Data Protection Declaration

I. Name and Address of the Controller

Name and address of the Controller as defined by the General Data Protection Regulation and other legal regulations of the individual member states:

Creditreform Rating AG
Europadamm 2-6
41460 Neuss
Germany
Phone: +49 (0) 21 31 / 109-626
email: info@creditreform-rating.de
Website: www.creditreform-rating.de

II. Address and Contact Details of the Data Protection Officer

The Data Protection Officer of the Controller can be contacted at:

Creditreform Rating AG
Europadamm 2-6
41460 Neuss
Germany
Phone: +49 (0) 21 31 / 109-602
email: datenschutz@creditreform-rating.de
Website: www.creditreform-rating.de

III. General Remarks

1. Description and scope of the Controller’s personal data processing activities

It is generally possible to access and use our website without any disclosure of personal data. Any submission of personal data that we may request on our website (including name, address or email address) will, insofar as this is possible, occur on a voluntary basis. Exceptions are made in cases where factual or practical reasons prevent us from procuring a prior permission and where legal regulations permit the processing of data under the circumstances given. Beyond this, personal data of customers are not disclosed to third parties. We are, however, permitted to provide government authorities with individual personal data inasmuch as the authorities in question request these data within their statutory powers (e.g.: for the purposes of law enforcement and criminal prosecution).

We would like to draw your attention to the fact that no Internet data transmission (for example communication via email) can ever be fully secure. It is not possible to guarantee total protection of data from third-party access. We hereby expressly object to any third-party use of the contact data that we publish under our duty to disclose the identities of the individuals who are accountable for our editorial content pursuant to German law for the purpose of sending non-requested advertising and information material. The individuals concerned reserve the right of taking legal action against entities which are sending them non-requested advertising including spam mails.

2. Legal foundations for the processing of personal data

Inasmuch as we are procuring permissions from the data subjects for the processing of their personal data, Art. 6 (1) lit. a of the EU-General Data Protection Regulation (GDPR) shall serve as the legal foundation for any such processing of personal data.

Art. 6 (1) lit. b of the GDPR shall provide the legal foundation for any processing of personal data that is required to fulfil the obligations of a contract in which the data subject is one of the parties. This also applies to data processing activities that are performed to take steps at the request of the data subject prior to entering into the contract.

Inasmuch as a processing of personal data is required to fulfil a legal obligation of our company, Art. 6 (1) lit. c of the GDPR shall serve as the legal foundation for any such processing of personal data.

If vital interests of the data subject or another natural person require a processing of personal data, Art. 6 (1) lit. d of the GDPR shall serve as the legal foundation for any such processing of personal data.

If the data processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and if these legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1) lit. f of the GDPR shall serve as the legal foundation for any such processing of personal data.

3. Deletion and storage periods

All personal data of the data subject shall be deleted or made unavailable for users when the legitimate purpose for storing the data in question has ceased to exist. Data may also be retained if such a data storage is required by European or national laws, regulations or other statutory provisions to which the Controller is subject. Data will also be deleted or made unavailable to users if a storage period specified in any of the aforementioned laws, regulations, legal provisions or standards has expired, unless the data in question must otherwise be retained for the purposes of agreeing a contract or of complying with the terms of a contract.

IV. Provision of the Website and Compilation of Log Files

1. Scope and description of the data processing activities

The provider of the pages automatically collects and stores the following information, using so-called server log files, which is automatically transmitted to us by your browser:

• Type and version of the browser
• Operating system in use
• Pseudonymized IP address of the computer accessing the network (e.g.: 123.123.123.XXX)
• Date and exact time of the server request

The log files contain pseudonymized IP addresses or other data on the basis of which an individual user might, in theory, be identified. Any such data are never retained together with the personal data of users. We reserve the right of examining these data retrospectively in the event that we have been provided with concrete evidence for unlawful use.

2. Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR serves as the legal foundation for the temporary storage of data and log files.

3. Purposes of the data processing activities

The temporary storage of IP addresses within the system is necessary to allow the delivery of the website to the user’s computer. For this purpose, the user’s IP address must be kept in storage for the duration of the session.

The log file storage serves to maintain the website’s functionality. We also use the relevant data to optimize the site and to protect the security of our information technology systems. No data from this stage of the operation are used for marketing purposes.

