Data protection

 

Outline / index

 

A. Name and contact information for the Controller

 

B. Name and contact information for the Data Protection Officer

 

C. Scope of processing of personal data, purpose of processing

 

1. Accessing our website and creating log files

a) Description of data processing, storage
b) Purpose & legal basis of data processing
c) Sharing
d) Right to object and right to erasure

 

2. Email contact by the user

a) Description of data processing, storage
b) Purpose & legal basis of data processing
c) Sharing
d) Right to object and right to erasure

 

3. Postal advertising

a) Description of data processing, storage, sharing
b) Legal basis for data processing, right to object

 

4. Creating an account for the BOMAG Parts web shop

a) Description of data processing, storage
b) Purpose & legal basis of data processing
c) Sharing, recipients
d) Right to object

 

5. Ordering goods or services via our BOMAG Parts web shop

a) Description of data processing
b) Storage
c) Purpose & legal basis of data processing
d) Sharing, recipients
e) Right to object

 

6. Customer account

a) Description of data processing, storage
b) Purpose & legal basis of data processing
c) Sharing, recipients
d) Right to object and right to erasure

 

7. Cookies

a) Description of data processing, purpose, recipients, sharing
b) Legal basis for data processing
c) Storage length, right to object and right to erasure

 

8. Newsletter

a) Description of data processing, storage
b) Purpose & legal basis of data processing
c) Transfer / recipient of the data
d) Right of objection

 

 

D. Rights of data subjects

 

 

 

 

 

 

 


 

 

 

 

 

 

A. Name and contact information for the Controller

 

 

The Controller in the sense of the General Data Protection Regulation and other data protection provisions regarding data processing is:

 

BOMAG GmbH

Hellerwald, 56154 Boppard, Germany

Phone: 06742/ 100-0

Fax: 06742/ 100 3090

Email: info@bomag.com

Website: www.bomag.com

 

Legal representatives: Ralf Junker, Dirk Woll, Robert Laux

Contact information: see above

 

 

 

 

B. Name and contact information for the Data Protection Officer

 

The Data Protection Officer for the Controller is

 

Andreas Mallmann,

c/o BOMAG GmbH, Hellerwald, 56154 Boppard, Germany

Phone: 06742/ 100-0

Fax: 06742 / 3090

Email: info@bomag.com

 

 

 

 

C. Scope of processing of personal data, purpose of processing

 

1. Accessing our website and creating log files

 

a) Description of data processing, storage

Each time our website is accessed, our system automatically collects data and information from the computer system accessing the site.

The following data is collected in this process:

  • the user’s IP address                            
  • notification whether access was successful

Based on the recorded IP address, we determine the country from which the user is accessing our website. This is used to display the corresponding country and language version of the website (German / English). To do this, the IP address is shortened to the first 6 digits and then analyzed using a Geo IP database to determine the country from which the user is accessing the website. This country is assigned a country code, which is then saved in the log files in place of the IP address.

The other data listed above will be erased from the system’s log files after 7 days unless further processing is required in exceptional cases in order to protect our legitimate interests (e.g. to block IP addresses or file a criminal complaint). In this case, data will be erased as soon as it is no longer needed to achieve the purpose for which it was collected.

This data will not be saved and/or combined with the user’s other personal data.

 

b) Purpose & legal basis of data processing

The data named under a) will be collected

  • in order to permit the website to be delivered to the user’s computer. The legal basis for this is Art. 6 Sec. 1 lt. f GDPR. For technical reasons, the IP address must be stored temporarily in order to display the pages accessed by the user; this represents a legitimate interest on our part in the sense of Art. 6 Sec. 1 Sentence 1 f GDPR that is not opposed by any overriding interests of the user;
  • in order to ensure the security of our web server and fault-free operation of our website, including the web shop system, e.g. documenting failed login attempts, monitoring to prevent or discover hacker attacks. The abovementioned purposes represent a legitimate interest on our part in the sense of Art. 6 Sec. 1 Sentence 1 f GDPR that is not opposed by any overriding interests of the user.

c) Sharing / recipients of the data

The collected data will be stored on our own server.

