Data Privacy Policy

 

General information

Name and address of data controller

The data controller in the sense intended by the General Data Protection Regulation and other national data protection laws of the European Union member states and various data protection regulations is:

Deutsches Elektronen-Synchrotron DESY
Notkestrasse 85
22607 Hamburg
Tel. +49 (0)40 89980

Email: desypr@desy.de

Website: www.desy.de

Name and address of data protection officer

The data controller's data protection officer is:

Carsten Porthun
Notkestrasse 85
22607 Hamburg
Tel. +49 (0)40 8998 2553

Email: datenschutz@desy.de

Data processing

General information

Scope of personal data processing

We process users' personal data only insofar as is required for the provision of a functional website and of our content and services. Users' personal data is processed only with their consent except where the processing is permitted under law and it has not been possible to obtain the user's permission in advance. 

Legal basis for the processing of personal data

Insofar as we obtain permission from the data subject for the processing of their personal data, the legal basis is art. 6 para. 1 a of the EU's General Data Protection Regulation (GDPR).

For the processing of personal data for the performance of a contract to which the data subject is party, the legal basis is art. 6 para. 1 b GDPR. This also applies for processing required for pre-contractual measures.

Where the processing of personal data is required for complying with our legal obligations, the legal basis is art. 6 para. 1 c GDPR.

In the event that the processing of personal data is in the essential interests of the data subject or of another natural person, the legal basis is art. 6 para. 1 d GDPR.

Where processing is in our legitimate interests or those of a third party, and the interests and basic rights and freedoms of the data subject do not outweigh such interests, the legal basis for the processing is art. 6 para. 1 f GDPR.

Deletion of data and duration of storage

The data subject's personal data will be deleted or locked as soon as it is no longer needed for the purpose for which it was originally stored. Data can in addition be saved if allowed for by EU or national legislators in EU regulations, statutes or other regulations to which the data controller is subject. Data can also be locked or deleted if a storage period allowed under the aforementioned norms expires, unless the continued storage of the data is required for formation or performance of contract.

Provision of website and creation of logfiles

Description and scope of data processing

Every time a user accesses our website, our system automatically captures the following data and information about the user's computer system:

  1. Browser type and version
  2. User's operating system
  3. User's Internet service provider 
  4. User's IP address
  5. Date and time of access
  6. Website from which user arrives at our website
  7. Websites accessed by user from our website

This data is stored in our system's logfiles. It is not stored with other personal data relating to the user.

Legal basis for data processing

The legal basis for the temporary storage of data and logfiles is art. 6 para. 1 f GDPR.

Purpose of data processing

The temporary storage of the user's IP address in our system for the duration of the user's session is necessary to ensure our website can be delivered to the user's computer. 

Data is stored in logfiles to guarantee the functionality of our website. The data also helps us to optimise our website and ensure our IT systems are secure. The data is not in this context used for marketing purposes.

The aforementioned aims also constitute our legitimate interest in data processing as per art. 6 para. 1 f GDPR.

Duration of storage

Data is deleted as soon as it is no longer required for the purpose for which it was collected. Where data is captured for the purposes of making the website available,  it is deleted when the user's session ends.

Where data is stored in logfiles, it is deleted after seven days at the latest, although it may be saved for longer, in which case the user's IP address will be deleted or anonymised so that the accessing client can no longer be identified. 

Objection and removal

The capture of the data for the provision of the website and the storage of data in logfiles are necessary for the functioning of our website. The user therefore has no right of objection. 

Use of cookies

Description and scope of data processing

Some of our websites/web applications use cookies. Cookies are text files that are saved on the user's computer system in or by the browser software. If a user accesses a website, a cookie can be stored on their operating system. This cookie contains a unique identification code that enables the user's browser to be recognised when the user revisits the website. 

We use cookies to make our website more user-friendly. Some elements of our website require the accessing browser to be identifiable even after the user has gone to a different site. 

The cookies save and transmit the following information:

  1. Language settings
  2. Log-in information

On our websites we also use cookies that enable users' surfing behaviour to be analysed. This means that the following data can be transmitted:

  1. Search terms entered
  2. Frequency of site access
  3. Use of website functions
  4. Page last visited
  5. Path of last search enquiry

Technical precautions are taken to ensure that the data collected in this way is anonymised. Therefore the data cannot be matched with the user and it is not stored with other personal data relating to the user. 

