Privacy Policy

Responsible Skillzcard GmbH
Skillzcard GmbH
Am Vorgebirgstor 37
50969 Köln
Phone: +49 (0) 15119605867
E-Mail: info@skillzcard.com

Represented by the managing directors
Mr Alec Agalarov
Mr Deniz Doru


Data protection officer
Michael Agalarov, Skillzcard GmbH, Am Vorgebirgstor 37, 50969 Köln
E-Mail: datenschutz@skillzcard.com

Status: May 2020


Content
  1. Basic information on data processing and legal basis
  2. Types of data processed/ categories of data subjects
  3. Security measures
  4. Passing on of data to third parties and third-party providers
  5. Provision of contractual services/ registration
  6. Making contact
  7. Comments and contributions
  8. Collection of access data and log files
  9. Cookies
  10. Google Analytics
  11. LogRocket
  12. Use of single sign-on procedures Facebook Connect
  13. Newsletter
  14. Payment processing
  15. PDF creation
  16. Rights of the data subject
  17. Deletion of data
  18. Right of objection
  19. Changes to the privacy policy
1. Basic information on data processing and legal bases
1.1. This data protection declaration clarifies the type, scope and purpose of the processing of personal data within our online offer and the websites, functions and contents connected with it (hereinafter jointly referred to as "online offer" or "website"). The data protection declaration applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offer is executed.
1.2. The terms used, such as "personal data" or their "processing", refer to the definitions in Art. 4 of the General Data Protection Regulation (DSGVO).
1.3. The personal data of users processed within the scope of this online offer includes inventory data (e.g. names and addresses of customers), contract data and content data (e.g. entries in the contact form). Furthermore, data that you provide us with is processed, in particular personal data, i.e. name, professional activity (e.g. model), gender, contact email, telephone number, place of work, age, photos, bio/recent projects, agency, body measurements, external appearance, website, videos. We delete this data when you delete your user account. The legal basis for this processing of personal data is Art. 6 para. 1 lit. a. DSGVO.
1.4. The term "user" covers all categories of persons affected by the data processing. These include our business partners, customers, interested parties and other visitors to our online offer. The terms used are to be understood in a gender-neutral way.
1.5. We process personal data of users only in compliance with the relevant data protection regulations. This means that user data will only be processed if a legal permission has been granted, especially if the data processing is necessary for the provision of our contractual services (e.g. processing of orders) and online services, or if it is legally required, or if the consent of the users has been obtained, as well as on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO, in particular in the measurement of reach, the creation of profiles for advertising and marketing purposes as well as the collection of access data and the use of third-party services).
1.6. We point out that the legal basis for consent is Art. 6 para. 1 lit. a. and Art. 7 DSGVO, the legal basis for processing for the purpose of fulfilling our services and implementing contractual measures is Art. 6 para. 1 lit. b. DSGVO, the legal basis for processing for the fulfilment of our legal obligations is Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to safeguard our legitimate interests is Art. 6 para. 1 lit. f. DSGVO.

2. Types of data processed/ categories of data subjects
2.1. The personal data of the users processed within the scope of this online offer include:
- Inventory data (e.g. names and addresses of customers),
- Contact details (e.g. e-mail, telephone numbers),
- Communication data,
- Contract data (e.g. services used, names of clerks, payment information),
- Usage data (e.g. the visited websites of our online offer, interest in our

2.2. The following persons are affected by the data processing:
- Contract and business partners,
- Users of our online offer,
- Interested parties who are interested in our online offer or who contact us for other reasons and
- customers.


3. Security measures
3.1. In accordance with Art. 32 DSGVO, we take appropriate organisational, contractual and technical security measures in line with the state of the art, taking into account the implementation costs and the nature, scope, circumstances and purposes of data processing as well as the varying degrees of probability and severity of risk to rights and freedoms, in order to ensure an adequate level of protection for your data. We hereby ensure compliance with the provisions of the data protection laws and protect this data against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
3.2. The security measures include in particular the encrypted transmission of data between your browser and our server. You can recognize such encrypted connections by the fact that the URL in the address bar of your browser begins with "https://". This is a communication protocol with which data can be transmitted in a tap-proof manner within the framework of transport encryption.

