Information on data protection
The protection of your personal data is an important concern for us ("DACHSER"). The processing of your personal data, such as your name, address, email address or telephone number, always takes place in accordance with the General Data Protection Regulation (GDPR) and the country-specific data protection regulations applicable to DACHSER. If provisions of the GDPR are mentioned, the corresponding provisions in other country-specific data protection regulations are also implied in each case.
Data subject rights and reporting data protection incidents
You may exercise your rights as a data subject - such as the right to information, rectification, erasure, restriction of processing, data portability and the right to object - online here. You may report data protection incidents such as unauthorised access, information, disclosure, processing, loss of personal data online here.
The responsible person for the purposes of data protection law is:
Tel.: +49 831 5916 0
Fax: +49 831 5916-1312
The name and contact details of the data protection officer at DACHSER SE are:
Data protection officer
87439 Kempten, Germany
This website collects a series of general data and information each time it is accessed. This general data and information is stored in the log files of the server. The data which may be recorded is:
The browser types and versions used,
The operating system used by the accessing system,
The website from which an accessing system reaches our website (known as referrers),
The sub-websites that are accessed via an accessing system on our website,
The date and time of access to the website,
The Internet Protocol (IP) address,
The Internet service provider of the accessing system and
Other similar data and information used to avert danger in the event of attacks on our information technology systems.
In using this general data and information, DACHSER does not draw any conclusions about you. No profiling occurs. Instead, we need this information in order to deliver the content of our website correctly, to optimise the content of our website as well as the advertising for it, to ensure the long-term viability of our information technology systems and the technology of our website, and to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.
This anonymously obtained data and information is used statistically by DACHSER for the purpose of increasing the level of data protection and data security within our company. We store the anonymous data from the server log files separately from all personal data provided by you. The legal basis for the temporary storage of data and log files is art. 6, para. 1, line f) GDPR.
You can contact us via the contact form provided on our website or via the email address provided in the company information. If you contact DACHSER via one of these channels, we will automatically store the personal data you provide. Such personal data transmitted to DACHSER on a voluntary basis will be stored for the purpose of processing your request and/or contacting you.
DACHSER assigns the enquiries and the associated personal data for processing and use to the competent authority within the DACHSER Group, generally to the national subsidiary in the country of the requester, and exchanges the data with the latter. So, for example, enquiries and the corresponding data from the website for Switzerland (www.dachser.com/ch) are exchanged with the DACHSER national subsidiary in Switzerland (DACHSER Spedition AG). In this context, data may also be transmitted to national subsidiaries in third countries.
The legal basis for the processing of the data is art. 6, para. 1, line b) GDPR and in all other cases the protection of legitimate interests pursuant to art. 6, para. 1, line f) GDPR. For the transfer of data to a third country, the legal basis is art. 49, para. 1, line b) GDPR.
On the DACHSER website, users are given the opportunity to subscribe to DACHSER newsletters (e.g. "eLetter"). Which personal data is transmitted to DACHSER when ordering the newsletter is determined by the input mask used for this purpose.
DACHSER uses the newsletter to regularly inform customers and business partners of news regarding our services and products, current press reports, information about our brand and the content currently on our website. The newsletter can only be received by the data subject if
(1) the data subject has a valid email address and
(2) the data subject registers to receive the newsletter. For legal reasons, a confirmation email will be sent to any email address entered for the first time by a data subject for the purposes of receiving the newsletter. This is a double opt-in procedure. This confirmation email is used to check whether the owner of the email address has authorised the receipt of the newsletter as a data subject. The legal basis for sending the newsletter is art. 6, para. 1, line a) GDPR.
When registering for the newsletter, we store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace (possible) misuse of the email address of a data subject at a later time and therefore serves as legal protection for DACHSER. In the context of sending the newsletter, DACHSER will use Atrivio GmbH, Albert-Einstein-Str. 6, 87437 Kempten, Germany to collect, process, use and/or store this data for that purpose.