When you access our website, a message will inform you that cookies are used on the site for analysis purposes and will direct you to this data protection statement. You will also learn how to prevent cookies being saved by adjusting your browser settings. 

Legal basis for data processing

The legal basis for using cookies to process personal data is art. 6 para. 1 f GDPR.

Purpose of data processing

We use cookies for technical reasons in order to make use of the website easier for users. Without cookies, some of the functions of our website will not work. These functions require that, when you return to our site, your browser is recognised.

We need cookies for the following uses:

  1. Acceptance of language settings
  2. Registering search terms
  3. Registering last-visited website

The user data we collect for technical purposes via cookies is not used to create user profiles.

We use analysis cookies in order to improve the quality of our websites and their content. They enable us to see how our websites are used and thus to constantly optimise our service.

These purposes also constitute our legitimate interest in the processing of personal data as per art. 6 para. 1 f GDPR.

Duration of storage; objection and removal

Cookies are saved on the user's computer and transferred from there to our site. Therefore you as user have full control over the use of cookies. By adjusting your browser settings you can deactivate or restrict the transfer of cookies. Cookies already saved can be deleted at any time and they can also be deleted automatically, but deletion may result in restricted usability of some of the functions of our website.

Web analysis by Matomo

Scope of personal data processing

On our websites we use the open-source software tool Matomo (formerly PIWIK) to analyse users' surfing behaviour. This software places a cookie (see above) on the user's computer. When individual pages of our websites are accessed, the following data is saved: 

  1. Two bytes of IP address of accessing system
  2. Web page accessed
  3. The referrer website from which the user has arrived at the web page accessed 
  4. The subsequent pages visited from the web page accessed
  5. Dwell time on the web page
  6. Frequency of web page access

The software runs solely on our servers. Users' personal data is stored only there and is not shared with any third party.

The software is used in such a way that IP addresses cannot be saved in full. Two bytes of the address are masked (e.g. 192.168.xxx.xxx). It is therefore not possible to match the abbreviated IP address to the accessing computer.

Legal basis for the processing of personal data

Legal basis for the processing of personal data is art. 6 para. 1 f GDPR.

Purpose of data processing

Processing users' personal data enables us to analyse their surfing behaviour. Evaluating this data enables us to compile information about the use of individual elements of our websites, which in turn aids the continuous improvement of our websites and their user-friendliness. This is also the basis for our legitimate interest in the processing of data as per art. 6 para. 1 f GDPR. In anonymising IP addresses we pay due regard to the users' interest in the protection of their personal data.

Duration of storage

Data is deleted as soon as it is no longer required for our recording purposes (in our case, after 180 days).

Objection and removal

Cookies are saved on the user's computer and then transferred from there to our site. Therefore you as user have full control over the use of cookies. By adjusting your browser settings you can deactivate or restrict the transfer of cookies. Cookies already saved can be deleted at any time, including automatically, but in this case some of the functions of our websites may not be fully available.

On our websites you can opt out of the analysis process by following the relevant link. This will save another cookie on your computer that signals to our system not to save your data. If you then delete this cookie from your system, you will have to re-set it later.

For more on Matomo's privacy settings, see: https://matomo.org/docs/privacy/

Newsletter

Description and scope of data processing

On our websites you can subscribe to our free newsletters such as femto and DESY inForm. When you do so, the data you enter into the input fields will be transmitted to us, i.e.

  1. Your email address
  2. Your name

We also collect the following data:

  1. Date and time of registration

To process this data, we will need your permission, which you can provide when you register. The registration process will also refer you to this data protection statement.

When we process your data for the purposes of sending the newsletter, we do not share any data with any third party. The data is used solely for the sending of the newsletter.

Legal basis for data processing

Subject to your consent, the legal basis for the processing of data after you have subscribed to the newsletter is art. 6 para. 1 a GDPR.

Purpose of data processing

Your email address is collected for the purpose of sending the newsletter.

Duration of storage

Data is deleted as soon as it is no longer required for the purpose for which it was collected. Therefore your email address will be held only for as long as your subscription is active. 

Objection and removal

Subscription to the newsletter can be terminated at any time. Simply follow the link provided at the end of every newsletter.

