the following instances:
(1) the decision is necessary for the conclusion or performance of a contract between you and the data controller
(2) the decision is authorised by Union or Member State law to which the controller is subject and which also lays down appropriate measures to safeguard your rights and freedoms and your legitimate interests
(3) the decision is taken with your explicit consent

These decisions may not be based on special categories of personal data referred to in Art. 9 (1) GDPR, however, unless Art. 9 (2) a) or g) applies and suitable measures have been put in place to protect the rights and freedoms and your legitimate interests. In the cases referred to in paragraphs (1) and (3) above, the data controller shall implement suitable measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, the right to express your point of view and the right to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Request for Information under the General Data Protection Regulation (GDPR)