The personal data collected in the context of a subscription to the newsletter will be used exclusively for the following purposes:
- Sending the newsletter
- Advice and advertising
- Designing the newsletter according to requirements
- Compiling the topics of the newsletter in a way that is appropriate for your interests
Subscribers to the newsletter may also be informed by email if this is necessary for the operation of the newsletter service or for registration in this regard, such as for changes to the offer of the newsletter or for changes in technical conditions.
Consent to the storage of personal data, which the data subject has given us for the sending of the newsletter, can be revoked at any time. A link for the purpose of revoking consent can be found in each newsletter. It is also possible to de-register directly at any time by notifying DACHSER of the contact details mentioned under section 1.
Our newsletters contain 'tracking pixels'. A tracking pixel is a miniature graphic that is embedded in those emails sent in HTML format to enable log file recording and log file analysis. This enables a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, DACHSER may see if and when an email was opened by a data subject and which links in the email were accessed by data subjects.
Such personal data collected via the tracking pixels contained in the newsletters is stored and evaluated by DACHSER in order to optimise the sending of the newsletters and to better adapt the content of future newsletters to the interests of the data subject. Data subjects are entitled at any time to revoke the declaration of consent made separately for this purpose via the double opt-in procedure. After revocation, this personal data will be erased by DACHSER. A de-registration from receipt of the newsletter is automatically interpreted by DACHSER as a revocation.
The data generated by etracker is processed and stored by etracker exclusively in Germany on behalf of the provider of this website and is therefore subject to strict German and European data protection laws and standards. etracker has been independently tested, certified and ePrivacyseal awarded the data protection seal of approval.
Data processing is carried out on the basis of the legal provisions of art. 6, para. 1, line f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our concern within the meaning of the GDPR (legitimate interest) is the optimisation of our online offer and our website. As the privacy of our visitors is important to us, the data that may allow a reference to an individual person, such as the IP address, login or device IDs, will be anonymised or pseudonymised as soon as possible. No other use, combination with other data or transfer to third parties takes place.
The "do not track" browser setting also automatically excludes you from tracking.
You can object to the aforementioned data processing at any time.
We use the podcast hosting service Podigee from the provider Podigee GmbH, Schlesische Straße 20, 10997 Berlin, Germany. The podcasts are loaded by Podigee or transmitted via Podigee.
Use is based on our legitimate interests, i.e. interest in a safe and efficient provision, analysis and optimisation of our podcast offer in accordance with art. 6, para. 1, line f) GDPR.
Podigee processes IP addresses and device information to enable podcast downloads/replays and to determine statistical data such as listen counts. This data will be anonymised or pseudonymised by Podigee prior to being stored in the database, unless it is required to provide the podcasts.
DACHSER offers services via the DACHSER Platform tool on its website. The core functions of the DACHSER Platform include determining freight costs online, recording transport orders and tracking shipments using Tracking & Tracing.
DACHSER assigns registrations to the DACHSER Platform, and the associated personal data required for the processing and use, to the competent entity within the DACHSER Group, generally the national branch of the national company of the requester, and exchanges this data with this competent entity. For example, registrations and the data used for registration on the DACHSER Platform on the Switzerland website (www.dachser.com/ch) are exchanged with the DACHSER national company in Switzerland (DACHSER Spedition AG). In this context, data may also be transmitted to national companies in third countries. The applications of the DACHSER Platform can be used by users with or without individual registration. Once registered, the respective national company will activate the user after successful authentication. Registered users have more "credentials" than non-registered users, i.e. registered users have access to more extensive services. The personal data that is transmitted to DACHSER is determined by the respective input screen used for registration.
The exclusive purpose of data use when using the DACHSER Platform is the provision of the aforementioned services. The legal basis for processing the data when preparing or executing contracts is Art. 6 (1) (b) GDPR and in all other cases the legal basis is the protection of legitimate interests pursuant to Art. 6 (1) (f) GDPR. For transferring data to a third country, the legal basis is Art. 49 (1) (b) GDPR.
DACHSER offers services on its website under the eLogistics tool. The core functions of the eLogistics portal include the online determination of freight costs, the recording of transport orders and the tracking of shipments by means of tracking & tracing.