Print media

Description and scope of data processing

On our website you can subscribe to free print media such as the research magazine femto. If you do so, the data you enter into the input fields will be transferred to us, i.e.

  1. Your email address
  2. Your name
  3. Your address

The following data is also collected when you register:

  1. Date and time of registration

To process this data, we will need your permission, which you can provide when you register. The registration process will also refer you to this data protection statement.

Your data is used solely for the sending of the print media. For the despatch of the research magazine femto, your address details will be shared with a despatch agent. There too your data will be used solely for the despatch of femto and then deleted following despatch of the latest issue. 

For the despatch of other print media, your data is not shared with any third party.

Legal basis for data processing

Subject to your consent, the legal basis for the processing of data following your subscription to print media is art. 6 para. 1 a GDPR.

Purpose of data processing

The purpose of collecting your address is the despatch of the print media. 

Duration of storage

Data is deleted as soon as it is no longer required for the purpose for which it was collected. Therefore your email address and postal address will be held only for as long as your subscription to the print media is active. 

Objection and removal

You can terminate your subscription to print media at any time. See the notice printed in each edition. 

Every subscription form contains details of the person to contact if you wish your data to be deleted or amended. You can also contact this person if you wish to revoke your permission for the storage of the data collected about you during the registration process. 

Registration (e.g. for conferences, accommodation etc.)

Description and scope of data processing

On our website you can register for various offers and services by providing your personal details. The data is provided by you via input fields and then transferred to and stored by us. It will not be shared with any third party. When you register, the following data is collected:

  1. Name
  2. Email address and other contact details where applicable
  3. Your address where applicable
  4. Name of your organisation
  5. Arrival and departure times where applicable
  6. Dietary preferences for conferences

When you register, the following data will also be stored:

  1. User's IP address
  2. Date and time of registration

When you register, your consent to the processing of your data is requested. 

Legal basis for data processing

Subject to your consent, the legal basis for the processing of data is art. 6 para. 1 a GDPR.

Where the registration is for the performance of a contract to which you are party or for the performance of pre-contractual measures, the legal basis for the data processing is also art. 6 para. 1 b GDPR.

Purpose of data processing

We collect and process your data in order to plan and organise the event concerned (for conferences) as well as for registration purposes (e.g. accommodation). 

Duration of storage

Data is deleted as soon as it is no longer required for the purpose for which it was collected. 

Objection and removal

As a user, you can at any time de-register or have the data held about you amended.  

Every registration form contains the details of the person to contact if you wish your data to be deleted or amended. 

Contact form and email address

Description and scope of data processing

Our website uses contact forms that can be used for contacting us electronically. If you use these forms, the information you enter will be transferred to and saved by us, i.e.

  1. Name
  2. Email address
  3. Message content

When you send the message, the following data is saved:

  1. Your IP address
  2. Date and time

As part of the despatch process, your consent for the processing of your data will be obtained and you will be referred to this data protection statement. 

Alternatively you can contact us via the email address provided, in which case the personal data transmitted with the email will be saved.

This process will not involve any sharing of your data with third parties. Your data will be used solely for the processing of the conversation between us. 

Legal basis for data processing

Subject to your consent, the legal basis for the processing of data is art. 6 para. 1 a GDPR.

The legal basis for the processing of data transmitted as part of the sending of an email is art. 6 para. 1 f GDPR. Where the email contact is for the purposes of contract formation, the further legal basis is art. 6 para. 1 b GDPR.

Purpose of data processing

The personal data from the input fields is processed by us solely for the purpose of handling the matter in question. Where contact is made via email, the condition of legitimate interest in data processing is also satisfied. 

The processing of other personal data as part of the despatch process serves to prevent misuse of the contact form and to ensure our IT systems are secure. 

Duration of storage

Your data is deleted as soon as it is no longer required for the purpose for which it was collected. For personal data collected from the input fields of the contact form and for personal data sent to us via email, this deletion occurs when the conversation with you has ended. A conversation is deemed ended when it is reasonable to assume that the matter in question has been satisfactorily dealt with. 

Any additional information collected during the despatch process will be deleted at the latest after seven days.

Objection and removal

You can at any time withdraw your consent for the processing of our personal data. If you contact us via email, you can object at any time to the storage of your personal data. If you do so, our conversation cannot be continued.