4. Storage period

Data will be deleted as soon as they are no longer required to fulfil the purposes for which we originally collected them. In the case of data storage for the purpose of transmitting content from the website to the user, this means that any such data will be deleted at the end of the respective session.

Data will be deleted from log files after a maximum period of seven days, but may be retained for longer periods. In any such case, the IP addresses of the users will be deleted or modified in such a way that it is no longer possible to connect the addresses to the individual user who accessed the files in question.

5. Right to object and to demand removal

The temporary storage of data as described in the above and the storage of data in log files are necessary for the operation of the website. The user therefore has no right to object.

V. Use of Cookies

1.    Description and scope of the Controller’s personal data processing activities

We process requests to load our Internet pages by using so-called “cookies”. Cookies are small text files that are picked up by your device (PC, smart phone, tablet etc.). If you request a website, your browser may store a cookie. This cookie features a distinct sequence or string of characters that allows us to identify any specific browser which re-requests the website in question.
Cookies may furthermore enable an analysis of any given user’s surfing behaviour. If you request our website, you will receive information about any such use of cookies for analytical purposes, and we shall procure your consent to the processing of any of your personal data before proceeding further.
We are using cookies to make our websites easier to navigate, more effective and more user-friendly. Certain elements of our web page require a way of recognizing the browser which has accessed the site even after a change of page. For this purpose, cookies are temporarily storing the following data:
•    Language settings
•    Use of the web shop (login, shopping basket)
•    Validation of forms
•    Processing and bookmarking of search requests on the given page
•    Establishment of visitor numbers for statistical purposes (anonymized)
Our shop system furthermore involves the use of cookies which are technically required for certain functions such as log-in procedures and the processing of incoming orders. The system uses cookies to recognize visitors who have logged in before.

2.    Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR (the “legitimate interests” pursued by the controller) serves as the legal foundation for the processing of personal data through the use of technically required cookies.
Art. 6 (1) lit. a of the GDPR serves as the legal foundation for the processing of personal data through the use of cookies for analytical purposes, provided that the data subject has given consent to the processing of his or her personal data for these purposes; our legitimate interests in pursuing these purposes pursuant to Art. 6 (1) lit. f of the GDPR also serve as a legal foundation.


3.    Purposes of the data processing activities


We are using technically required cookies to make it easier for the users to access and navigate the website. Some of our website’s functions cannot be used without the use of cookies. To benefit fully from the offers that we provide, browser recognition must be enabled after a change of page. Data that have been collected by technically required cookies will not be used to create user profiles.
Analytical cookies are used to improve our website and its contents. Analytical cookies tell us how visitors use our website and provide us with the opportunity of adjusting our service range to the needs of our customers.

4.    Storage period

Some of the cookies that we are using will be deleted from your device at the end of the respective browser session (the so-called “session cookies”). Other cookies will remain on your device, enabling us to recognize your browser the next time you visit our site (“permanent cookies”).
In general, we delete any data when we believe that the legitimate business interest in pursuit of which those data were originally collected has expired, when we believe that a deletion of data would reflect the balance of interests or when you have successfully asserted your right to object pursuant to Art. 21 GDPR. We establish in regular intervals – at least once per year – whether or not our legitimate interest persists. Such an interest expires specifically when the collected data – in view of their age – are no longer deemed sufficiently relevant for the purposes of statistical analysis and evaluation of website usage. We assume that data become insufficiently relevant after a maximum period of three years.

5.    Right to object and to demand removal

Cookies are stored on your computer and transmitted to our website. This means that you have full control over the cookies’ use. By changing the settings of your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. Deletions can also be performed automatically. If you choose such a “Do-Not-Track” setting for your browser, we shall interpret this as an objection to the further collection and use of your personal data. Please note: if you deactivate cookies, you may not be able to use all the functions of our website.

