RV-Online

Privacy Policy

GDPR-Compliant Privacy Statement of INSTAND e.V.

Status: 29.05.2020

A.      GDPR-Compliant Privacy Statement

I.          Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

INSTAND
Gesellschaft zur Förderung der Qualitätssicherung in medizinischen Laboratorien e.V.
Ubierstr. 20
40223 Düsseldorf

Tel.: +49 5139 9720215

E-Mail: instand@instand-ev.de

Website: www.instand-ev.de

 

II.        Contact details of the data protection officer

The data protection officer of the data controller can be reached at: 

Phone: +49 211 15921376

E-Mail: datenschutz@instand-ev.de

 

III.     General Information on data processing

1.        Scope of the processing of personal data

We only collect and use the personal data of our users insofar as this is necessary to provide a functional website as well as our content and services. The personal data of our users is only collected and used with the consent of the user. An exception is made in cases where prior consent cannot be obtained for factual reasons and the processing of this data is permitted by law.

2.        Legal basis for the processing of personal data

Art. 6(1)(a) of the EU's General Data Protection Regulation (GDPR) shall serve as the legal basis insofar as we have obtained the consent of the data subject to process personal data.

Art. 6(1)(b) of the GDPR shall serve as the legal basis in the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6(1)(c) of the GDPR shall serve as the legal basis.

In the event that the vital interests of the data subject, or another natural person, require the processing of personal data, Article 6(1)(d) of the GDPR shall serve as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) of the GDPR shall serve as the legal basis for processing.

3.        Erasure of data and length of data storage

The personal data of the data subject shall be erased or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislators in Union regulations, laws or other provisions to which the data controller is subject. The data shall also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract. 

 

IV.     Provision of the website and creation of log files

1.        Description and scope of the data processing
Every time our website is visited, our system automatically collects data and information about the computer system of the computer making the request. 

The following data is collected:

The data are also stored in the log files of our system. This data is not stored together with the user’s other personal data.

2.        The legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) of the GDPR. 

3.        The purpose of the data processing

It is necessary for the system to temporarily store the IP address in order to deliver the website to the user's computer. This means the user’s IP address must be stored for the duration of the session.

The data is stored in log files to ensure the functionality of the website. Furthermore, the data enables us to optimize our website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) of the GDPR.

4.        Length of storage

The data shall be erased as soon as they are no longer necessary for achieving the purpose for which they were collected. If the data are collected for the purpose of providing access to the website, this is defined as being the time at which the respective session has ended.

If the data are stored in log files, this is deemed to be no later than seven days. Further storage is possible. In this case, the users' IP addresses are deleted or pseudonymized so that they can no longer be assigned to the requesting client.

5.        Possibility of objection and removal

The collection of data for the provision of the website and the storage of data in log files are absolutely necessary for the operation of the website. Consequently, there is no possibility to object on the part of the user.

 

V.       Use of cookies

a) Description and scope of the data processing

Cookies are text files that are stored on the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all of our website’s functions.

We use a PHP session cookie to make our website more user-friendly. TYPO3 automatically uses a cookie on the form pages, which contains a hash value and serves to protect against CSRF.

We also use technically unnecessary cookies on our website, which enable the user's surfing behavior to be analyzed. You can find the necessary information on this under point IX.

b) The legal basis for data processing

The legal basis for the processing of personal data with respect to the use of cookies is Art. 6(1)(f) of the GDPR.

c) The purpose of data processing

The purpose of using technically necessary cookies is to make it easier for users to use websites. Some functions of our website cannot be accessed without the use of cookies. This requires that the browser be recognized even after moving to another webpage.

The user data collected by technically necessary cookies are not used to create user profiles.

Analysis cookies are used to improve the quality of our website and its content. By analyzing cookies, we learn how the website is used and can thus continuously optimize our offer.

For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) of the GDPR.

e) Length of Storage, possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If the cookies are deactivated for our website, it may no longer be possible to fully use all of the website's functions.