Every contact form contains a contact email address. By writing to this address you can revoke your consent or object to the storage of your personal data. All personal data stored as part of the contact process will then be deleted. 

Visitor tours

Description and scope of data processing

DESY is open to visitors. If you register for a DESY tour via email or phone, we will save your data for the purposes of organising the tour. We will record the following details for one contact person per visitor group:

  1. Email address
  2. Name
  3. Address
  4. Phone number
  5. Bundesland (in Germany) or country

As part of the registration process, your consent for the processing will be requested and reference made to this data protection statement. 

The data will be used solely for the organisation of your visit and deleted at the latest 14 days after your visit has ended. The data will not be shared with any third party. 

For statistical purposes we record in anonymised form the number of visitors and where they have come from. The data recorded for visitor groups is:

  1. Group size
  2. Postcode
  3. Bundesland (in Germany) or country

Legal basis for data processing

Subject to the user's consent, the legal basis for the processing of data following registration for a visitor tour is art. 6 para. 1 a GDPR.

Purpose of data processing

The purpose of the capture of the user's address is the organisation of the user's visit to DESY.

Duration of storage

Your data is deleted as soon as it is no longer required for the purpose for which it was collected. The personal data of the contact person for the visitor group will be deleted within 14 days of the end of the visit. For statistical purposes, we permanently save in anonymised form the number of visitors and where they have come from.

Objection and removal

You can object to your data being saved when you register for a visit. Simply email desypr@desy.de or call  +49 40 8998 3613. However if you do so we will not be able to arrange a visit for your group.

App

DESY Phone Book app

The Login occurs via Basic Authentication against a web service*. The user name and password are transmitted via a POST request to the address mentioned below, using SSL-encryption. On the server side an SSL-encrypted LDAP authentication takes place.

If the login is successful, a random hash will be generated on the server. This is stored on the respective device (in the app) and on the server together with a timestamp. Each query will be scanned to ensure that the local-stored hash matches the one on the server and is not older than 180 days. If the respective hash file is older or not matching, the user has to reenter their ID.

At no time will passwords be stored on the smartphone.

* https://pbookapp.desy.de/registration/register.html

Sharing personal data with third parties

Sharing with service providers

We sometimes use service providers to provide you with services and offers – e.g. for the delivery of print media direct from the printer.

Scope of processing of personal data

For the processing of print media deliveries, your address details will be shared with the printer.

Legal basis for the processing of personal data

The legal basis for the transfer of data is art. 6 (1) b GDPR.

Purpose of data processing

The purpose of data processing is the delivery of the print media to which you have subscribed. 

Duration of storage

Your personal data will be processed until delivery of the print media and then deleted.

Web Fonts

This website uses web fonts, provided by Monotype Imaging Holdings Inc. through fast.fonts.net, for the purpose of a uniform typeface. To determine the number of page views for web pages that use Monotype-licensed web fonts, the browser you are using must connect to the servers of fast.fonts.net.
 
Thereby, fast.fonts.net becomes aware that your IP address has been used to access our website. The use of Fonts.com web fonts is in the interest of a uniform layout of our websites. This constitutes a legitimate interest within the meaning of art. 6 para. 1 lit. f GDPR.
 
If your browser does not support web fonts, a standard font will be used by your computer.
 
For more information, please refer to Monotype's Privacy Policy:
https://www.monotype.com/legal/privacy-policy/web-font-tracking-privacy-policy/
 

Social media

Two-click process for enhanced data protection

In order to protect our users' privacy and data, we use the tried-and-tested two-click process, also known as the Shariff Solution, for recommendations made within social networks. The use of this process means that our websites are delivered with inactive buttons that do not transfer any data to social networks. Users can nonetheless manually activate the buttons, thereby creating a connection to their preferred network (first click). The second step involves the user then giving their recommendation (second click). The activation of one of the buttons in the first step therefore means that the user consents to transmit data to the social network concerned for this one page and for the requested service. 

Data protection regulations for use of Facebook

Some of our websites contain plug-ins provided by the social network Facebook.

A social network is an Internet-based social meeting point, an online community that allows its users to communicate with one another and to interact in a virtual environment. Facebook enables users to create private profiles, upload photos and to connect with one another via 'friend' requests.