Data collected as per a) will not be shared with third parties unless this is necessary in the event of attacks on our IT system, see above under b), for instance in the context of filing a criminal claim with law enforcement agencies.

 

d) Right to object

The user’s IP address must be temporarily recorded in order to make the website available, and data must be saved in log files in order to operate the website. Therefore the user does not have a right to object to this. For the rest, you have the right to object at any time to processing on grounds relating to your particular situation; see further information in Section D.

 

 

2. Email contact by the user

 

a) Description of data processing, storage

Among other things, you can contact us via the email address that we provide in the web shop under “Contact.” In this case, the personal data transmitted with the email will be processed by us. We will use this data to respond to the inquiry. If you provide us with your name and mailing address, we will process this data as per Point C 3 (postal advertising).

The data we have collected will be erased as soon as it is no longer needed for the purpose for which it was collected. If the inquiry relates to a contract that has been concluded or is being negotiated, the content, date and time of the communication will be saved until the end of the limitation period for any resulting claims.

In other cases, the personal data from your email inquiry will be restricted from further processing and will only be used as a defense against potential legal claims if the relevant conversation with you has ended. The conversation has ended when circumstances indicate that the matter in question has been definitively resolved. After the end of the limitation period, the data will be erased.

 

b) Purpose & legal basis of data processing

Your email address and any other data you have provided will be stored in order to respond to your inquiry. The legal basis for this is Art. 6 Sec. 1 lt. f GDPR. If the goal of your contact is to establish a contract, an additional legal basis for the processing is Art. 6 Sec. 1 lt. b GDPR.

 

c) Sharing

No data will be shared with third parties in this context. The data will exclusively be used for processing and responding to your contact request. We use our own web server and our own IT system to transmit and process the contact request.

 

d) Right to object and right to erasure

You can object at any time to the use of your personal data. In this case, the conversation cannot be continued. Section D applies in addition.

 

 

3. Postal advertising

 

a) Description of data processing, storage, purpose, sharing

If you provide us with your name and mailing address, we will save this data for potential future mailings of postal advertising regarding our products. The data may be made available to an external service provider performing the franking and mailing services. This service provider will act according to our instructions and on our behalf. The service provider is headquartered in the European Union. No other sharing with third parties will take place. The data will be erased as soon as it is no longer needed in order to achieve the purpose for which it was collected, or if you lodge an objection to its processing.

 

b) Legal basis for data processing, right to object

The legal basis for the data processing described in a) is Art. 6 Sec. 1 lt. f GDPR. Sending product information by mail is a legitimate interest of our company. You can object at any time to this use of your personal data. In this case, we will no longer send you postal advertisements. In addition, Section D applies.

 

 

4. Creating an account for the BOMAG Parts web shop

 

a) Description of data processing, storage

The BOMAG Parts web shop is intended only for entrepreneurs and legal entities. In order to use it, you must register electronically. We will then create a customer account. Registration takes place electronically via the registration page that we provide. The mandatory fields must be completed in order for us to review your registration request, including whether the registering party is in fact an entrepreneur or a legal entity.

The mandatory information is:

  • Company name / name of the legal entity
  • Contact person and his/her telephone number
  • A valid email address
  • Billing address and mailing address, if different
  • VAT ID
  • Desired password for the future customer account

In order to verify the provided email address and your registration request, we will automatically send an email to the email address you have provided before we review the information; in this email, we ask you to confirm your registration request and to make sure your provided data is accurate. If you do not confirm your registration request within 7 days, your registration data will be erased.

Once you confirm your registration request, we will record and store the date and time when the request was sent.

Once we receive your confirmation, we will determine whether the registering party is in fact an entrepreneur or a legal entity. If you are an entrepreneur, we will perform a credit check, since we will be providing advance performance by delivering the parts to be ordered later via our web shop. In the course of the credit check, we will obtain a credit report from Creditreform Koblenz Dr. Rödl & Brodmerkel KG, Rizzastr. 49, 56068 Koblenz. To do so, we will share your company name and registered address. The report will be reviewed and evaluated by us. No automated decision-making will take place.