 

VI.     Newsletter

1.        Voluntary Subscription to the Newsletter

You can subscribe to our newsletter by entering your personal data (first name, last name, e-mail address) in the mask and clicking the "Subscribe" button.

For registration to our newsletter, we use the so-called double opt-in procedure. This means that after your registration, we will send an e-mail to the specified e-mail address, asking you to confirm that you are the owner of that address and wish to receive the newsletter. Your information will only be stored if you confirm your registration. In addition, we save the time of registration and confirmation. This procedure aims to prove your registration and, if necessary, clarify a possible misuse of your personal data. After your confirmation, we store your data to send you the newsletter. The legal basis is your consent, according to Art. 6 para. 1 p. 1 lit. a) GDPR.

You can revoke your consent to sending the newsletter at any time and unsubscribe from the newsletter. You can declare the revocation by clicking on the link provided in every newsletter email or by sending an email to instand@instand-ev.de.

Your data will be stored until you revoke your consent or unsubscribe from the newsletter in another way, but not longer than two years since registration, unless legal retention requirements stipulate longer storage.

2.        Newsletter Dispatch to existing Customers

Irrespective of consent, we process the e-mail address of our existing customers to send a newsletter insofar as

a) we have received the customer's e-mail address in connection with the registration for RV-Online or the sale of goods or services,

b) the newsletter contains direct advertising for our own similar goods or services and

c) the customer has not objected to the use.

The legal basis is our legitimate interest in direct advertising, according to Art. 6 para. 1 p. 1 lit. f) GDPR. The customer may object to this use at any time by clicking on the link provided in each newsletter e-mail or by sending an e-mail to instand@instand-ev.de without incurring any costs other than the transmission costs according to the basic rates.

3.        Newsletter Tracking

By ordering the newsletter, you also consent for us to evaluate your user behavior concerning the newsletter. For this evaluation, the emails sent contain so-called tracking pixels, which are single-pixel image files stored on our newsletter service servers and retrieved by your terminal device as soon as an email is opened. By implementing this pixel, we can count email opens and clicks on forwarding links and determine the so-called user agent and the IP address of the recipient.  

The information about your user behavior is collected exclusively in pseudonymized form, i.e., the collected data is not linked to your other personal data; a direct personal reference is excluded. The data will be stored for 400 days.

You can revoke your consent to this tracking at any time with effect for the future by clicking on the separate link provided in every e-mail or by informing us at instand@instand-ev.de. The information will be stored for as long as we send newsletters to you.

 

VII.   Participation in external quality assessment schemes ("EQA schemes")

1.        Description and scope of the data processing

The guideline of the German Federal Medical Association on quality assurance in medical laboratory testing – German: Richtlinie der Bundesärztekammer zur Qualitätssicherung laboratoriumsmedizinischer Untersuchungen, "Rili-BÄK" - prescribes internal and external quality controls for testing carried out within the framework of laboratory medicine. The latter of the two is conducted by participating in EQA schemes offered and organized by Instand e. V.

For the purposes of initiating, concluding and performing the contract for participation in an EQA scheme (including the issuance of certificates or certificates of participation), we process personal data of the EQA schemes participants, including prospective participants.

The data processed for the purposes of participating in an EQA scheme is collected at the time of registration for participation. Registration takes place on paper or via our website.

The provision of personal data is necessary for the conclusion and performance of the contract for participation in an EQA scheme. Failure to provide the data results in the impossibility of participating in an EQA scheme.