DACHSER assigns eLogistics registrations and the associated personal data for processing and use to the competent authority within the DACHSER Group, generally to the national branch of the subsidiary in the country of the requester, and exchanges the data with the latter. For example, registrations and the data used for registration for eLogistics on the website for Switzerland (www.dachser.com/ch) are therefore exchanged with the DACHSER national subsidiary in Switzerland (DACHSER Spedition AG). In this context, data may also be transmitted to national subsidiaries in third countries. The eLogistics applications can be used by users without or with individual registration. In the event of registration, the respective national subsidiary activates the user after successful authentication. When registered, users have more "credentials" available compared to use without registration, i.e. users can access more extensive services. The personal data that is transmitted to DACHSER is determined by the respective input mask used for registration.
The purpose for which data is used when accessing the eLogistics services is exclusively the provision of the aforementioned services. The legal basis for the processing of the data is art. 6, para. 1, line b) GDPR and in all other cases the protection of legitimate interests pursuant to art. 6, para. 1, line f) GDPR. For the transfer of data to a third country, the legal basis is art. 49, para. 1, line b) GDPR.
This page uses the Google Maps mapping service. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Parent: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This allows us to display interactive maps directly on the website and allows you convenient use of the mapping function.
By visiting the website, Google receives the information that you have accessed the corresponding sub-page of our website. In addition, the data referred to in section 2 will be transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish this data to be assigned to your profile on Google, you must log out before activating the button. Google stores your data as usage profiles and uses it for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right. For more information on the purpose and scope of the data collection and its processing by the plugin provider, please refer to the provider's privacy policies.
The legal basis for the processing of your personal data using Google Maps is art. 6, para. 1, line f) GDPR. Data transmission to third countries without an adequacy decision is based on the recognised standard contractual clauses. Details can be found here and here.
On our website, we use social plugins ("plugins") from Facebook, Twitter, YouTube, Xing and LinkedIn. We use plugins in particular to enable you to share content on our website with other users of social networks or to point them to such content. You can identify the provider of the respective plugin by its logo or initial letters.
When you visit our site, we do not initially transfer any personal data to the providers of the plugins. However, if you click on the highlighted field, personal data will be transferred directly from you to the provider of the respective plugin and processed by the provider – possibly in third countries, such as the USA. After clicking on the plugin field, a new window of your browser opens and calls up the page of the provider of the respective social network. Data is transferred to the provider of the respective plugin regardless of whether you have an account with the social network of the plugin provider. If you are logged in to the plugin provider, your data collected with us will be directly assigned to your existing account with the plugin provider.
We have no influence on the type and scope of data collected and processed through the use of the plugins, nor are we aware of the full scope of the data collection, the purposes of the processing or the storage periods. According to the provider of the plugins, the transmitted data includes, among other things, information about your browser, about the websites visited and the date and time of the visit. The plugin providers process this information, for example, to create user profiles of you and to display on-demand advertising. You have the right to object to the creation of these user profiles, whereby you must contact the respective plugin provider to exercise the right to object. For further information, please refer to the Internet pages and data protection notices of the respective providers.
The legal basis for the processing of your personal data using the social plugins is art. 6, para. 1, line f) GDPR. When using the services offered by Facebook, Twitter, YouTube and LinkedIn, data can be transferred to third countries worldwide, such as the USA. In these cases, we will ensure an adequate level of data protection in order to implement the requirements of European law. This is usually done using accepted standard contractual clauses and other suitable guarantees as appropriate.
Access to personal data is technically possible for service providers and contractual partners that we use for the operation of our websites. These third-party providers are obliged to use your personal data only to provide the services we request or otherwise in accordance with our instructions.
Apart from the above data transfers, we will not transmit, sell or market your personal data to third parties, such as other companies or organizations, unless you have given your express consent to this, or the transfer is necessary to fulfil our contractual obligations to you, the user of the website.
The criterion for the duration of the storage of personal data is the respective legal retention period. After the expiry of the period we routinely erase the relevant data, provided that it is no longer required for the fulfilment of the contract or the initiation of the contract.