The operator of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, US. For data subjects outside of the US and Canada, the data controller with responsibility for data processing is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Every time a page that is operated by the data controller is accessed and on which a Facebook plug-in is embedded, the Facebook plug-in concerned makes the browser on the data subject's computer download a copy of the Facebook plug-in from Facebook. On overview of all Facebook plug-ins can be obtained from https://developers.facebook.com/docs/plugins/?locale=de_DE As a result, Facebook learns which specific pages of our website have been visited by the data subject.

If the data subject is at the same time logged in to their Facebook account, Facebook learns which pages of our website the data subject visits over the entire duration of their session. This information is gathered by the Facebook plug-in and then allocated by Facebook to the data subject's Facebook account.

If the data subject is logged into their Facebook account at the same time as they visit our site, Facebook learns via its plug-in that the data subject has visited our website. This happens regardless of whether or not the data subject clicks on the Facebook plug-in. If you wish to prevent the sharing of this information with Facebook, you should log out of your Facebook account before visiting our website. 

The data guidelines issued by Facebook at https://de-de.facebook.com/about/privacy/ contain information on how data is collected, processed and used by Facebook. They also explain how to adjust your Facebook settings to protect your privacy. Various applications are available that enable you to prevent your data being transferred to Facebook. 

Data protection regulations for using Twitter

Some of our websites use elements of Twitter. Twitter is a multilingual public microblogging platform on which users can publish and distribute 'tweets' (short messages of 280 characters or fewer). These tweets can be accessed by everyone, including by people not registered with Twitter. Twitter enables users to communicate with a wide audience using hashtags, links and retweets. 

Twitter is operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, US.

Every time you access one of the pages operated by the data controller and in which a Twitter component has been embedded, your browser will automatically download a copy of the Twitter component concerned onto your system. For more information on the Twitter timeline visit https://help.twitter.com/de/using-twitter/embed-twitter-feed

If you are at the same time logged in to your Twitter account then, every time you access the website on which the Twitter components are embedded, Twitter will know which pages of our website you visit. This information will be gathered by the Twitter components and assigned by Twitter to your Twitter account.

If when you access our website you are at the same time logged in to your Twitter account, Twitter will via these components be informed of your visit and this will happen regardless of whether you click on the Twitter components or not. If you do not wish this information to be shared with Twitter in this way, you should log out of your Twitter account before accessing our website. 

Twitter's data protection regulations can be read at https://twitter.com/privacy?lang=de

Use of external search engines

Our websites use Google's user-defined search function (Google Custom Search Engine, or "Google CSE") as their main search engine. The embedded search facility enables full-text search for content on our publicly accessible websites. This search facility can be accessed via the search box embedded in the page header of the individual websites concerned. 

When you enter a search term into the search box and then hit return or click on the search symbol, you activate the search function and your results will be shown on a results page, which downloads the Google search results using a Google plug-in. In this way data is transferred to the search service.

The plug-in developed and provided by Google ("Google CSE") is embedded by the operator in the search results page. When the search results page is accessed, the plug-in enables automated communication (data exchange) between the search results page displayed and Google. The use of the search function provided by Google encompasses a dynamic transfer of data via Google.

Data is not shared with Google until you conduct a search and thereby access the search results page. By using the search function within the search results page, you will at the same time share your data with Google, but if you use our websites without using Google's user-defined search function, no data will be shared with the search engine provider (Google).

By using the search function and thus accessing the search results page, you consent to the sharing of data with Google. This includes for example the search terms you enter and the IP address of your device.

If you are at the same time logged in with Google, Google can allocate the information directly to your user profile. More information about how Google uses users' data can be found in their data protection statement at http://www.google.com/intl/de/policies/privacy

Use of external map services

Data protection regulations for use of Google Maps

Some of our website use Google Maps to show locations. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, US. By using this website you consent to the capture, processing and use of the data that is automatically collected, and of the data that you enter, by Google, its agents and external service providers.

See Google Maps for their terms and conditions of use. For more details on the relevant data protection regulations see https://policies.google.com/privacy?hl=de

Payment services and processes

Scope of personal data processing

When booking conferences or other events, you may be transferred to our payment service provider, TeleCash GmbH & Co. KG. In such cases we will provide only an ID to which the payment can later be allocated. Other personal data will be collected by the payment service provider on its own behalf under the terms of its data protection statement.