4. Transfer of data to third parties and third party providers
4.1. Data will only be passed on to third parties within the framework of the legal requirements. We will only pass on user data to third parties if this is required, for example, on the basis of Art. 6 Para. 1 lit. b. DSGVO for contractual purposes or on the basis of justified interests in accordance with Art. 6 Para. 1 lit. f. DSGVO in the economic and effective operation of our business.
4.2. If we use subcontractors to provide our services, we will take appropriate legal precautions as well as appropriate technical and organizational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
4.3. If, in the context of this privacy policy, content, tools or other means of other providers (hereinafter jointly referred to as "third party providers") are used and their registered office is located in a third country, it is to be assumed that a data transfer to the countries where the third party providers are located will take place. Third countries are countries in which the DSGVO is not a directly applicable law, i.e. generally countries outside the EU or the European Economic Area. Data is transferred to third countries if there is either an appropriate level of data protection, user consent or other legal permission.

5. Provision of contractual services/ registration
5.1. We process inventory data and contract data for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 Para. 1 lit. b. DSGVO.
5.2. Users can create a user account. In this account they can create and view their Skillzcard. In the context of the registration, the necessary obligatory data are communicated to the users. This includes only the name, professional activity, place of work, gender and a picture. The user accounts are not public and cannot be indexed by search engines. User accounts can only be found within the platform. If users have cancelled their user account, their data with regard to the user account will be deleted, unless its retention is necessary for reasons of commercial or tax law in accordance with Art. 6 para. 1 lit. c DSGVO. It is the responsibility of the users to back up their data before the end of the contract if they have terminated it. We are entitled to irretrievably delete all user data stored during the term of the contract. All data can be managed and changed in the protected customer area.
5.3. Furthermore, we store all content published by you in order to operate our online offer. The provision of user-generated content is our contractual service, and this content will only be processed with your consent (legal basis Art. 6 para. 1 lit. a. DSGVO).
5.4. Within the scope of registration and renewed applications as well as the use of our online services, the IP address and the time of the respective user action will be saved. The storage is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 Para. 1 lit. c DSGVO.
5.5. We process usage data (e.g. the visited websites of our online offer, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile, in order to show the user e.g. product information based on their previously used services.


6. Contacting
When contacting us, the user's details are processed in order to handle the contact request in accordance with Art. 6 Para. 1 lit. b. DSGVO.

7. Comments and contributions
7.1. If users leave comments or other contributions, their IP addresses will be stored for seven days on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO.
7.2. This is done for our security in case someone leaves illegal content in comments and contributions. In this case we can be prosecuted ourselves for the comment or contribution and are therefore interested in the identity of the author.


8. Collection of access data and log files
8.1. On the basis of our legitimate interests within the meaning of Article 6 paragraph 1 lit. f. DSGVO, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited site), IP address and the requesting provider.
8.2. For security reasons (e.g. to clarify misuse or fraud), log file information is stored for a maximum of seven days and then deleted. Data whose further storage is required for evidential purposes is excluded from deletion until the respective incident has been finally clarified.


9. Cookies
9.1. When you visit our website, information may be stored on your computer in the form of a cookie. Cookies are information that is transferred from our web server or web servers of third parties to the web browsers of the users and stored there for later retrieval. Most browsers are set in such a way that they automatically accept cookies. We would like to point out that the use of our online offer without cookies is only possible to a limited extent. In particular, the use of your customer account is generally not possible, as the use of cookies is technically mandatory for this purpose. However, you can also use your browser to prevent the setting of certain cookies only (e.g. cookies from third parties), for example if you wish to prevent web tracking. You can find more information on this in the help function of your browser. Further information on third-party cookies that are set or processed when you visit our website can be found in the following data protection declaration, if we use them. The term "cookies" also includes other technologies that perform the same functions as cookies (e.g., when user information is stored using pseudonymous online identifiers, also referred to as "user ID").
   - A distinction must be made between cookies that are set by the website operator when a user visits a website (also known as "first-party cookies") and cookies that are set by third-party providers (also known as "third-party cookies"). We only have technical control over the first-mentioned cookies. We further differentiate between the following cookies.
   - Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
   - Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users used for reach measurement or marketing purposes can also be stored in such a cookie.
   - Necessary (also: essential or absolutely necessary) cookies: Cookies can be absolutely necessary for the operation of a website (e.g. to store logins or other user entries or for security reasons).
   - Statistical, marketing and personalization cookies: Furthermore, cookies are generally also used in the context of reach measurement and when the interests of a user or his behavior (e.g. viewing certain content, using functions, etc.) are stored in a user profile on individual web pages. Such profiles are used, for example, to display content to users that corresponds to their potential interests. This procedure is also known as "tracking", i.e. following the potential interests of users. We will inform you separately about the use of tracking technologies in our privacy policy or when you give your consent.