VI.    Web Shop Registration and Use

1.    Description and scope of the Controller’s personal data processing activities

Our website provides users with an opportunity to register by submitting certain personal data. Users enter these data into an input mask and transmit them to us. We subsequently store these data.
The use of our web shop also requires a voluntary registration through the submission of certain personal data. We are applying the widest possible range of safeguards to protect your personal data from unauthorized third-party access. We do not provide any third party with your data or market these data. The submission of payment data and the payment process itself are handled by the payment service provider of your choice (e.g. PayPal).
We require the following data to complete the registration process:
•    Type of customer (private or corporate)
•    Title   
•    First name and family name
•    Date of birth
•    Email address
•    Personal password
•    Delivery address, billing address (street, house number, post code, town or city, country)
•    Phone number (optional)
The following data are also stored as part of the registration process:
•    User IP address
•    Date and exact time of the registration

During the registration process, we request your permission to process the data you submit and provide a link to this Privacy Statement.

2.    Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR serves as the legal foundation for the processing of the data with the data subject’s permission.
Additionally, if the registration is required to fulfil the obligations of a contract in which the data subject is one of the parties or to perform steps at the request of the data subject prior to entering into the contract, Art. 6 (1) lit. b of the GDPR shall also serve as the legal foundation for the data processing activities.

3.    Purposes of the data processing activities

The website requires user registrations for the provision of certain content and services.
Users must also complete the registration process to enable us to fulfil the obligations of any contract with the user or to perform steps prior to entering into any such contract. The information that you provide is necessary to complete payment and invoicing procedures.


4.    Storage period


Data will be deleted as soon as they are no longer required to fulfil the purposes for which we originally collected them. Inasmuch as data are concerned which have been submitted as part of the registration process, this means that they shall be deleted when the registration of the user in question on our website is cancelled or modified.
Data that have been stored during the registration process in order to enable us to fulfil the obligations of any contract with the user or to perform steps prior to entering into any such contract shall also be deleted when the data are no longer required for the purposes of the contract in question. A necessity to retain the personal data of the contractual partner can survive the completion of the contract in order to enable us to comply with certain contractual and legal obligations.

5.    Right to object and to demand removal

Users are free to cancel their registration at any time. You can also instruct us at any time to modify or to rectify any personal data that we may have stored about you. If you want to delete your account, please contact info@creditreform-rating.de or our Data Protection Officer (for contact details, please see II.). We shall promptly comply with any request to delete personal data.
If the data are required to fulfil the obligations of a contract or to perform steps prior to entering into a contract, a premature deletion of data can only be performed if no contractual or legal obligations prevent us from deleting the data in question.


VII.    Contact Form and Contact Via Email

1.    Description and scope of the Controller’s personal data processing activities

Our website features a contact form that users are free to use on a voluntary basis. If a user takes advantage of this opportunity to contact us, any data that are entered into the input mask and submitted will be transmitted to us. We subsequently store these data. These data include the following:
•    Title
•    First name and family name
•    Email address
•    Phone number
•    Subject and reference
•    Free text field
When the user submits the form, we also store the following data:
•    User IP address
•    Date and exact time of the submission

Alternatively, users can also contact us via email at an address that has been specified for this purpose. Any personal data that users submit in their emails will also be stored.
No data that have been stored in this way shall be provided to third parties. The data are exclusively used for the purpose of processing the conversation or to perform steps prior to entering into a contract.


2.    Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR serves as the legal foundation for the processing of the data. Additionally, if the contact is established with a view to agreeing a contract, Art. 6 (1) lit. b of the GDPR shall also serve as the legal foundation for the data processing activities.


3.    Purposes of the data processing activities

Personal data from the input mask of the contact form shall be exclusively used for purposes of contacting potential customers and of performing steps prior to entering into a contract. If users contact us by email, we shall equally exercise our legitimate business interest in processing any data submitted to us in this way.

Other personal data that have been provided to us during the submission as described in the above shall be used to prevent the misuse of our contact form and to ensure the security of our information technology systems.


4.    Storage period

Data will be deleted as soon as they are no longer required to fulfil the purposes for which we originally collected them. For personal data that have been submitted through the input mask or by email, this means that they shall be deleted when the conversation with the user in question has been completed. Conversations shall be considered completed when the circumstances indicate that the underlying matter has been conclusively settled.
Other personal data that have been provided to us during the submission as described in the above shall be deleted after a maximum period of seven days.

