bye. bellas

I'm Nina, the founder of ciao.

Over the past year I have visited numerous fabric producers and tailors in the EU to create the perfect sustainable boho dresses.

The result is beautiful dresses in silky soft satin fabric made from 50% recycled viscose and 50% organic viscose. This reduces our water consumption and CO2 emissions by 50%.

  1. Name and address of the person responsible

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

MN eCommerce OG

Email: info@ciaothelabel.at

Website: www.ciaothelabel.at

  1. General information on data processing
  2. Scope of processing of personal data

In principle, we only process the personal data of our users to the extent that this is necessary to provide a functional website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in such cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by statutory provisions.

  1. Legal basis for processing personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. Article 6 (1) (b) GDPR serves as the legal basis for the processing of personal data required to fulfill a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6 Paragraph 1 lit. d GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the person concerned do not outweigh the first interest, Article 6 Paragraph 1 Letter f GDPR serves as the legal basis for the processing.

  1. Data Erasure and Storage Duration

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

III. conclusion of sales contracts

  1. Description and scope of data processing

Our website offers the possibility of concluding sales contracts. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and saved. We disclose customer accounts and personal information about customers when we are required to do so by law or when such disclosure is necessary to enforce our terms and conditions or other agreements (e.g. to shipping service providers) or the rights of Ciao., as well as the rights of our customers and to protect from third parties. This includes exchanging data with companies to prevent and minimize abuse and credit card fraud.

  1. Legal basis for data processing

Insofar as the processing of the data is necessary for the conclusion of the contract, Art. 6 Paragraph 1 lit. b GDPR serves as the permit standard for data processing.

  1. purpose of data processing

The data processing serves to process the closed purchase contract. We use your personal information to take and fulfill orders, deliver products and services, process payments, and communicate with you about orders, products, services, and promotional offers.

  1. Duration of storage

Your personal data will be deleted if there are no legal storage obligations to the contrary and if you have asserted a claim for deletion, if the data is no longer required to fulfill the purpose for which it was stored or if its storage is inadmissible for other legal reasons.

  1. Possibility of objection and elimination

If the data is required to fulfill a contract or to carry out pre-contractual measures, the data can only be deleted prematurely if there are no contractual or legal obligations to the contrary.

  1. When buying with Klarna Sofortüberweisung

If you opt for the payment services of Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter Klarna), we will forward your data as part of the payment and contract processing in accordance with Art. 6 para. 1 sentence 1 letter b) GDPR to Klarna. This data is transmitted so that Klarna can create an invoice for the invoice processing you require and carry out an identity and credit check. Please understand that we can only offer you the respective Klarna payment method if this is possible based on the results of the credit check. Detailed information on this and the credit agencies used can be found in Klarna's data protection information.

  1. Provision of the website, tracking and analysis
  2. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected here:

(1) Information about the browser type and version used

(2) The user's operating system

(3) The user's internet service provider

(4) The IP address of the user

(5) Date and time of access

(6) Websites from which the user's system accesses our website

(7) Websites accessed by the user's system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

  1. Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Article 6 (1) (f) GDPR.

  1. purpose of data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session. Storage in log files takes place to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing in accordance with Article 6 (1) (f) GDPR also lies in these purposes.

  1. Duration of storage

The data is converted into an aggregated form of user flows, which do not allow any traceability of individuals. The raw data collected will then be deleted immediately. The aggregated statistical data is stored for analysis purposes.

If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or alienated so that it is no longer possible to assign the calling client.

  1. Possibility of objection and elimination

The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

  1. Information about the use of the website
  2. Description and scope of data processing

When users visit our website, this activity is automatically recognized in our measurement and retargeting services, provided the user agrees to this data processing. If the user is also known to us as a customer and can be identified, for example, via browser cookies, we save the goods category and product interests obtained in this way in the customer profile that we already have.