The results of the registration review will be provided to you by email. Your company name / the name of your legal entity and your mailing address will also be processed as per Point C 3 (postal advertising). If we refuse your registration request, the initially collected data will be erased immediately.

In the event of a successful registration, we will process the data collected during registration as per Point C 6 (Customer account).

 

b) Purpose & legal basis of data processing

The mandatory information for the registration process and any other data you provide will be stored in order to review the registration requirements, to perform the credit check (see above under a)), to inform you of the decision and to create the customer account. The legal basis for this is Art. 6 Sec. 1 lt. b as well as Art. 6 Sec. 1 lt. f GDPR.

Storing the shortened IP address and the time and date when the registration was confirmed serves as proof of your registration and can be used to clarify any misuse of your data if necessary. The legal basis for processing this data is Art. 6 Sec. 1 lt. f GDPR.

 

c) Sharing / recipients of the data

During the credit check, we will share your company name and registered address with the credit bureau named in a). Information about data processing pursuant to Article 14 General Data Protection Regulation (GDPR) that takes place in the credit bureau can be found at www.creditreform-koblenz.de. No other sharing of the data will take place. We use our own web server and our own IT system to transmit and process the registration request.

 

d) Right to object

You can object at any time to the continued registration review and to the transmission of the data named in c) to the credit bureau. In this case, the registration cannot be completed and no future orders can be made via our web shop.

 

 

5. Ordering goods or services via our BOMAG Parts web shop

 

a) Description of data processing

If you wish to place an order via our web shop, you can do so after logging in to your customer account. This automatically uses the data you provided when registering and creating your customer account in order to complete the order information. You can provide a new mailing address and choose the shipping method (standard/express shipping). The new mailing address will be saved in your customer account. After that, you will have another chance to review your order and make any desired changes or corrections. These transactions are not legally binding. Your order will only be submitted to us when you click on the “Buy now” button, which represents a binding offer to conclude a purchase agreement with us. We will immediately electronically confirm our receipt of your order. The order will be saved in your customer account, where you can access it at any time. In addition, we will record and save the date and time when we received the order.

We will inform you electronically about our acceptance or refusal of the order. If you wish, you can log in to your customer account to check the current status of your order and to track shipments.

 

If you select the payment method “credit card” you will be transferred to the website of the payment service “Concardis PayEngine” of the company Concardis GmbH, D-65760 Eschborn for settlement of the purchase price. For this purpose, we forward the purchase price you are paying, your order number (also known as “MerchantOrderID”), our payment reference, your name, the specified delivery and billing address and the item positions. After the payment service has been carried out, we will receive the following information from Concardis GmbH, which we will process:

  • OrderID (transaction at Concardis)
  • Status of the transaction
  • reserved / recorded amount and time

The data relayed by Concardis will be imported into our ERP system and stored, cf. further information under Section C 5 (Order of Goods).

The selected payment service provider may record additional data from you if you open an account there or already use an account there for payment. In these cases, please enquire with the respective payment service about the relevant data processing procedures.

In other respects, we will not share any personal data with third parties. The basis for the data transfer is Art. 6 Sect. 1 lit. b GDPR (Selection of the Payment Method upon Conclusion of the Contract).

 

b) Storage

We are required by commercial and tax regulations to store your address, payment and order data for a period of 10 years. After the end of the standard limitation period following the conclusion of the purchase agreement, your data will be restricted for further processing and will only be used for a defense against possible legal claims or to comply with statutory obligations. This excludes data collected as per C 3 (postal advertising) and data stored in the customer account. This data can be deleted by logging in to the customer area; see the information on customer accounts below in C 6.

If we do not accept your order, the data will be erased within 3 months.

 

c) Purpose & legal basis of data processing

Saving the date and time when your order was submitted serves as proof of your order and can be used to clarify any misuse of your personal data if necessary. The legal basis for processing this data is Art. 6 Sec. 1 lt. f GDPR.