5.    Right to object and to demand removal

Users can at any time withdraw their consent to the processing of their personal data. Users who contact us by email shall be free to object to the storage of their personal data at any time. In such a case, we shall not be able to continue the conversation.
Withdrawals of consent and objections to data storage can be submitted by email to the address info@creditreform-rating.de or to our Data Protection Officer (for contact details, please see II.). On receiving such a request, we shall promptly delete all personal data that have been stored in connection with the user’s activity of contacting us.
If the data are required to fulfil the obligations of a contract or to perform steps prior to entering into a contract, a premature deletion of data can only be performed if no contractual or legal obligations prevent us from deleting the data in question.


VIII.    Newsletter


1.    Description and scope of the Controller’s personal data processing activities


We offer you a Newsletter to provide you regularly with news, analyses and information about new products concerning country risks and general risk management.
You can voluntarily subscribe to our Newsletter. For this purpose, you must provide your email address and confirm your intention of subscribing to the Newsletter. Subscriptions to the Newsletter can be activated and de-activated by checking a box in the registration form or in the Overview section of the User menu. We will send you the Newsletter only with your express consent. After you have submitted your Newsletter registration, you will receive an email (at the address you have specified) to confirm your subscription. We will provide you regularly with copies of our Newsletter only if you click on the link which is provided for this purpose in the confirmation email (this is a so-called “Double-Opt-In” procedure).


2. Legal foundations for the processing of data

Art. 6 (1) lit. a of the GDPR serves as the legal foundation for the processing of the data in connection with the Newsletter registration.

3. Purposes of the data processing activities

Your email address will be stored and processed so we can provide you with regular copies of the Newsletter.

4. Storage period

Your email address will remain in our storage system and the Newsletter will be dispatched until you cancel your subscription.

5. Right to object and to demand removal


You have the right at any time to withdraw your permission for processing your personal data and to cancel your Newsletter subscription. In order to cancel your subscription, please click on the link which is provided in the Newsletter or change your Newsletter settings in the Overview section of our website’s User menu. Once you have cancelled your subscription, we will no longer send you any copy of our Newsletter, and your email address will only be used to allow you to register in our shop. If you want to delete all your user access data from our database including your email address, please read the section on your “Right to object and to demand removal” in Chapter VI (“Web Shop Registration and Use”).

IX.  Use of Google Analytics (Website Analysis Tool)


1.    Description and scope of the Controller’s personal data processing activities


This website uses Google Analytics, a web analytics service provided by Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses “cookies”, text files which are placed and stored on your computer, to help the website analyze how users use the site.
Please note that on this website Google Analytics has been extended by the code “anonymizeIP” in order to ensure an anonymized collection of IP addresses (so-called IP masking). If you activate IP anonymization on this website, Google will anonymize (i.e. shorten) your IP address before sending it to an address outside the European Union or to a country which is not a contracting state of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a US-based Google server and anonymized there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website activity and Internet usage. The anonymized IP address provided by your browser within the framework of Google Analytics will not be merged with other data provided by Google.
If you want to find out more about the general conditions of use and data privacy laws, please go to http://www.google.com/analytics/terms/de.html or to https://www.google.de/intl/de/policies/.


2.    Legal foundations for the processing of data


Art. 6 (1) lit. f of the GDPR (the “legitimate interests” pursued by the controller) serves as the legal foundation for the processing of personal data. Our legitimate interests are explained in the above. Google Inc. conducts its business within the framework of the EU-US Privacy Shield, which means that the transmission of data to Google’s US-based operations complies with EU data privacy regulations.


3.    Purposes of the data processing activities


We use website analysis tools and analysis cookies in order to make it easier for the users to access and navigate the website and to improve our site’s contents. Analysis tools and cookies provide us with information about the way in which our website is being used, allowing us to engage in a process of continuous optimization. The cookie-generated information about your use of the website will be generally transmitted to and stored inside a US-based Google server.


4.    Storage period


Cookies are stored on the user’s computer and transmitted to our website. This means that you have at any time full control over the cookies’ use. By changing the settings of your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. Deletions can also be performed automatically. If you deactivate cookies, you may not be able to use all the functions of our website.
In general, we delete any data when we believe that the legitimate business interest in pursuit of which those data were originally collected has expired, when we believe that a deletion of data would reflect the balance of interests or when you have successfully asserted your right to object pursuant to Art. 21 GDPR. (See also the chapter on the Rights of the Data Subject, 7. Right to object.) We establish in regular intervals – at least once per year – whether or not our legitimate interest persists. Such an interest expires specifically when the collected data – in view of their age – are no longer deemed sufficiently relevant for the purposes of statistical analysis and evaluation of website usage. We assume that data become insufficiently relevant after a maximum period of three years.