2.        The legal basis for the data processing
 
a.      Where the participant is a natural person, the processing of his or her personal data is based on the performance of the contract to which the participant is party or on the steps taken at the participant's request prior to entering into a contract, Art. 6 (1)(b) GDPR. In this case, the following categories of data are processed: contact data (title, first and last name, company, business email address, address, phone number and fax number); financial data (bank details, credit institute, billing address) as well as all other data necessary for the performance of the EQA scheme (delivery address, billing address, certificate address; hash value of the Instand account's password, test results, EQA schemes orders, time of entry of results and orders, language, order number, number of desired certificates, information about the legitimation to participate in the EQA schemes). Where the participant is a legal person, we process the following categories of data: contact data of the respective contact person (title, first and last name, business email address, address, phone number, job title). The legal basis for the data processing in this case are the legitimate interests of Instand e.V. and the participant in the performance of the EQA scheme, Art. 6 (1)(f) GDPR.

b.      In addition, we process the analysis results sent in by the participant for the purpose of carrying out scientific evaluations in an anonymized way. This includes the transfer of the (anonymized) analysis results to the manufacturer of the test system used by the participant to carry out the measurements for quality assurance purposes. The legal basis for the anonymization of the measured values are the legitimate interests of Instand e.V. and the manufacturer in improving and promoting both their business and science, Art. 6(1)(f) GDPR.

3.        The purpose of the data processing

The processing of personal data in connection with the EQA schemes serves the purpose of initiating, concluding and performing the contract for participation in the EQA scheme. This includes the issuance of certificates and certificates of participation.

The anonymization of participant data for the purpose of carrying out scientific analyses in accordance with Section VII.2.b above serves the purposes of protecting the participants' data as well as complying with data protection principles (inter alia, the data minimization principle).

4.        Storage period

The data are deleted as soon as they are no longer necessary for the purpose for which they were collected. Contractual and legal obligations are taken into account. Personal data are stored for a period of up to 10 years where the data has commercial law relevance (Sec. 257 of the German Commercial Code). Personal data with tax law relevance are stored for a period of up to 10 years (Sec. 147 of the German Tax Code). For other types of personal data, the standard storage period is 10 years from deactivation of the participant's account.

5.       International data transfers

The place of processing is the Federal Republic of Germany. In the context of and for the purpose of carrying out the EQA schemes international data transfers, i.e., transfers of personal data to countries outside of the European Economic Area, take place. In particular, personal data is transferred to the following countries:

·       Switzerland

For Switzerland an adequacy decision by the European Commission exists (2000/518/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (notified under document number C(2000) 2304)).

6.        Recipients of personal data

The samples are sent to the participants via transport companies. In this context, personal data of the participants (first and last name, company, delivery address) are disclosed to the transport companies.

In addition, we engage the following service providers for the purposes of carrying out EQA schemes:

Logistics:

IT service provider:

 

VIII.    Trainings

1.        Description and scope of data processing

In addition to external quality assessment schemes, Instand e. V. offers in-service training for the medical profession, members of the medical-scientific professional groups and members of the medical-technical professional groups. These are events that either require a person to be present on site (e.g. seminars, microscopy courses) or training courses that are held in online format.

The content of the advanced training offered is coordinated with the following institutions:

In individual cases, these organisations can also issue and send the training certificates and, if necessary, document the training points determined in advance for the respective event after the required evidence of successful participation has been transmitted by Instand e. V.

Personal data of the training participants are processed for the purpose of initiating participation in a training offered. The data collection for the purpose of participating in a training event is carried out as part of the registration, which is done via a paper form or via the website of Instand e.V.

The provision of personal data is necessary for participation, the implementation of the training and the associated documentation of training success. If this personal data were not provided, the conclusion or implementation of the contract would not be possible.

2.        Legal basis for the data processing

The legal basis for data processing is the contract concluded with the participant or the implementation of pre-contractual measures that take place upon the participant's registration, insofar as the participant is a natural person (Art. 6 Para. 1 lit. b GDPR). In this case, the subject of the data processing is the contact data of the participant (title, academic title, first and last name, company, business email address, address, telephone number and fax number), the participant's payment data (bank details, bank, billing address), as well as all other data required for the implementation of the training.

3.        Purpose of data processing

The processing of personal data in connection with the training carried out serves to initiate, conclude and execute a contract for participation in the respective training. This also includes the transmission of the necessary data of the training participants to the institutions named under point 1 for the issue of qualification certificates respectively participation certificates and the documentation of the training points achieved.

