I. Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
AwesomeGifts.Love
Fliederweg 12
2556 Schwadernau
Switzerland
Phone: 032 396 14 44
Email: [email protected]
Web: www.awesomegifts.love
II. General Information on Data Processing
1. Scope of Processing of Personal Data
We process personal data of our users only to the extent necessary to provide a functioning website as well as our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal regulations.
2. Legal Basis for the Processing of Personal Data
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.
Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
3. Data Erasure and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the aforementioned norms expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
III. Provision of the Website and Creation of Logfiles
1. Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
This part needs to be adjusted accordingly. Non-applicable data should be removed, missing data should be added.
– Information about the browser type and version used
– The user’s operating system
– The user’s internet service provider
– The user’s IP address
– Date and time of access
– Websites from which the user’s system reaches our website
– Websites accessed by the user’s system through our website
Option 1: The log files contain IP addresses or other data that can be attributed to a user. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user proceeds contains personal data.
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
Option 2: The log files do not contain IP addresses or other data that can be attributed to a user.
The data is also stored in the log files of our system. This does not affect the IP addresses of the user or other data that enable the assignment of the data to a user. This data is not stored together with other personal data of the user.
2. Legal Basis for Data Processing
If IP addresses are stored in log files:
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
If no IP addresses are stored in log files:
The legal basis for the temporary storage of data is Art. 6 para. 1 lit. f GDPR.
3. Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
If IP addresses are stored in log files:
The storage in log files is done to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes also constitute our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR.
4. Duration of Storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of collecting the data for the provision of the website, this is the case when the respective session is ended.
If data is stored in log files:
In the case of storing the data in log files, this is the case after no more than seven days. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
5. Objection and Removal Possibility
The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
IV. Use of Cookies
a) Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
If the use of technically necessary cookies takes place:
We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.
In the cookies, the following data is stored and transmitted:
A list of the stored data follows. Examples can be:
– Language settings
– Items in a shopping cart
– Log-in information
If the use of technically non-essential cookies also takes place:
We also use cookies on our website that enable an analysis of the user’s surfing behavior.
The following data can be transmitted in this way:
A list of the collected data follows. These can include, for example:
– Entered search terms
– Frequency of page views
– Use of website functions
Until now, it was possible under § 15 para. 3 TMG to pseudonymize the processed personal data for technically non-essential cookies and to inform the user about the use of cookies and his right to object and remove („Opt-Out solution“). However, it is controversial in the legal literature whether this norm continues to apply after the GDPR comes into effect. In doubt, it must be assumed that now only the provisions of the GDPR apply. In this case, reference must be made solely to Art. 6 GDPR. Even according to this norm, the continuation of the previous practice is conceivable if a „legitimate interest“ of the processor is referred to according to Art. 6 para. 1 lit. f GDPR. If no consent of the user is obtained before setting and retrieving technically non-essential cookies:
The data collected from users in this way is pseudonymized by technical measures. Therefore, it is no longer possible to assign the data to the calling user. The data is not stored together with other personal data of the users.
When our website is called up, users are informed by an information banner about the use of cookies for analytical purposes and referred to this privacy policy. In this context, there is also an indication of how the storage of cookies can be prevented in the browser settings.
Whether the previous practice of the „Opt-Out solution“ meets the requirements of Art. 6 para. 1 lit. f GDPR cannot currently be said with certainty. Clarity could be provided by the planned e-Privacy Regulation. Until then, the most legally secure solution is to obtain prior consent of the user („Opt-In solution“). If consent of the user is obtained before setting and retrieving technically non-essential cookies:
When our website is called up, the user is informed about the use of cookies for analytical purposes and his consent to the processing of personal data used in this context is obtained. In this context, there is also a reference to this privacy policy.
b) Legal Basis for Data Processing
If only technically necessary cookies are used or if technically necessary cookies and technically non-essential cookies are used without prior obtaining of the user’s consent:
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.
If technically necessary and non-necessary cookies are used with prior obtaining of the user’s consent:
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR.
The legal basis for the processing of personal data using cookies for analytical purposes, if the user’s
consent has been obtained, is Art. 6 para. 1 lit. a GDPR.
c) Purpose of Data Processing
If the use of technically necessary cookies takes place:
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.
Applications for which we need cookies include:
A list of applications follows. Examples can be:
– Shopping cart
– Adoption of language settings
– Remembering search terms
The user data collected by technically necessary cookies is not used to create user profiles.
If the use of technically non-essential cookies also takes place:
The use of analysis cookies is for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus continuously optimize our offer.
The exact purpose of use of the analysis cookies should be described in more detail here.
These purposes also constitute our legitimate interest in processing the personal data according to Art. 6 para. 1 lit. f GDPR.
e) Duration of Storage, Objection and Removal Possibility
Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to fully use all functions of the website.
If Flash cookies are also used:
The transmission of Flash cookies cannot be prevented via the browser settings, but by changing the settings of the Flash Player.