5.    Right to object and to demand removal


When you request access to our website, you are provided with the option of refusing permission to store any cookies on your device (“opt-out cookie”). You can also prevent the storage of cookies by configuring your browser software accordingly. Please note that you may not be able to use all the functions of our website when you block the storage of cookies in one of these ways. You can also prevent the transmission of any cookie-generated data about your usage of the website (incl. your IP address) to Google as well as any further processing of these data through Google by downloading and installing the browser plugin that is available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.


X. Rights of Data Subjects

If any of your personal data are processed, you are a data subject as defined by the GDPR and have the right to exercise the following rights against the Controller:

1. Right of access to personal data

You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed.

Where that is the case, you can instruct the Controller to provide you with the following information:

(1) the purposes of the processing activities;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) any available information as to the source of the personal data where they have not been collected directly from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
(9) whether your personal data are transferred to a third country or to an international organisation and what appropriate safeguards are in place pursuant to Article 46 of the GDPR relating to any such transfer.


2. Right to rectification

You have a right to obtain from the Controller the rectification or completion of inaccurate or incomplete personal data concerning you. The Controller shall have to perform the rectification or completion without undue delay.

3. Right to restriction of processing

You have the right to obtain from the Controller restriction of processing where one of the following applies:

(1) you are contesting the accuracy of your personal data, for a period which enables the Controller to verify the accuracy of the personal data in question;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the Controller no longer requires the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, or
(4) you have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether the legitimate grounds of the Controller override your own reasons.

Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If a restriction of processing has been obtained in reference to any of the legal grounds outlined in the above, you shall be informed by the Controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase

You have the right to obtain from the Controller the erasure of your personal data without undue delay. The Controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies:

(1) Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw consent on which the processing is based according to point (a) of Article 6 (1) of the GDPR, or point (a) of Article 9 (2) of the GDPR, and there is no other legal ground for the processing.
(3) You object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) of the GDPR.
(4) Your personal data have been unlawfully processed.
(5) Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
(6) Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Third-party involvement

Where the Controller has made your personal data public and is obliged pursuant to Art. 17 (1) of the GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you (as the data subject concerned) have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions

No such right to erasure shall apply to the extent that processing is necessary:

(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right of information

Once you have exercised your right of rectification, erasure or restriction of processing against the Controller, the Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in compliance with his respective obligations to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You also have the right to instruct the Controller to identify those recipients to you.

6. Right to data portability

You have the right to receive your personal data that you have provided to the Controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been submitted, provided:

(1) the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) of the GDPR or on a contract pursuant to point (b) of Article 6 (1) of the GDPR; and
(2) the processing is carried out by automated means.

In exercising your right to data portability, you shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of this right shall not adversely affect the rights and freedoms of others.

The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to any processing of your personal data which is based on point (e) or (f) of Article 6 (1) of the GDPR, including profiling activities that may be based on those provisions.

The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where your personal data are processed for direct marketing purposes, you shall have the right to object at any time to any processing of your personal data for such marketing purposes, including profiling to the extent that it is related to such direct marketing activities.

Once you have objected to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

You may opt – in the context of the use of information society services and notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

8. Right to withdraw the Declaration of Consent under Data Protection Law

You have the right to withdraw your Declaration of Consent to the processing of data at any time. Any such withdrawal of your consent to the processing of personal data shall not affect the lawfulness of the processing activities that have been completed in the period between the provision of the Declaration of Consent and its eventual withdrawal.

9. Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply when the relevant decision:

(1) is necessary for entering into, or performance of, a contract between you and the Controller,
(2) is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests, or
(3) is based on your explicit consent.

These decisions, however, shall not be based on special categories of personal data referred to in Article 9 (1) of the GDPR, unless point (a) or (g) of Article 9 (2) of the GDPR applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.

In cases where the exemptions described above under points (1) and (3) apply, the Controller shall implement suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