(1) Information about websites visited

(2) The user's length of stay on individual pages

(3) References provided by the customer

(4) Customer Contact Information

(5) User cookies

(6) Date and time of access

(7) Websites from which the user's system reached our website

We use this partly anonymous and, in the case of existing customers and newsletter subscribers, personal information not only to improve our services and our product range, but also to provide targeted content and advertising measures that are precisely tailored to the interests and needs of the respective user. For this purpose, the data on user behavior and preferences are collected and stored in the form of customer profiles and passed on to service providers for the implementation of advertising measures.

  1. Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Article 6 (1) (f) GDPR.

  1. purpose of data processing

The purpose is to carry out interest-based advertising measures and to display personalized content in the online shop and the mobile app, which is more useful and interesting for the user and used more efficiently in terms of marketing expenditure than general advertising. This collected data is not used for any other purpose nor sold to third parties.

  1. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. If the data is collected to identify current customer interests, this is the case when the purchase process has probably been completed and there is therefore no further customer need for this type of product.

  1. Possibility of objection and elimination

The collection of service usage data and the storage of customer profiles is not absolutely necessary for the operation of the website. The data is therefore only collected with the consent of the user. The customer can revoke this consent at any time. If the data is required to fulfill a contract or to carry out pre-contractual measures, the data can only be deleted prematurely if there are no contractual or legal obligations to the contrary.

VII. Use of cookies and integration of external content

Cookies and similar technologies, such as pixels, tags or beacons (“cookies”) are used to make our offer as pleasant as possible for you. Cookies are small text files that enable the user to be recognized and their use of our website to be analysed.

Most of the cookies we use are automatically deleted from your hard drive at the end of the browser session (“session cookies”). Session cookies are required, for example, to offer you the shopping cart function across multiple pages. In addition, we also use cookies that remain on your hard drive beyond the session (“persistent cookies”). On another visit, it will then be automatically recognized that you have already been with us and which inputs and settings you prefer. In particular, these cookies serve to make our offer more user-friendly, effective and secure.

We use the following cookies:

- Cookie name/ Technology: Amplitude

- Cookie provider and data recipient: Amplitude, Inc., 631 Howard Street, Floor 5, San Francisco, CA 94105, USA, supports us, MN eCommerce OG, as a processor in using this tool.

- Purpose of processing: range measurement, in particular recording and analyzing traffic and purchases on our website and creating reports on this; Conversion tracking (analysis of marketing campaigns on third-party sites); Optimization of the customer journey on our website.

- Processed data: IP address, unique user ID, session ID, Google and Facebook user ID, pages visited on our website, referrer URL, usage behavior on our website, information about the device, operating system, browser, location (city/country) .

- Storage period: 1 year

- Place of processing: United States

- Legal basis: Consent (Art. 6 Para. 1 lit. a GDPR). You can manage your cookie preferences at any time in this Cookie Consent Solution and enable or disable the tool.

- Cookie name/technology: Hotjar

- Cookie provider and data recipient: Hotjar Ltd., Dragonara Business Center, 5th Floor, Dragonara Road, Paceville St. Julian's STJ 3141, Malta, supports us, MN eCommerce OG, as a processor in using this tool.

- Purpose of processing: tracking movements on our website using heat maps and recordings and how far users scroll and which buttons they click in order to make the website even faster and more customer-friendly.

- Processed data: session ID, shortened IP address, device ID, mouse movements on our website by users (heat maps and recordings of individual user click sessions), keyboard movements, time stamp, website visited and referrer URL, page content, screen resolution, device type, Operating system, browser, location (country), language of the visited page

- Duration of storage: 30 days

- Place of processing: Malta

- Legal basis: Consent (Art. 6 Para. 1 lit. a GDPR). You can manage your cookie preferences at any time in this Cookie Consent Solution and enable or disable the tool.

- Cookie name/technology: session

- Cookie provider and data recipient: Shopify supports us, MN eCommerce OG, as a processor in using this tool.