Personal data will be processed during the review and execution of the order:

  • to identify you as the customer,
  • to review acceptance of the order,
  • to clarify any follow-up questions about the ordered products,
  • to deliver the purchased goods,
  • to issue invoices,
  • to process any warranty claims or other legal claims that you assert against us,
  • to assert any claims against you;

the legal basis for this data processing is Article 6 Sec. 1 lt. b GDPR.

 

d) Sharing, recipients

We use our own web server and our own IT system to process your order. The provided mailing address will be shared with our shipping service provider / freight forwarder for the purpose of delivering the order. No other personal data will be shared with third parties.

 

e) Right to object and right to rectification

You can object at any time to the storing of the time and date when the order was submitted; see Section D.

 

 

6. Customer account

 

a) Description of data processing, storage

The customer account can be used to store relevant data about your company / your legal entity for future orders via our web shop, which allows orders to be processed quickly. The customer account stores the data provided upon submission of the registration request, any new mailing addresses and all orders, the date and time of your last login and your selected BOMAG machines.

This data will be erased if more than 2 years have elapsed since your last login. For the rest, you can erase this data by deleting the customer account. To do so, you will need to log in to the customer account. Deleting the customer account will not erase data about concluded purchase agreements that is stored in our application system. Section C 5 applies in this regard.

 

b) Purpose & legal basis of data processing

Creating and saving the customer account makes it fast and easy to place orders, since the customer data does not need to be entered again. In addition, it allows us to effectively ensure that the order is being placed by an entrepreneur or a legal entity under public law, since we exclusively operate a B2B shop. The legal basis for processing this data is Art. 6 Sec. 1 lt. f GDPR.

 

c) Sharing / recipients of the data

The data is not shared with third parties. We use our own web server and our own IT system to save and administer the customer account.  

 

d) Right to object and right to erasure

You can object at any time to the storage and processing of data in the customer account and/or request that it be erased and/or erase it yourself by logging in to the customer account. In this case, you will no longer be able to order our replacement parts from our web shop.

 

 

7. Cookies

 

a) Description of data processing, purpose, recipient, sharing

Our website uses cookies that permit the use of the web shop (for instance to assign selected items to a certain user by way of a session ID assigned with a cookie) and that optimize the use of the web shop based on settings chosen by the user (for instance saving the language preference / display options via a cookie). Further details and cookies are shown in the following table. Some of the functions of our website cannot be offered without the use of cookies.

We use the following cookies:

 

| Name | Function | Technically required | Validity | Stored data |
|---|---|---|---|---|
| Httponly secure cookie | Assigns a session ID to the user when the page is accessed | yes | End of the session | SessionID |
| IPP_User_Settings | Saves selected user settings in the parts catalog | no | 365 days | Layout settings in the parts catalog |
| JSESSIONID | Web shop: Assigns the activities (selected items) to a user | yes | End of the session | Items selected in the parts catalog that were placed in the shopping cart in the web shop |
| Layout-Cookie | Saves the user's layout settings | no | 365 days | GUID of the layout as a value |

 

Cookies are text files that are saved in the user’s web browser or by the web browser on the user’s computer system when you access our website. The cookie contains a unique character string that allows the browser to be clearly identified the next time you access the website or when you go to a different page (retrieving various sub-pages).

User data collected by cookies will not be utilized to create user profiles. Information from the cookies will not be shared with third parties.

 

b) Legal basis for data processing

The legal basis for processing personal data using the abovementioned cookies is Art. 6 Sec. 1 lt. f GDPR, as well as Art. 6 Sec. 1 lt. b GDPR if an order is placed through our web shop.

 

c) Storage length, right to object and right to erasure

Cookies are stored on the user’s computer. The cookies that we use have the “lifespan” (validity period) shown in the table. After this period, the cookies will no longer function. Since the cookies are stored on your end device, you as the user have the option of limiting the use of cookies or deleting them. You can change the settings in your web browser to disable or limit the transmission of cookies. Previously saved cookies can be deleted at any time. This can also take place automatically. If cookies are disabled for our website, you may no longer be able to fully use all of the website functions. We are not able to delete stored cookies from your end device, nor can we automatically save your preference not to receive cookies when you access our site.