If the purpose of storage lapses or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be routinely blocked or erased in accordance with the statutory provisions.
As a data subject, you are entitled to the rights set out in articles 15–21 GDPR against DACHSER if the conditions set out therein are met. These are the rights to information (art. 15 GDPR), rectification (art. 16 GDPR), erasure (art. 17 GDPR), restriction of processing (art. 18 GDPR), data portability (art. 20 GDPR) and the right to object (arts. 21 and 22 GDPR). Apart from this, you have the right to lodge a complaint with the supervisory authority pursuant to art. 77 GDPR.
Google Ads allows us to display ads in the Google search engine when users enter certain search terms on Google (keyword targeting). Google Ads is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use Google Ads to measure the number of visits that have come to our website through the display of ads in Google Search and to evaluate which search terms have led to the placement of our ads. Conversion tracking is done exclusively using the cookie-free web analysis tool etracker, which only collects statistical data. We do not use the remarketing function and you will not receive any further advertising from us after visiting our website. The legal basis for this data processing is our legitimate interest in optimising our online offer and our marketing measures. You can object to the aforementioned data processing at any time.
The legal basis for the use of Brightcove Analytics is consent pursuant to Art. 6 (1) sentence 1 lit. a of the German Data Protection Act (DSGVO). You can object to the use of the service via the "Privacy Settings" without losing any of the basic functionalities of the website.
We have taken the necessary precautions pursuant to Art. 44 et seq. GDPR to ensure an adequate level of data protection in the recipient country.
Information on data protection as it pertains to the business relationship
1. General information and definitions
If you contact DACHSER Spedition AG to enter into a business relationship, or if you have a business relationship with DACHSER Spedition AG, we process personal data in accordance with the following provisions.
2. Name and address of the controller and of the data protection representative
The controller within the meaning of the GDPR, other data protection laws applicable in the Member States of the European Union and other provisions related to data protection is:
DACHSER Spedition AG, Althardstr. 355, 8105 Regensdorf, Switzerland, tel.: +41 44-8721-100, fax: +41 44-8721-198, email: firstname.lastname@example.org, website: www.dachser.ch
The contact details of the data protection representative of DACHSER Spedition AG in accordance with the GDPR are
DACHSER SE, Data Protection Officer, Thomas-Dachser-Straße 2, 87439 Kempten, Germany, email: email@example.com
3. General information on data processing
3.1 Scope and purposes of the processing of personal data
We may process various categories of personal data, in particular:
- Name, contact details (e.g. address, telephone number, email address), gender
- Information about your employer, job title, position
- Language preferences
- Contract data
We collect and use the personal data of our business partners primarily for the initiation of contracts or for the processing of our orders and contracts. This includes all activities that are necessary or expedient to conclude, execute and enforce a contract, such as processing orders, quoting, concluding contracts and registering on our website, managing contractual relationships including payment processing, communication and collection. We also process your personal data for other purposes, as far as permitted and deemed appropriate by us:
- For legal protection: We may also process personal data in order to enforce claims prior to court proceedings, in court, out of court and before authorities in Germany and abroad or to defend ourselves against claims.
- To comply with legal requirements: This includes, for example, the processing of complaints and other reports, compliance with orders from a court or an authority, measures to detect and clarify abuses, and generally measures to which we are obliged under applicable law, self-regulation or industry standards.
- For administration and support: In order to make our internal processes efficient, we process data as necessary for IT management, accounting or data archiving.
- We may also process data for other purposes. These include business management, including business organisation and development, other internal processes and administrative purposes (e.g. management of master data, accounting and archiving), training and education purposes, and the preparation and handling of the purchase and sale of business units, companies or parts of companies and other company law transactions and the associated transfer of personal data, as well as measures for business management and the safeguarding of other legitimate interests.
3.2 Handling of personal data
The collection, processing or use of personal data is generally prohibited, unless a legal standard explicitly permits the handling of data. According to the GDPR, personal data may be collected, processed or used in principle:
- In the case of an existing contractual relationship with the data subject.