4.        Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Contractual and legal obligations are taken into account. The duration of the storage of personal data is for data with commercial law relevance up to 10 years (§ 257 HGB), for data with tax law relevance up to 10 years (§ 147 AO).

5.        International data transfers

As participants from Austria and Switzerland also register for the training courses offered, the data transfers described in points 1 and 3 also take place to the respective specialist societies of these countries so that they are able to issue country-specific qualification certificates and certificates of participation. The transfer to Switzerland is covered by data protection law because an adequacy decision by the European Commission exists for Switzerland (2000/518/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (notified under document number C(2000) 2304)).

6.        Recipient of the data

Training materials are sent to the participants by using the following transport companies, to which personal data of the participants are transmitted in this context (first and last name, company, delivery address):

The following IT service providers are used as part of the training process:

 
IX.     Contact form and e-mail contacts

1.             Description and scope of the data processing

A contact form on our website can be used to electronically contact us. If a user takes advantage of this option, the following data entered in the input field will be transmitted to us and stored. 

Your consent is obtained for processing the data as part of the submission process and reference is made to this data protection policy.

 Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted by the e-mail will be stored.

 In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

2.        The legal basis for the data processing

The legal basis for the processing of the data is Art. 6(1)(a) of the GDPR if consent has been given by the user.

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6(1)(f) of the GDPR.  

If the aim of the e-mail contact or the transmission of the contact form is the conclusion of a contract, then Art. 6(1)(b) of the GDPR forms the additional legal basis for processing.

3.        The purpose of the data processing

We only process the personal data entered into the input field to establish contact. In the event we are contacted by e-mail, this also constitutes a necessary legitimate interest for processing the data. The other personal data processed during the data submission process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

4.        Length of storage

The data are erased as soon as they are no longer necessary for achieving the purpose for which they were collected. With respect to the personal data entered into the input field of the contact form and the data sent by e-mail, this is the case once the conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively resolved.  

The personal data additionally collected during the form submission process shall be erased after a period of no later than seven days.

5.        Possibility of objection and removal

The user can revoke consent to the processing of personal data at any time. If the user contacts us via the contact form or e-mail, an objection to the storage of personal data can be made at any time. In such case, the conversation cannot be continued.

All personal data stored in the course of contacting us will be deleted in this case.

 

X.     Matomo web analysis (formerly PIWIK)

1.        Scope of the processing of personal data

On our website we use the open source software tool Matomo (formerly PIWIK) to analyze the surfing behavior of our users. The software places a cookie on the user's computer (see above for information on cookies). When individual pages of our website are accessed, the following data is stored:

(1)   Two bytes of the IP address of the user's requesting system

(2)   The website that is visited

(3)   The website from which the user accesses the visited website (referrer)

(4)   The subpages that are called up from the visited website

(5)   Time spent on the website

(6)   How often the website is visited

The software runs exclusively on the servers of our website. The personal data of users is only stored there. The data shall not be passed on to third parties.

The software is set up so that the entire IP address is not stored. Instead, 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). This makes it impossible to attribute the abbreviated IP address to the requesting computer.

2.        The legal basis for the processing of personal data

The legal basis for processing the personal data of the user is Art. 6(1)(f) of the GDPR.

3.        Purpose of the data processing

The processing of users' personal data enables us to analyze the surfing behavior of our users. We are in a position to compile information about the use of the individual components of our website by evaluating the data we obtain. This helps us to continuously improve our website and its user-friendliness. For these purposes, it is also in our legitimate interest to process the data in accordance with Art. 6(1)(f) of the GDPR. By anonymizing the IP address, users' interest in protecting their personal data is sufficiently taken into consideration.

4.         Length of storage

Automatic erasure is currently not activated due to the masking of the IP address.

5.         Possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all of our website’s functions.

More information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/.

 

XI.        Rights of the data subject

If your personal data are processed, you are the data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller:

1.        Right of access

You have the right to ask the data controller to confirm whether we process the personal data concerning you.