- Purpose of the processing: Recognizing the logged-in user within a session, (i) so that the username and password do not have to be entered repeatedly and (ii) to enable the shopping cart to be remembered.

- Processed data: session ID, products placed in the shopping cart

- Storage duration: session

- Legal basis: Cookies that are absolutely necessary to fulfill a contract (Article 6 (1) (b) GDPR).

- Cookie name/ Technology: CSRF

- Cookie provider and data recipient: Shopify supports us, MN eCommerce OG, as a processor in using this tool.

- Purpose of processing: IT security (protection of forms on the website from fraudulent attacks using so-called cross-site scripting)

- Processed Data: Randomly generated string of numbers

- Storage duration: session

- Legal basis: Cookies that are absolutely necessary to fulfill a contract (Article 6 (1) (b) GDPR).

- Cookie name/technology: Timezone

- Cookie provider and data recipient: Shopify supports us, MN eCommerce OG, as a processor in using this tool.

- Purpose of processing: A fixed time is set in the database, which is converted using the time zone cookie according to the user's time zone. In this way, the correct time is always displayed to the user. The cookie is set for both frontend and admin functions.

- Data processed: time zone of the user

- Storage duration: session

- Legal basis: Cookies that are absolutely necessary to fulfill a contract (Article 6 (1) (b) GDPR).

- Cookie name/technology: Google Analytics

- Cookie provider and data recipient: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

- Purpose of processing: range measurement, in particular recording and analyzing traffic and purchases on our website and creating reports on this; Optimization of user-friendliness and improvement of the website. Individualized tracking, retargeting, personalized advertising and creation of a usage profile in order to show you advertising that corresponds to your usage behavior, analysis of purchases.

- Processed data: Abbreviated IP address, cookie ID, location (country, city), browser information (browser type), internet provider, referrer/exit pages, operating system, date/time stamp, device, screen resolution, usage data (pages viewed on our Website, clicks, scrolling behaviour), aggregated information on the ordering process and orders (including sales, the products ordered and the duration of purchases, cancellations in the purchasing process), data on the achievement of "website goals" (e.g. contact requests and newsletter registrations) and data on usability tests of our website. Google does not process this personal data in an anonymous form. Google can use this personal data - in accordance with the user's data protection settings at Google - for its own purposes (e.g. profiling) and link the personal data with other data stored about the user (e.g. the user's Google account).

- Storage period: 14 months

- Place of processing: EU, USA. The personal data is usually transferred from Google Ireland to a Google LLC server in the USA and stored there. Due to the activation of the shortening of the IP address on this website, your IP address will be shortened beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there.

- Legal basis: Consent (Art. 6 Para. 1 lit. a GDPR). You can manage your cookie preferences at any time in this cookie consent solution under the "Settings" tab and enable or disable the tool.

- Cookie name/technology: Facebook Website Custom Audiences

- Cookie provider and data recipient: Facebook Ireland Limited, Misery Hill, Dublin 2, D02, Ireland

- Purpose of processing: conversion tracking, retargeting, remarketing, personalization of advertising, comparison of your usage behavior with the usage behavior of similar customers on Facebook (so-called lookalike customers) in order to also display this lookalike customer Ciao. ad on Facebook, analysis the profitability and effectiveness of advertising measures

- Processed data: abbreviated IP address, cookie ID, pixel ID, website usage data, information about the browsing session, URL of the website visited by the user, further surfing behavior (= websites subsequently visited), page location, referrer URL, User agent (e.g. browser, e-mail or newsreader), operating system

- Duration of storage: 180 days

- Place of processing: EU, USA. The personal data is usually transferred to a Facebook, Inc. server in the USA and stored there.

- Legal basis: Consent (Art. 6 Para. 1 lit. a GDPR). You can manage your cookie preferences at any time in this cookie consent solution under the "Settings" tab and enable or disable the tool.