- In the course of initiating or processing a contract with the data subject.
- If and to the extent that the data subject has given their consent.
Section 3.2 will not apply if the Swiss DSG is exclusively applicable.
3.3 Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, art. 6, para. 1, line a) of the GDPR will form the legal basis for this.
When processing personal data necessary for the performance of a contract to which the data subject is a party, art. 6, para. 1, line b) GDPR is the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
To the extent that processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, art. 6, para. 1, line c) GDPR will be the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or of a third party, and if the interests, fundamental rights and freedoms of the data subject do not outweigh that legitimate interest, art. 6, para. 1, line f) GDPR will be the legal basis for the processing.
3.4 Categories of groups of data subjects and their data
The following categories of data are available to carry out business activities and fulfil all obligations associated with them, if necessary:
- Client data and their contact persons as well as their customers' data transmitted by the client as far as is necessary for order processing and customer support.
- Data from service providers, suppliers and their contact persons as far as is necessary for fulfilment of the order to customers, service providers and suppliers.
When using personal data, and where the scope of the collected data is concerned, the basic rules of the right to informational self-determination and other data protection standards, in particular the preventive prohibition principle, purpose limitation, transparency, information and notification obligations, the principles of data avoidance and data economy, as well as the rights to rectification, blocking, erasure and objection, are observed.
The collection and processing of personal data takes place within the scope of that which is legally permissible. In doing so, the special requirements for the collection and processing of sensitive data in accordance with art. 9, para. 1 GDPR must be observed. In principle, only that information which is necessary for the operational performance of tasks and is directly related to the purpose of processing may be processed and used.
If other bodies request information about data subjects, the information will only be disclosed without the consent of the data subject if a legal obligation or a legitimate interest of the company justifying such disclosure exists, and if the identity of the inquirer is unambiguously established.
3.5 Recipients of personal data
Personal data will only be passed on to third parties involved in the fulfilment of the contract, such as subsidiaries, partners or subcontractors, for the purpose of providing the logistics service commissioned by you. Personal data of those involved in the logistics service will be passed on to the customer of the logistics service (e.g. delivery receipt).
In particular, we will not sell or otherwise market your personal data to third parties.
3.6 Transfer of data to third countries
Data is transferred to third countries only for the purpose of fulfilling commissioned logistics services. In the interests of data economy, only the data required for the dispatch and delivery of goods to client's customers is transferred to the domestic and foreign companies in the DACHSER Group and to external service providers. In this context it is possible for data to be transmitted to recipients in third countries worldwide.
A transfer of data to a third country without an adequate level of data protection is permitted for the performance of a contract between the data subjects and the controller, provided that the transfer of data is necessary for the performance of the contract.
3.7 External service providers/order processing/maintenance
Where necessary, agreements are in place with external service providers in accordance with article 28 GDPR or the EU standard contractual clauses.
3.8 IT security concept
In addition to the technical and organisational measures that have been taken, Dachser has also drawn up appropriate supplementary guidelines due to the fundamental importance of information security.
The Information Security Management System (ISMS) of the DACHSER IT headquarters has been certified in accordance with ISO 27001 since 2011.
3.9 Data erasure and storage periods
The personal data of the data subject will be erased or blocked as soon as the purpose of the storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for conclusion of a contract or fulfilment of a contract.
4. Rights of the data subject
If your personal data is processed, you are the data subject within the meaning of the GDPR and you have the following rights with respect to the data controller. Insofar as the Swiss Data Protection Act is applicable, the provisions of the Data Protection Act will prevail in place of this Section 4 for the exercise of the rights of the data subjects.
4.1 Right of access
You may request confirmation from the controller as to whether personal data concerning you is being processed by us.
In the event of such processing, you may request information from the controller regarding the following:
- The purposes for which the personal data is being processed;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
- The planned duration of the storage of the personal data concerning you or, if specific information is not possible, criteria for determining the duration of the storage;
- The existence of a right to rectify or erase the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
- The existence of a right of appeal to a supervisory authority;
- All available information on the origin of the data when the personal data is not collected from the data subject;
- The existence of an automated decision-making process including profiling in accordance with art. 22, paras. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information on whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees in accordance with art. 46 GDPR which are in place in connection with the transmission.