If such processing is being conducted, you can request the following information from the data controller:

(1)         the purposes for which the personal data are being processed;

(2)         the categories of personal data being processed;

(3)         the recipients or categories of recipients to whom the personal data concerning you have been or are being disclosed;

(4)         the envisaged period for which the personal data concerning you will be stored, or, if specific information is not possible, criteria used to determine the storage period;

(5)         the existence of a right to rectify or erase personal data concerning you, a right to restrict processing by the data controller or a right to object to such processing;

(6)         the right to lodge a complaint with a supervisory authority;

(7)         any available information on the origin of the data if the personal data are not collected from the data subject;

(8)         the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) of the GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR in connection with the transfer.

2.       Right to rectification  

You have a right to request that the data controller rectify and/or complete the personal data concerning you that are being processed if these data are incorrect or incomplete. The data controller shall make the correction without delay.

3.       Right to restriction of processing

Under the following conditions, you may request that the processing of personal data concerning you be restricted:

(1)       if you contest the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of the personal data;

(2)       the processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;

(3)       the data controller no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or

(4)       if you object to the processing pursuant to Art. 21(1) of the GDPR pending verification of whether the legitimate grounds of the data controller override yours.

If the processing of your personal data has been restricted, such data, with the exception of storage, may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.

4.        Right to erasure

a)        Right to be forgotten
You may request that the data controller delete your personal data without delay, and the data controller shall be obliged to erase this data without delay if one of the following reasons applies:

(1)  Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

(2)   You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, and there is no other legal ground for the processing.

(3)   You object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) of the GDPR.

(4)   Your personal data have been processed unlawfully.

(5)   The erasure of your personal data is necessary to fulfil a legal obligation in Union or Member State law to which the data controller is subject.

(6)   Your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.

b)        Information to third parties

Where the data controller has made your personal data public and is obliged to erase them in accordance with Art. 17(1) of the GDPR, the data controller, taking account of available technology and cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers who are processing the personal data that you, as the data subject, have requested the erasure by such data controllers of any links to, or copy or replication of, those personal data.

c)         Exceptions

The right to erasure shall not apply insofar as the processing is necessary

(1)         for exercising the right of freedom of expression and information;

(2)         for compliance with a legal obligation that requires processing by Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;

(3)         for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;

(4)         for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) of the GDPR, insofar as the right referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing; or

(5)         for the assertion, exercise or defense of legal claims.

5.        Right to information

If you have exercised your right to have the data controller erase or restrict the processing of your data, the data controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to every recipient to whom your personal data have been disclosed, unless this proves impossible or involves a disproportionate degree of effort.

You have the right to be informed of such recipients by the data controller.

6.        Right to data portability

You have the right to receive, in a structured, conventional and machine-readable format, the personal data concerning you that you have provided to the data controller. Furthermore, you have the right to pass this data on to another data controller without being obstructed by the data controller to whom your personal data was given, provided that

(1)      processing is based on consent pursuant to Art. 6(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR, or on a contract pursuant to Art. 6(1)(b) of the GDPR and

(2)      the processing is carried out by automated means.

In exercising this right you shall have the right to have the personal data concerning you transmitted directly from one controller to another, provided this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to portability shall not apply to processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.        Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) of the GDPR, including profiling based on those provisions.

The data controller shall no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8.        Right to revoke consent pertaining to data protection

You have the right to revoke your consent pertaining to data protection at any time. Revoking this consent shall not affect the legality of the processing carried out on the basis of this consent until it was revoked.

9.        Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

(1)         is necessary for entering into, or performance of, a contract between you and the data controller;

(2)         is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms, as well as your legitimate interests; or

(3)         is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9(1) of the GDPR unless Art. 9(2)(a) or (g) applies and suitable measures are in place to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms, as well as your legitimate interests, not least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.

10.    Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you are of the opinion that the processing of the personal data concerning you violates the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.