9.2. We use "session cookies", which are only stored for the duration of your current visit to our website (e.g. to enable the storage of your login status and thus the use of our website). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online services and, for example, log out or close the browser.
9.3. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser.
9.4. The legal basis on which we process your personal data with the help of cookies depends on whether we ask you for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed with the aid of cookies will be processed on the basis of our legitimate interests (e.g. in the business operation of our online offer and its improvement) or if the use of cookies is necessary to fulfil our contractual obligations.
9.5. Depending on whether the processing is based on consent or legal permission, you have the possibility at any time to revoke any consent you have given or to object to the processing of your data by cookie technologies ("opt-out"). You can first declare your objection by means of your browser settings, by refusing the setting of cookies in the system settings of your browser. An objection to the use of cookies for online marketing purposes can also be declared by means of a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can find further information on how to object in the information on the service providers and cookies used.
9.6. Before we process or have processed data in the context of the use of cookies, we ask the users for their consent, which can be revoked at any time. Until consent has been given, cookies that are necessary for the operation of our online offer will be used where required. Their use is based on our interest and the interest of the users in the expected functionality of our online offer. The data processed includes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses). Users of our online service are affected by this processing. The processing takes place on the legal basis of consent (Art. 6 para. 1 sentence 1 lit. a DSGVO) or legitimate interests within the meaning of Art. 6 para. 1 sentence 1 lit. f. DSGVO.


10. Google Analytics
10.1. We use Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") on the basis of your consent (Art. 6 para. 1 lit. a. DSGVO). The parent company of Google is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google uses cookies. The information generated by the statistics and marketing cookie about the use of the online offer by the users is usually transferred to a Google server in the USA and stored there.
10.2. Google Inc. is certified under the Privacy-Shield-Agreement and thus offers a guarantee to comply with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
10.3. Google will also use this information to evaluate the use of this website by users, to compile reports on the activities within this website and to provide us with further services associated with the use of this website and the internet. Pseudonymous user profiles of the users can be created from the processed data.
10.4. We use Google Analytics only with activated IP anonymization. This means that the IP address of the user is shortened by Google within member states of the European Union or in other states which are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
10.5. The IP address transmitted by the user's browser will not be merged with other Google data. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
10.6. You can find further information on data use by Google and on the available settings and objection options on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners ("Data use by Google when you use websites or apps of our partners"), http://www.google.com/policies/technologies/ads ("Data use for advertising purposes"), http://www.google.de/settings/ads ("Manage information that Google uses to show you advertising").


11. LogRocket
11.1. This website uses functions of the web analytics service "LogRocket". The provider of the web analysis service is LogRocket Inc, B6201, One Kendall Square, Cambridge, MA 02139, USA.
11.2. In the event of technical complications or functional impairments in connection with the operation of the Website, LogRocket will send automatic error reports containing information about the source of the error and its origin. Transmitted are server information as well as usage parameters such as the IP address, the browser used, timestamps and the URL that was accessed.
11.3. The storage of this user behaviour is carried out on the basis of Art. 6 para. 1 lit. a DSGVO in order to optimise our offer on this website.
11.4. LogRocket, with headquarters in the USA, is certified according to the EU-US Privacy Shield Framework (https://www.privacyshield.gov/participant?id=a2zt00000008RCRAA2&status=Active), so that compliance with the European data protection level can be guaranteed.
11.5. You can find further information about LogRocket's privacy policy here: https://logrocket.com/privacy.


12. Use of single sign-on procedures Facebook Connect
12.1. On our website we use "Facebook Connect", a service of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter referred to as "Facebook"). Facebook Connect facilitates registration for services on the Internet. Instead of using a registration form on our website, you can enter your login data for Facebook and then use our services. By using "Facebook Connect", your web browser automatically establishes a direct connection with the Facebook server. For registration you will be redirected to the Facebook page. There you can log in with your usage data. Through this, your user account on Facebook is linked to our service.
12.2. We have no influence on the scope and use of data collected by Facebook through the use of Facebook Connect. To the best of our knowledge, Facebook receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you have a user account with Facebook and are registered, Facebook can assign the visit to your user account. Even if you are not registered with Facebook or have not logged in, it is possible that Facebook will find out and store your IP address and, if necessary, other identifying features.
12.3. We use Facebook Connect to facilitate and shorten the registration and login process. This is also our legitimate interest in the processing of the above data by the third-party provider. The legal basis is Art. 6 para. 1 lit. f. DSGVO. You can prevent processing of the above information by Facebook by using our registration form and not using Facebook Connect.
12.4. In addition, Facebook has subjected itself to the privacy shield agreement concluded between the European Union and the USA and has certified itself. Facebook thereby undertakes to comply with the standards and regulations of European data protection law. Further information can be found in the entry linked below: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
12.5. Third Party Information: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For more information about the Third Party Provider's privacy practices, please visit the following Facebook website: https://www.facebook.com/about/privacy