Legal basis for personal data processing

The legal basis for the transfer of data is art. 6 (1) b GDPR.

Purpose of data processing

For the allocation of payments at TeleCash GmbH & Co. KG to the correct conference/seminar registrations, an ID will be created and passed to the service provider together with the registration.

Duration of storage

We will save the payment ID and payment status together with the data that we collect when you register for a conference. The duration of the storage will depend on the registration concerned.

Rights of data subject

If your personal data is processed, you are a data subject in the sense intended by the GDPR and you have the following rights in your relationship with the data controller:

Right to be informed

You have the right to be informed by the data controller whether your personal data is being processed. 

If your data is being processed, you have the right to the following information from the data controller:

(1) The purposes for which the personal data is being processed;

(2) The categories of personal data being processed;

(3) The recipients or categories of recipients to whom your personal data has been or will be disclosed;

(4) The intended duration of storage of the personal data or, if this information is not available, the criteria for determining the duration;

(5) The existence of your right to the correction or deletion of your personal data, your right to the restriction of its processing by the data controller and your right to object to such processing;

(6) The existence of your right to complain to the supervisory authorities;

(7) All available information on the origin of the data insofar as the data was not collected from the data subject;

(8) The existence of automated decision-making including profiling as per art. 22 para. 1 and 4 GDPR and, at least in such cases, meaningful information on the logic involved and the scope and intended effect of such processing for the data subject. 

You have the right to know if your personal data is transferred to a non-EU country or an international organisation. In this context you have the right to be informed of the relevant guarantees that under art. 46 GDPR are to be provided for the transfer of data. 

This right to be informed can be restricted insofar as is there is reason to believe it might jeopardise research or statistical aims and if such restriction is necessary to meet such aims.

Right to correction

You have the right to have your personal data corrected or completed by the data controller. Correction must be carried out by the data controller immediately.

This right to correction can be restricted insofar as is there is reason to believe it might jeopardise research or statistical aims and if such restriction is necessary to meet such aims.

Right to restriction of processing

You have the right to the restriction of the processing of your personal data subject to the following criteria:

(1) You dispute the accuracy of your personal data for a period of time that allows the data controller to check the accuracy of the data concerned;

(2) The processing is unlawful and you decline to have the personal data deleted and instead request that the use of the data be restricted;

(3) The data controller no longer requires the personal data for the purposes originally intended but nonetheless needs it for the assertion of rights or the bringing of or defence against claims; or

(4) You have objected to processing as per art. 21 para. 1 GDPR and it has not yet been established whether the legitimate interests of the data controller outweigh your interests.

Where the processing of your personal data is restricted, this data may (apart from being stored) be processed only with your consent or for the assertion of rights or the bringing of or defence against claims or for the upholding of the rights of another natural or juristic person or on the grounds of significant public interest within the European Union or a member state.

Where processing is restricted in accordance with the aforementioned criteria, the data controller will inform you prior to the removal of such restriction. 

Your right to the restriction of data processing can itself be restricted insofar as there is reason to believe it might jeopardise research or statistical aims and if such restriction is necessary to meet such aims.

Right to deletion

Obligation to delete

You have the the right to the immediate deletion of your personal data by the data controller, provided that:

(1) The data concerned is not longer required for the purposes for which it was originally collected or has otherwise been processed;

(2) You revoke the consent on which under art. 6 para. 1 a or art. 9 para. 2 a GDPR processing was based and there is no other legal basis for the processing.

(3) Under art. 21 para. 1 GDPR you object to processing and there are no legitimate grounds for processing that take priority, or your objection to processing is based on art. 21 para. 2 GDPR;

(4) Your personal data has been processed unlawfully;

(5) The deletion of your personal data is necessary for compliance with a legal obligation under European Union law of the law of a member state to which the data controller is subject;

(6) Your personal data has been collected in relation to services offered as part of the information society as per art. 8 para. 1 GDPR.

Sharing of information with third parties

Where the data controller has published your personal data and is required under art. 17 para. 1 GDPR to delete it, it must, with due regard to the technology available and the costs of implementation, put in place appropriate measures (including technical ones) to inform those responsible for processing your personal data that you, the data subject, have exercised your right to have all links to or copies of your personal data deleted.