- Cookie name/technology: Google Marketing Platform & Campaign Manager

- Cookie provider and data recipient: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

- Purpose of processing: Aggregated, i.e. summarized, analysis of the profitability and effectiveness of advertising measures, restriction of the display of advertising, combating fraud and abuse. Conversion tracking, remarketing, analysis of the profitability and effectiveness of advertising measures, segmentation of users based on their interests, personalized advertising.

- Processed data: Aggregated usage behavior (e.g. clicks on advertising and subsequent actions, e.g. shopping), displayed advertising in the Google advertising network. Google also processes your rough location (at the local level) and context information (e.g. content of the currently viewed page and your search terms) as part of the “non-personalised advertising” function in order to show you generic Ciao. advertising in the Google advertising network. This advertising is not personalized and Google does not track your click behavior on a user-related basis. Ciao. receives this data only in aggregated form. You can find more information here: https://support.google.com/admanager/answer/9005435?hl=de&ref_topic=28145 You must declare your objection to non-personalised advertising to Google. You can find more information here: https://policies.google.com/privacy?hl=de, cookie ID, usage behavior of our website (e.g. adding products to the shopping cart, subscribing to the newsletter, making appointments, transactions), your location (country and abbreviated ZIP code), language, approximate age, browser information, device information, searches on Google.

- Duration of storage: 540 days

- Place of processing: EU, USA. The personal data is usually transferred to a Google LLC server in the USA and stored there.

- Legal basis: Consent (Art. 6 Para. 1 lit. a GDPR). You can manage your cookie preferences at any time in this cookie consent solution under the "Settings" tab and enable or disable the tool.

You can accept or reject cookies - apart from cookies that are absolutely necessary for the provision of our website - on your first visit to our website and at any time thereafter in our cookie settings. To do this, you must tick or remove the tick next to the cookie and click on "Save selection and agree". These settings apply to your computer and mobile device. You can also make settings for cookies in your browser settings or via www.youronlinechoices.com. If you refuse cookies, certain pages on our website or the functionalities provided may not be available.

VIII. Newsletters and Marketing Communications

  1. Description and scope of data processing

On our website you have the option of subscribing to a free, regular newsletter and other marketing communications (“newsletter”). In the newsletter we regularly inform you about current product and service offers from Ciao by e-mail. We can customize the newsletter for you based on the data given below. The following data is processed in connection with the newsletter if we can assign it to you:

  • Data that we collect when you register for the newsletter: e-mail address;
  • Data that we process to prove your consent: IP address, time of registration for the newsletter and confirmation of the e-mail address, click on the confirmation link in the confirmation e-mail, content of the declaration of consent;
  • Data that we collect to measure the relevance and success of your use of our newsletter: user ID, email address, IP address, opening of the newsletter, usage behavior in the newsletter (e.g. clicks on articles, links or products), your further usage behavior on our website after clicking on links in the newsletter (e.g. viewed and purchased products and services). For this purpose, we use a tracking cookie that is assigned to your email address by the user ID.
  • Information we collect about your purchases: Products and services purchased, vouchers redeemed;
  • Data we collect via enabled cookies as described in our Cookie Consent Solution;
  • Coupon Redeemed Data.
  1. Legal basis for data processing

If you have registered for our newsletter, the legal basis for the processing of the data is your consent under Article 6 (1) (a) GDPR. We then check the email address provided when registering for the newsletter as part of a so-called double opt-in procedure, in which we send a confirmation email to the email address provided.

  1. purpose of data processing

We process your data to send you the newsletter. We also process the data to get to know your interests and to provide you with content on our website or in the newsletter tailored to your interests.

  1. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. We will therefore process your data for as long as you have not revoked your consent. If you have revoked your consent, we will no longer send you newsletters and will delete your data in accordance with the provisions of the GDPR and the BDSG.

  1. Possibility of objection and elimination

You can revoke your consent at any time with effect for the future by clicking on the unsubscribe link at the end of each newsletter or by sending an email to (info@ciaothelabel.at) stating the email address to which the newsletter was sent should no longer be sent.