13. Newsletter
13.1. With the following information, we will inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.
13.2. We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter referred to as "newsletters") only with the consent of the recipients or a legal permission. If, in the course of registering for the newsletter, its contents are specifically described, they are decisive for the consent of the users.
13.3. The registration for our newsletter takes place in a so-called double opt-in procedure. After registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else's e-mail address. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored by the mailing service provider are also logged.
13.4. Newsletters are sent via SendGrid, Inc., 1801 California Street, Suite 500 Denver, Colorado 80202 and via "MailChimp", a newsletter dispatch platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA (hereinafter referred to as the "Mailing Service Provider"). You can view the privacy policy of the mailing service provider here: https://sendgrid.com/policies/privacy or at: https://mailchimp.com/legal/privacy.
13.5. The mailing service provider is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with the European level of data protection (https://www.privacyshield.gov/participant?id=a2zt0000000TRktAAG&status=Active or https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
13.6. Furthermore, according to its own information, the mailing service provider may use this data in pseudonymous form, i.e. without allocation to a user, to optimise or improve its own services, e.g. to technically optimise the dispatch and presentation of newsletters or for statistical purposes to determine the countries from which the recipients come. However, the mailing service provider does not use the data of our newsletter recipients to write to them itself or pass them on to third parties.
13.7. To subscribe to the newsletter, it is sufficient to provide your e-mail address. Optionally, we ask you to enter a name for the purpose of personal contact in the newsletter.
13.8. The newsletters contain a so-called "web beacon", i.e. a pixel-sized file which is retrieved from the server of the mailing service provider when the newsletter is opened. Within the scope of this retrieval, technical information such as information on the browser and your system, as well as your IP address and time of retrieval are initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined by means of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our nor the mailing service provider's intention to observe individual users. Rather, the evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
13.9. The use of the mailing service provider, the performance of statistical surveys and analyses and the logging of the registration procedure are based on our legitimate interests in accordance with Art. 6 Para. 1 lit. f DSGVO. We are interested in the use of a user-friendly and secure newsletter system that serves our business interests and meets the expectations of the users.
13.10. You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. Your consent to the dispatch of the newsletter by the mailing service provider and the statistical analyses will then expire at the same time. A separate revocation of the dispatch by the mailing service provider or the statistical analysis is unfortunately not possible. You will find a link to cancel the newsletter at the end of each newsletter. If users have only registered for the newsletter and cancelled this registration, their personal data will be deleted.


14. Payment processing
Payments are processed by our service provider Braintree, a division of PayPal Inc, 22-24 Boulevard Royal, L-2449, Luxembourg, and therefore we will transfer your data to this service provider. Braintree's privacy policy can be found at: https://www.braintreepayments.com/legal

15. PDF Creation
15.1. For the creation of PDF files we use the service provider Expected Behavior, LLC, 407 Fulton St 103, Indianapolis IN, 46202, USA (hereinafter "Expected Behavior"). Expected Behavior processes personal data exclusively within the scope of the instructions given by us. For this purpose we have concluded an order processing agreement with Expected Behavior. You can view the data protection regulations of Expected Behavior here: https://www.expectedbehavior.com/privacy-policy.
15.2. Expected Behavior is certified under the Privacy-Shield Agreement and thus offers a guarantee to comply with the European data protection level (https://www.privacyshield.gov/participant?id=a2zt000000001NpAAI&status=Active).


16. Rights of the data subject
If personal data concerning you are processed, you are the data subject within the meaning of the DSGVO and you are entitled to the following rights in relation to the controller:

16.1. Right to information
You can request confirmation from the data controller as to whether personal data concerning you is being processed by us. If such processing has taken place, you may request information from the data controller on the following: (1) the purposes for which the personal data are processed; (2) the categories of personal data which are processed; (3) the recipients or categories of recipients to whom the personal data relating to you have been or will be disclosed; (4) the envisaged duration of the storage of the personal data relating to you or, if it is not possible to give specific details, criteria for determining the duration of storage; (5) the existence of a right of rectification or erasure of personal data relating to you, a right to have the processing limited by the controller or a right to object to such processing; (6) the existence of a right of appeal to a supervisory authority; (7) any available information on the origin of the data when the personal data are not collected from the data subject; (8) the existence of automated decision making, including profiling, in accordance with Art. 22 (1) and (4) DSGVO and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing on the data subject. You have the right to request information as to whether the personal data concerning you are being transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 DSGVO in connection with the transfer.