V. Newsletter
1. Description and Scope of Data Processing
The newsletter is sent based on the user’s registration on the website:
There is the possibility to subscribe to a free newsletter on our website. In doing so, the data from the input mask is transmitted to us during registration for the newsletter.
This place should specify the collected data. In the minimal case, this concerns the user’s e-mail address.
In addition, the following data is collected during registration:
The actually collected additional data must be specified. These can be, for example:
– The user’s IP address
– Date and time of registration
For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy.
The newsletter is sent based on the sale of goods or services:
If you purchase goods or services on our website and leave your e-mail address, it can subsequently be used by us for sending a newsletter. In such a case, the newsletter will only send direct advertising for similar goods or services of our own.
No data is passed on to third parties in connection with data processing for sending newsletters. The data is used exclusively for sending the newsletter.
2. Legal Basis for Data Processing
The newsletter is sent based on the user’s registration on the website:
The legal basis for processing the data after the user subscribes to the newsletter, if the user’s consent has been obtained, is Art. 6 para. 1 lit. a GDPR.
The newsletter is sent based on the sale of goods or services:
The legal basis for sending the newsletter as a result of the sale of goods or services is § 7 para. 3 UWG (German Act against Unfair Competition).
3. Purpose of Data Processing
The collection of the user’s e-mail address serves to deliver the newsletter.
The newsletter is sent based on the user’s registration on the website:
The collection of other personal data during the registration process serves to prevent misuse of the services or the used e-mail address.
4. Duration of Storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The user’s e-mail address is therefore stored as long as the subscription to the newsletter is active.
The newsletter is sent based on the user’s registration on the website:
The other personal data collected during the registration process will generally be deleted after a period of seven days.
5. Objection and Removal Possibility
The subscription to the newsletter can be cancelled by the affected user at any time. For this purpose, there is a corresponding link in each newsletter.
The newsletter is sent based on the user’s registration on the website:
This also enables a revocation of the consent to the storage of personal data collected during the registration process.
VI. Registration
1. Description and Scope of Data Processing
On our website, we offer users the opportunity to register by providing personal data. The data is entered into an input mask, transmitted to us, and stored. The data is not passed on to third parties. The following data is collected as part of the registration process:
The corresponding data should be listed here.
At the time of registration, the following data is also stored:
The data should be listed accordingly here. Examples can be
:
– The user’s IP address
– Date and time of registration
During the registration process, the user’s consent to process this data is obtained.
2. Legal Basis for Data Processing
The legal basis for processing the data is, if the user’s consent has been obtained, Art. 6 para. 1 lit. a GDPR.
If registration serves the fulfillment of a contract to which the data subject is party or the implementation of pre-contractual measures:
If the registration serves the fulfillment of a contract to which the user is a party or the implementation of pre-contractual measures, then additional legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR.
3. Purpose of Data Processing
The user’s registration is not necessary for the conclusion of a contract with the user:
Registration of the user is necessary for the provision of certain content and services on our website.
A closer description of the content and services follows. Why is identification of the user necessary for the provision in individual cases?
The registration serves the conclusion of a contract with the user:
Registration of the user is necessary for the fulfillment of a contract with the user or for the implementation of pre-contractual measures.
A closer description of the contract offered on the website follows. Why are the collected data necessary for these contracts?
If the processing of personal data of the contractual partner is legally required at the conclusion of the contract, then the respective norms from which the obligation arises should be named.
4. Duration of Storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection.
The registration does not serve the conclusion of a contract with the user:
This is the case for the data collected during the registration process if the registration on our website is cancelled or modified.
The registration serves the conclusion of a contract with the user:
This is the case for the data collected during the registration process for the fulfillment of a contract or for the implementation of pre-contractual measures if the data is no longer necessary for the execution of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner to comply with contractual or legal obligations.
Long-term contractual relationships require the storage of personal data during the contract period. In addition, warranty periods must be observed, and the storage of data for tax purposes. The storage periods to be observed in this regard cannot be specified in a general manner but must be determined for the individual contracts and contracting parties.
5. Objection and Removal Possibility
As a user, you have the option to cancel the registration at any time. The data stored about you can be changed at any time.
A closer description follows on how deletion of the account and modification of data are possible.
The registration serves the conclusion of a contract with the user:
If the data is necessary for the fulfillment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible, provided that contractual or legal obligations do not preclude deletion.
VII. Contact Form and E-Mail Contact
1. Description and Scope of Data Processing
A contact form is available on our website, which can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask is transmitted to us and stored. This data includes:
A list of the data of the input mask follows
At the time of sending the message, the following data is also stored:
A list of the corresponding data follows. Examples can be:
– The user’s IP address
– Date and time of registration
Your consent is obtained for the processing of the data within the scope of the sending process and reference is made to this privacy policy.
Alternatively, contact can be made via the provided e-mail address. In this case, the user’s personal data transmitted with the e-mail will be stored.