  1. My account

(1) Data processing for registration and use of "My Account"

  1. Description and scope of data processing

Users can register for "My Account" and use a variety of services, in particular simplified shopping, retrieving the order overview, creating a favorites list, booking and managing consultation appointments and transporters, receiving coupons, participating in sweepstakes and user surveys, publishing product reviews, Customer Support Requests. We process the following data in connection with the registration and use of "My Account":

  • Data that we collect when registering for "My Account" (email address, password, date of registration)
  • Data that we process to prove your registration (IP address, time of registration for "My Account" and confirmation of the e-mail address, click on the confirmation link in the confirmation e-mail)
  • Data that you store in your user account (name, title, preferred billing and delivery address, payment method)
  • Data on your current and past orders (name, title, products purchased, price, payment method, time of order, status of orders, billing address, redeemed vouchers)
  • Goods you have added to your favorites list
  • Data that we collect in connection with your appointments (name, title, email address, telephone number, time of the consultation appointment, branch, furnishing plans from the consultation appointment)
  • Information about coupons you have received and redeemed
  • Data that we collect as part of surveys (information on the type of living space (e.g. house or apartment), your rooms, your furnishing style, the number of people in your household, planned change of residence, name, gender, date of birth, address, telephone number, e-mail address, answers to our questions about your customer satisfaction)
  • Data you enter in product reviews
  • Data that you provide in your inquiries to customer support (name, content of the inquiry)
  1. Legal basis for data processing

The legal basis for data processing in connection with the services of "My Account" is Article 6 Paragraph 1 Letter b GDPR (performance of contract).

The legal basis for storing your data together in our user database and filling in your master data is our legitimate interest (Art. 6 Para. 1 lit. f GDPR) in IT security and data accuracy and being able to offer you uniform services. We save you only once in our database and with your current and correct data in our user database and can provide you with a simple registration process for your "My Account" user account.

  1. purpose of data processing

We process the data in order to provide the users with the services in connection with the user account.

  1. Duration of storage

We process the data for as long as the contract of use for the user account exists. In addition, we only store this data to fulfill any legal storage obligations or to assert or defend against legal claims.

(2) Data processing to customize the services for "My Account" users

  1. Description and scope of data processing

For users who have signed up for My Account, we want the Services to match their interests. We therefore process your data in connection with the registration and use for "My Account" combined with your other usage behavior (especially data on the use of the e-mail newsletter, surveys, redeemed coupons, cookie data, sales pitches and the baby box) if you wish this and we can assign this data to you (e.g. through behavior during login to my account) in order to be able to personalize newsletters, product recommendations that we display to you on our website and vouchers according to your interests.

  1. Legal basis for data processing

The legal basis for the customization of the newsletter, product recommendations on the website and vouchers is your consent (Art. 6 Para. 1 lit. a GDPR), which we obtain separately. You can revoke your consent at any time with effect for the future.

  1. purpose of data processing

We process the data in order to customize the services (newsletter, product recommendations on the website and vouchers) for the user.

  1. Duration of storage

We process the data for as long as the usage contract for the user account exists and the user has not withdrawn their consent. In addition, we only store this data to fulfill any legal storage obligations or to assert or defend against legal claims.

  1. Contact form and email contact
  2. Description and scope of data processing

There is a contact form on our website which can be used to contact us electronically. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and saved. These dates are:

First and Last Name

E-mail address

message/comment

If applicable, telephone no.

If applicable, a delivery and billing address

If applicable, your order number.

At the time the message is sent, the following data is also stored:

(1) The IP address of the user

(2) Date and time of registration

Your consent will be obtained for the processing of the data during the sending process and reference will be made to this data protection declaration.

Alternatively, you can contact us via the email address provided. In this case, the user's personal data transmitted with the e-mail will be stored.

In this context, the data will not be passed on to third parties. The data will only be used to process the conversation.