 

8. Newsletter

 

a) Description of data processing, storage

On our website you have the option to subscribe to a free newsletter.

We use the so-called double opt-in procedure for the newsletter registration. This means that after you register we send you an e-mail to the specified e-mail address, in which you confirm that you wish to receive the newsletter by clicking on the link it contains. If you do not confirm your registration within 48 hours, the link becomes invalid.

When registering for the newsletter, the data you enter in the input mask is transmitted to us.

In addition, we record and store:

  • The date and time of confirmation of your newsletter subscription (the click on the link in the confirmation e-mail)
  • The date and time of any newsletter cancellation

After your confirmation, we save your e-mail address for the purpose of sending you the newsletter.

Your consent is required in order to process the data and send the newsletter; it is obtained during the registration process, where reference is made to the data protection declaration.

The data is used exclusively for sending the newsletter.

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. If you unsubscribe from the newsletter, the aforementioned data will be restricted for further processing and only used for defence purposes against possible legal claims. After expiry of the limitation period, the data will be deleted.

 

b) Purpose & legal basis of data processing

Your e-mail address is stored in order to send you the newsletter. The legal basis for this is Art. 6 (1) lit. a GDPR.

Storing the time of the confirmation of the newsletter registration / sending the confirmation email is intended to prove your registration and, if necessary, to clarify a possible misuse of your personal data. The legal basis for the processing of this data is Art. 6 (1) lit. a and c and Art. 7 (1) GDPR.

 

c) Transfer / recipients of the data

When sending the newsletter, we use software and services from a special provider, in the course of which the following data, which is stored on our IT system, is made available to it:

  • E-mail address of the newsletter recipient
  • Form of address
  • First name, last name
  • Company
  • Country

The processing of this data is done on our behalf. This service provider is based in the European Union or in a country of the European Economic Area and is subject to our instructions regarding data processing.

No data is transferred to third parties in connection with the data processing for the sending of newsletters.

 

d) Right of objection

Subscription to the newsletter can be terminated at any time by the user. There is a corresponding link for this purpose in every newsletter (unsubscribe from the newsletter).

This also revokes the consent granted for the collection / storage / use of personal data collected during the registration process for sending the newsletter by e-mail.

 

 

 

D. Rights of data subjects

 

 

As the data subject, you have the right to obtain information free of charge about the personal data we have stored about you, as well as the right to rectification, restriction of processing, erasure, third-party notification, data portability, objection, withdrawal of data protection consent, prevention of automatic decision-making, and/or complaints to the responsible supervisory authority for data protection, if necessary. Further details can be found in the additional information below.

If you have any questions about data processing or wish to assert your rights, please contact us, as the Controller, or our Data Protection Officer; see the contact information provided in A and B of this text.

 

 

1. Right to information

 

If we process your personal data, you have the right to request information from us as the Controller, free of charge, about whether we are processing your personal data. If this is the case, you as the data subject have the right to obtain information about this personal data, including the following:

  • the purposes for which the personal data is processed;
  • the categories of personal data being processed;
  • the recipients or categories of recipients to whom your personal data is disclosed or will be disclosed;
  • the period for which your personal data will be stored or, if specific information cannot be provided here, the criteria used to determine this period;
  • the existence of the right to request the rectification or erasure of your personal data, the right to restrict processing by the Controller, or the right to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • all available information about the origin of the data if the personal data is not collected from you as the data subject;
  • the existence of automated decision-making, including profiling, pursuant to Art. 22 Sec. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you as the data subject.

You have the right to request information about whether your personal data is transmitted to a third country or to an international organization. In this context, you can ask to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in conjunction with this transmission.

 

 

2. Right to rectification

 

You have the right to obtain rectification and/or completion from us as the Controller if your processed personal data is inaccurate or incomplete.