No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.
2. Legal Basis for Data Processing
The legal basis for the processing of data is, if the user’s consent has been obtained, Art. 6 para. 1 lit. a GDPR.
The legal basis for processing data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, then additional legal basis for processing is Art. 6 para. 1 lit. b GDPR.
3. Purpose of Data Processing
The processing of personal data from the input mask serves us solely for processing the contact. In the case of contact via e-mail, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Duration of Storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input mask of
the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been conclusively clarified.
The additional personal data collected during the sending process will be deleted no later than after a period of seven days.
5. Objection and Removal Possibility
The user has the possibility at any time to revoke his consent to the processing of personal data. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.
A description follows on how the revocation of consent and the objection to storage are made possible.
All personal data stored in the course of contact will be deleted in this case.
IX. Web Analysis by Matomo (formerly PIWIK)
1. Scope of Processing of Personal Data
We use the open-source software tool Matomo (formerly PIWIK) on our website to analyze the surfing behavior of our users. The software sets a cookie on the users’ computer (for cookies, see above). If individual pages of our website are called up, the following data is stored:
– Two bytes of the IP address of the user’s calling system
– The called website
– The website from which the user has come to the called website (referrer)
– The subpages that are called from the called website
– The time spent on the website
– The frequency of the website call
The software runs exclusively on the servers of our website. Storage of the users’ personal data takes place only there. Data is not passed on to third parties.
Note: Since no consent of the users is present, the function “Automatically Anonymize Visitor IPs” should definitely be activated. It is assumed here that the IP address is shortened by 2 bytes. Further information can be found here: https://matomo.org/docs/privacy/.
The software is set so that the IP addresses are not stored completely, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer.
2. Legal Basis for the Processing of Personal Data
The legal basis for processing users’ personal data is Art. 6 para. 1 lit. f GDPR.
3. Purpose of Data Processing
The processing of users’ personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing the data according to Art. 6 para. 1 lit. f GDPR. By anonymizing the IP address, users’ interest in their protection of personal data is sufficiently taken into account.
4. Duration of Storage
The data will be deleted as soon as it is no longer needed for our recording purposes.
Here the exact point in time of deletion must be specified. This can be set in the software (see: https://matomo.org/docs/privacy/).
In our case, this is after xx.
5. Objection and Removal Possibility
Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all functions of the website to their full extent.
If the opt-out option is offered on the website:
We offer our users the option of opting out of the analysis procedure on our website. To do this, you must follow the corresponding link. In this way, another cookie is set on your system, which signals to our system not to store the user’s data. If the user deletes the corresponding cookie from his own system in the meantime, he must set the opt-out cookie again.
Further information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/.
IX. Rights of the Data Subject
The following listing includes all rights of data subjects under the GDPR. Rights that have no relevance to one’s own website do not need to be mentioned. Accordingly, the listing can be shortened.
If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against the controller:
1. Right of Access
You can request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is taking place, you can request information from the controller about the following:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal
data being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
(4) the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) any available information on the source of the data if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is being transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
In data processing for scientific, historical, or statistical research purposes:
This right of access may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limitation is necessary for the fulfillment of the research or statistical purposes.
2. Right to Rectification
You have a right to rectification and/or completion by the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the rectification without undue delay.
In data processing for scientific, historical, or statistical research purposes:
Your right to rectification may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limitation is necessary for the fulfillment of the research or statistical purposes.
3. Right to Restriction of Processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
(4) if you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
If processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction of processing has been obtained under the above conditions, you will be informed by the controller before the restriction is lifted.
In data processing for scientific, historical, or statistical research purposes:
Your right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limitation is necessary for the fulfillment of the research or statistical purposes.
4. Right to Erasure
a) Obligation to Erase
You may demand the controller erase personal data concerning you without undue delay, and the controller is obliged to erase this data without undue delay where one of the following reasons applies:
(1) The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
(2) You withdraw consent on which the processing is based according to Art. 6 para. 1 lit. a, or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
(3) You object to the processing pursuant to Art. 21 para. 1 GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.
b) Information to Third Parties
If the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, taking into account available technology and the cost of implementation, the controller shall take reasonable steps, including technical
measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not exist insofar as the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defense of legal claims.
5. Right to be Informed
If you have asserted the right to rectification, erasure, or restriction of processing to the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the controller.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
(1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you shall have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others shall not be adversely affected by this.
The right to data portability does not apply to processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
You have the option, in the context of the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.
In data processing for scientific, historical or statistical research purposes:
You also have the right, for reasons arising from your particular situation, to object to processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR.
Your right to object may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limitation is necessary for the fulfillment of the research or statistical purposes.
8. Right to Withdraw the Data Protection Consent Declaration
You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated Individual Decision-making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and a data controller,
(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
(3) is based on your explicit consent
.
However, these decisions must not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to Complain to a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.