  1. Legal basis for data processing

The legal basis for processing the data is Article 6(1)(a) GDPR if the user has given their consent.

The legal basis for the processing of data transmitted in the course of sending an email is Article 6 Paragraph 1 Letter f GDPR. If the e-mail contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.

  1. purpose of data processing

The processing of the personal data from the input mask serves us solely to process the contact. If contact is made by e-mail, this is also the necessary legitimate interest in the processing of the data.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

  1. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is over when it can be inferred from the circumstances that the facts in question have been finally clarified.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

  1. rights of the data subject

If personal data is processed by you, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:

  1. right of providing information

You can request confirmation from the person responsible as to whether personal data relating to you is being processed by us.

If such processing is present, you can request information from the person responsible for the following information:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;

(4) the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage duration;

(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to this processing;

(6) the existence of a right of appeal to a supervisory authority;

(7) all available information about the origin of the data if the personal data are not collected from the data subject;

(8) the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether your personal data is being transmitted to a third country or to an international organization. In this context, you can request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

  1. Right to Rectification

You have a right to correction and/or completion to the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.

  1. Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of your personal data:

(1) if you dispute the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;

(3) the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or

(4) if you have lodged an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State are processed.

If the restriction of processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

  1. Right to Erasure
  2. a) Obligation to delete

You can request the person responsible to delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You revoke your consent on which the processing was based pursuant to Article 6 Paragraph 1 Letter a or Article 9 Paragraph 2 Letter a GDPR and there is no other legal basis for the processing.

(3) You object to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Article 21 (2) GDPR.

(4) The personal data concerning you was processed unlawfully.

(5) The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

(6) The personal data concerning you was collected in relation to information society services offered pursuant to Article 8 (1) GDPR.

  1. b) Information to third parties

If the person responsible has made the personal data relating to you public and is obliged to delete it in accordance with Art. 17 (1) GDPR, he shall take appropriate measures, including technical measures, to protect the person responsible for data processing, taking into account the available technology and the implementation costs , who process the personal data, that you, as the data subject, have requested them to delete all links to this personal data or copies or replications of this personal data.

  1. c) Exceptions

The right to erasure does not exist if processing is necessary

(1) to exercise the right to freedom of expression and information;

(2) to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller became;

(3) for reasons of public interest in the field of public health in accordance with Article 9 (2) lit. h and i and Article 9 (3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law mentioned under Section a) is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or

(5) to assert, exercise or defend legal claims.

  1. right to information

If you have asserted the right to correction, deletion or restriction of processing against the person responsible, he is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the person responsible.

  1. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person responsible without hindrance by the person responsible for providing the personal data, provided that

(1) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and

(2) the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible. The freedoms and rights of other people must not be impaired by this.

The right to data portability does not apply to processing of personal data that is required to perform a task that is in the public interest or in the exercise of official authority that has been assigned to the controller.

  1. Right to object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6 Paragraph 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

The person responsible no longer processes the personal data relating to you unless he can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you is processed in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to the processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In connection with the use of information society services, you have the option – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures that use technical specifications.

  1. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.

  1. Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the person responsible,

(2) is permissible on the basis of Union or Member State legislation to which the person responsible is subject and this legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or

(3) with your express consent.

However, these decisions may not be based on special categories of personal data according to Article 9 Paragraph 1 GDPR unless Article 9 Paragraph 2 lit. a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests .

With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the person responsible, to express his or her point of view and to challenge the decision.

  1. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of your personal data is contrary to violates the GDPR.

The supervisory authority to which the complaint was lodged will inform the complainant about the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

XII. Transmission to third countries

If we transfer your personal data to countries outside the European Economic Area (EEA) or commission processors in such countries (e.g. in the USA), we implement the legally required standards and security mechanisms. We achieve this, for example, by agreeing the so-called EU standard contracts. Please contact us as described under point 1 to find out more about the specific security mechanisms we use.