16.2. Right of rectification
You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you is incorrect or incomplete. The data controller must make the correction without delay.


16.3. Right to limit processing
You have the right to request that the processing of personal data concerning you be limited under the following conditions: (1) if you dispute the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data; (2) if the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data; (3) if the controller no longer needs the personal data for the purposes of the processing but you need them for the purpose of asserting, exercising or defending legal claims; or (4) if you object to the processing pursuant to Art. 21 (1) DSGVO and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons. If the processing of personal data relating to you has been restricted, such data may be processed - apart from storage - only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State. If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.


16.4. Right to erasure
a) Obligation to erase: You may request the controller to erase personal data concerning you without delay and the controller shall be obliged to erase such data without delay if one of the following reasons applies: (1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed. (2) You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DSGVO, and there is no other legal basis for the processing. (3) You lodge an objection to the processing pursuant to Art. 21(1) DSGVO and there are no overriding legitimate reasons for the processing, or you lodge an objection to the processing pursuant to Art. 21(2) DSGVO. (4) The personal data concerning you have been processed unlawfully. (5) The deletion of personal data relating to you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject. (6) The personal data concerning you have been collected in relation to information society services offered in accordance with Article 8(1) DSGVO.
b) Information to third parties: If the controller has made public the personal data concerning you and is obliged to delete them in accordance with Art. 17 para. 1 DSGVO, he shall take reasonable measures, including technical measures, taking into account the available technology and implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested them to delete all links to this personal data or copies or replications of this personal data.
c) Exceptions: The right of erasure shall not apply insofar as the processing is necessary (1) for the exercise of the right to freedom of expression and information; (2) to comply with a legal obligation to which the processing is subject under Union or national law to which the controller is subject or in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest relating to public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 DSGVO; (4) for archiving, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, insofar as the right referred to in a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or (5) for the assertion, exercise or defence of legal claims.


16.5. Right to information
If you have asserted the right to rectification, erasure or limitation of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort. You have the right vis-à-vis the controller to be informed of these recipients. 


16.6. Right to data transferability
You have the right to obtain the personal data concerning you which you have supplied to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer these data to another controller without hindrance by the controller to whom the personal data have been made available, provided that (1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b DSGVO and (2) the processing is carried out using automated procedures. In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one responsible party to another, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to data transferability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 


16.7. Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out pursuant to Art. 6 para. 1 lit. e or f DSGVO; this also applies to profiling based on these provisions. The controller will no longer process the personal data concerning you, unless the controller can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims. If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing, including profiling, insofar as it is linked to such direct marketing. If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for those purposes. You have the possibility to exercise your right of objection in relation to the use of information society services, without prejudice to Directive 2002/58/EC, by using automated procedures involving technical specifications.


16.8. Right to revoke your data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. Revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until revocation.


16.9. Automated decision in individual cases including profiling
You have the right not to be subjected to a decision based exclusively on automated processing - including profiling - which has legal effect on you or significantly affects you in a similar way. This shall not apply where the decision is (1) necessary for the conclusion or performance of a contract between you and the controller, (2) authorised by Union or national law to which the controller is subject and that law contains adequate measures to safeguard your rights and freedoms and legitimate interests or (3) made with your explicit consent. However, such decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 DSGVO, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests. With regard to the cases referred to in (1) and (3), the data controller shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, which shall include at least the right to obtain the intervention of a person from the data controller, to express your point of view and to challenge the decision.


16.10. Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you is in breach of the DSGVO. The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 DSGVO.


17. Deletion of data
17.1 The data stored with us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage obligations. If the users' data are not deleted because they are required for other and legally permissible purposes, their processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons.

17.2 In accordance with legal requirements, data is stored for 6 years pursuant to § 257 para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years pursuant to § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).


18. Right of objection
Users can object to the future processing of their personal data in accordance with the legal requirements at any time. The objection may in particular be made against processing for the purposes of direct advertising.

19. Amendments to the data protection declaration
We reserve the right to change the privacy policy in order to adapt it to changed legal situations or in case of changes in the service and data processing. However, this only applies with regard to declarations on data processing. Insofar as the consent of the users is required or components of the data protection declaration contain regulations of the contractual relationship with the users, the changes will only be made with the consent of the users.