Exceptions

You have no right to the deletion of your personal data where its processing is required:

(1) For the exercise of the right to freedom of expression or information;

(2) For compliance with a legal obligation that makes processing necessary under the law of the European Union or the law of a member state to which the data controller is subject or for compliance with an order in the public interest or with an official requirement to which the data controller is subject;

(3) On grounds of public interest as it relates to public health as per art. 9 para. 2 h and i as well as art. 9 para. 3 GDPR;

(4) For archiving purposes or scientific or historical research purposes that are within the public interest or for statistical purposes as per art. 89 para. 1 GDPR, insofar as the rights specified under a) are likely to jeopardise the realisation of the aims of this processing; or

(5) For the assertion of or defence against claims or the exercise of rights.

Right to be informed

If you exercise your rights to have the data controller correct or delete your personal data or to restrict its processing, the data controller must inform all recipients to whom your personal data has been disclosed that you have exercised the aforementioned rights, unless to do so is impossible or would involve disproportionate cost or effort.

You have the right to be informed by the data controller who these recipients are.

Right to data portability

You have the right to receive in a current, structured and machine-readable form the personal data that you have provided to the data controller. You also have the right to transfer this data to another data controller without hindrance by the data controller to whom you provided the data, provided:

(1) The processing is based on consent under art. 6 para. 1 a GDPR or art. 9 para. 2 a GDPR or on a contract as per art. 6 para. 1 b GDPR; 

(2) The data processing is automated.

In exercising this right you further have the right, insofar as is technically feasible and insofar as the rights and freedoms of third parties are not infringed, to have your personal data transferred directly from one data controller to another.

The right to data portability does not apply where personal data needs to be processed in order to comply with an order in the public interest or that is required on official orders to which the data controller is subject. 

Right to object

You have the right at any time and on grounds unique to you to object to the processing of your personal data as based on art. 6 para. 1 e or f GDPR. This right also includes any profiling based on these regulations.

The data controller will then cease to process your personal data unless it can prove compelling grounds for processing that outweigh your interests, rights and freedoms or unless the processing serves the assertion of or defence against claims or the exercise of rights.

Where your personal data is processed for direct marketing purposes, you have the right at any time to object to such processing, including to any profiling related to such direct marketing.

If you do raise such objection, your personal data will not be processed for direct marketing purposes. 

In connection with the use of information society services, and regardless of Directive 2002/58/EC, you can exercise your right to object by using automated processes for which technical specifications are used. 

You further have the right to object on grounds specific to you to the processing of your personal data, as per art. 89 para. 1 GDPR, for the purpose of historical or scientific research or for statistical purposes.

Your right to object can be restricted insofar as is there is reason to believe it might jeopardise research or statistical aims and if such restriction is necessary to meet such aims.

 

Right to revoke your declaration of consent as given under data protection law

You have the right to revoke at any time your declaration of consent as given under data protection law. Such revocation will not affect the lawfulness of any data processing carried out prior to the revocation on the basis of your consent. 

Automated one-off decision-making, including profiling

You have the right not to be the subject of a decision-making process based solely on automated processes, including profiling, that exposes you to negative legal consequences or that has similar significantly negative effects for you. This shall not however apply if the decision:

(1) Is required for formation or performance of contract between you and the data controller;

(2) Is permissible under the legal regulations of the European Union or of a member state to which the data controller is subject and these regulations contain appropriate measures for protecting your rights and freedoms as well as your legitimate interests; 

(3) Is based on your express consent.

Regardless of the aforementioned exceptions, these decisions must not be based on special categories of personal data as per art. 9 para. 1 GDPR unless art. 9 para. 2 a or g GDPR applies and appropriate measures have been put in place to protect your rights and freedoms as well as your legitimate interests. 

In cases covered by (1) and (3) the data controller must take appropriate measures to protect your rights and freedoms as well as your legitimate interests, such measures to include as a minimum the right for a person to intervene with the data controller, the right to have your own point of view represented and the right to contest the decision.

Right to complain to a supervisory authority

Without prejudice to any other legal or judicial remedy, you have the right to complain to a supervisory authority, especially one in the EU member state where you live or work or where the alleged infringement has taken place, if you believe that the processing of your personal data is in breach of the GDPR. 

The supervisory authority to which the complaint is submitted will keep you informed as to the status and outcome of your complaint, including your options for judicial remedy as per art. 78 GDPR.