4.2 Right to rectification
You have the right to rectify and/or complete the data held by the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the rectification without delay.
4.3 Right to restriction of processing
You may request that the processing of your personal data be restricted under the following conditions:
- If you dispute the accuracy of the personal data concerning you for a period that allows the controller to verify the accuracy of the personal data;
- If the processing is unlawful and you refuse to erase the personal data and instead request restriction of the use of the personal data;
- If the controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims, or
- If you object to the processing pursuant to art. 21, para. 1 GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data – with the exception of storage – may only be processed with your consent or for the purpose of establishing, exercising or defending legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4.4 Right to erasure
4.4.1 Obligation to erase
You may require the controller to erase the personal data concerning you immediately and the controller shall be obliged to erase that data immediately, provided that one of the following reasons applies:
- The personal data concerning you is no longer required for the purposes for which it was collected or otherwise processed.
- You revoke your consent on which the processing is based in accordance with art. 6, para. 1, line a) or art. 9, para. 2, line a) GDPR and there is no other legal basis for the processing.
- You object to the processing in accordance with art. 21, para. 1, GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to art. 21, para. 2 GDPR.
- The personal data concerning you has been processed unlawfully.
- The erasure of personal data concerning you is necessary in order to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data concerning you has been collected in relation to information society services offered pursuant to art. 8, para. 1, GDPR.
- 4.4.2 Information to third parties
If the controller has made the personal data concerning you public, and if the controller is obliged to erase that data in accordance with art. 17, para. 1 GDPR, the controller shall, in view of the available technology and implementation costs, be obliged to take appropriate measures, including technical measures, to inform data controllers who process that personal data that you, as the data subject, have requested that all links to that personal data or copies or replicas of that personal data be erased.
The right to erasure does not exist if processing is necessary:
- To exercise the right to freedom of expression and information;
- To fulfil a legal obligation which requires the processing under the law of the Union or of the Member States to which the controller is subject, or to perform a task in the public interest or in the exercise of public authority entrusted to the controller;
- For reasons of public interest in the field of public health pursuant to art. 9, para. 2, h) and i) and art. 9, para. 3 GDPR;
- For archival purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to art. 89, para. 1 GDPR, insofar as the right referred to in section a) is likely to make the achievement of the objectives of this processing impossible or seriously impair it, or
- To establish, exercise or defend legal claims.
4.5 Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of these recipients by the controller.
4.6 Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the controller to whom the personal data has been provided, as long as
- the processing is based on consent pursuant to art. 6 para. 1, line a) GDPR or art. 9, para. 2, line a) GDPR or on a contract pursuant to art. 6, para. 1, line b) GDPR and
- processing takes place using automated procedures.
In exercising this right, you also have the right to require that the personal data concerning you be transmitted by one controller directly to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of public authority delegated to the controller.
4.7 Right to object
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you which is carried out on the basis of art. 6, para. 1, lines e) or f) GDPR; this also applies to profiling based on these provisions.
The controller shall cease processing the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for such marketing purposes; this also applies to profiling, insofar as it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.
4.8 Right to revoke declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. Revocation of the consent will not affect the legality of the processing carried out based on that consent up until the point it was revoked.
4.9 Automated decision-making in individual cases including profiling
You have the right not to be subject to any decision based solely on automated processing, including profiling, which has a legal effect on you or which affects you in a similarly significant way. This does not apply if the decision:
- is necessary for the conclusion or performance of a contract between you and the controller;
- is permissible under the laws of the Union or of the Member States to which the controller is subject, and those laws contain appropriate measures to safeguard your rights and freedoms and legitimate interests, or
- is made with your express consent.
- However, these decisions may not apply to specific categories of personal data under art. 9, para. 1, GDPR unless art. 9, para. 2, line a) or g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express their own position and to contest the decision.
4.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, place of work or place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority to which the complaint was lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under art. 78 GDPR.