 

 

3. Right to restriction of processing

 

You can request the restriction of processing for your personal data where one of the following requirements applies:

  • if you contest the accuracy of your personal data, data processing will be restricted for a period enabling us as the Controller to verify the accuracy of the personal data;
  • if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
  • if we as the Controller no longer need the personal data for the purpose of the processing, but you need it in order to establish, exercise or defend legal claims; or
  • if you object to processing pursuant to Art. 21 Sec. 1 GDPR and we as the Controller are reviewing the lawfulness of the matter. If it has not yet been determined whether the Controller’s legitimate interests override your interests, data processing will be restricted.

If processing of your personal data has been restricted, such data shall, with the exception of storage, only be processed with your consent or in order to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a member state.

If processing has been restricted as per the above requirements, you will be notified by us as the Controller before this restriction is lifted.

 

 

4. Right to erasure

 

a) Erasure obligation

You can ask us as the Controller to immediately erase your personal data, and we as the Controller are obligated to erase this data immediately where one of the following grounds applies:

  • Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw your consent upon which the processing was based pursuant to Art. 6 Sec. 1 lt. a or Art. 9 Sec. 2 lt. a, and there is no other legal basis for the processing.
  • You object to processing pursuant to Art. 21 Sec. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. Sec. 2 GDPR.
  • Your personal data was unlawfully processed.
  • Your personal data must be erased in order to comply with a legal obligation under Union or member-state law to which the Controller is subject.
  • Your personal data was collected in relation to the offer of information security services pursuant to Art. 8 Sec. 1 GDPR.

 

b) Notification of third parties

Where we as the Controller have made your relevant personal data public and are obliged pursuant to Art. 17 Sec. 1 GDPR to erase this personal data, we as the Controller, taking into account the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform third parties that you as the data subject have requested the erasure by these parties of any links to, or copy or replication of, this personal data.

 

c) Exceptions

The right to erasure and to third-party notification shall not apply to the extent that processing is necessary:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation that requires processing under Union or member-state law to which we as the Controller are subject; or
  • to perform a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • for reasons of public interest in the area of public health pursuant to Art. 9 Sec. 2 lt. h and i as well as Art. 9 Sec. 3 GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 Sec. 1 GDPR, in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • to establish, exercise or defend legal claims.

 

 

5. Right to notification

 

We will notify all recipients of your personal data about any rectification, erasure or restriction of processing unless this is impossible or requires unreasonable effort.

You have the right to be notified by us as the Controller about these recipients.

 

 

6. Right to data portability

 

You have the right to receive your personal data, which you have provided to us as the Controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us as the Controller to which the personal data was provided, where:

  • the processing is based on consent pursuant to Art. 6 Sec. 1 lt. a GDPR or Art. 9 Sec. 2 lt. a GDPR or on a contract pursuant to Art. 6 Sec. 1 lt. b GDPR; and
  • the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly by us as the Controller to another controller, where technically feasible. This shall not impair the freedoms or rights of other persons.

The right to data portability does not apply to the processing of personal data that is necessary in order to perform a task carried out in the public interest or in the exercise of official authority vested in us as the Controller.

 

 

7. Right to object

 

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6 Sec. 1 lt. e or f GDPR, including profiling based on those provisions.

We as the Controller shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or unless the processing serves to establish, exercise or defend legal claims.

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

 

 

8. Right to withdraw data protection-related consent

 

You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

 

9. Automated individual decision-making, including profiling

 

You have the right not to be subject to a decision based solely on automatic processing, including profiling, that produces legal effects for you or similarly significantly affects you.

This shall not apply if the decision:

a) is necessary for entering into or performing a contract between you and us as the Controller;
b) is authorized by Union or member-state law to which we as the Controller are subject and also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c) is based on your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 Sec. 1 GDPR, unless Art. 9 Sec. 2 lt. a or g applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in a) or c), we as the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express your point of view and to contest the decision.

 

10. Right to lodge a complaint with a supervisory authority

 

Without prejudice to any other administrative or legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, at your place of work or the location of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint is lodged shall inform the complainant about the status and outcome of the complaint, including the possibility of a legal remedy pursuant to Art. 78 GDPR.