V. Your rights
As a data subject, you can assert your statutory rights.
1. Right to confirmation and right of access
Pursuant to Art. 15 of the GDPR, you have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed. Where we do process such data, you have a right to access to your personal data stored, free of charge. This includes the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject: any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, the data subject has the right to be informed whether personal data have been transferred to a third country or to an international organisation. Where that is the case, the data subject further has the right to be informed of the appropriate safeguards relating to the transfer. If you have any questions concerning the collection, processing or use of your personal data, or to exercise your right of access or your other rights, please contact us using the contact details at the end of this policy.
2. Right to rectification
You have the right to obtain from the controller rectification and/or completion of any inaccurate or incomplete personal data concerning you. The controller must make such rectification without undue delay.
3. Right to object
Your right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on a balancing of interests pursuant to point (f) of Art. 6(1) of the GDPR, including profiling based on those provisions (cf. II(2) above). In that case, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You have the right to object at any time to the processing of your personal data for direct marketing purposes; the personal data will then no longer be processed for such purposes.
If you object to the identity and credit check, this may result in our being able to offer you only restricted methods of payment or in our refusing to enter into a contract.
4. Right to withdraw your consent
You have the right to withdraw any consent you may have given at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
5. Right to erasure (right to be forgotten)
a) Conditions for erasure
You have the right to obtain the erasure of personal data concerning you. Please note that the right to erasure without undue delay (Art. 17 of the GDPR) (“right to be forgotten”) only exists where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw consent on which the processing is based according to point (a) of Art. 6(1) of the GDPR, or point (a) of Art. 9(2) of the GDPR, and there is no other legal ground for the processing;
- you object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes pursuant to Art. 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.
b) Further right to be forgotten
Where we have made the personal data concerning you public and are obliged pursuant to Art. 17(1) of the GDPR to erase the personal data, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions to erasure
In addition to the foregoing conditions, please note the following exceptions, which may justify your request of erasure being refused:
The right to erasure shall not exist to the extent that the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9(2) as well as Art. 9(3) of the GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) of the GDPR in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
6. Right to restriction of processing
You have the right to restriction of processing if you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data, or if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead. You also have the right to restriction of processing if we no longer need the personal data, but they are required by you for the establishment, exercise or defence of legal claims. Finally, you can assert that right if you have objected to processing pursuant to Art. 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted, such personal data shall only be processed with the your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The possibility of continued storage remains unaffected. If processing has been restricted pursuant to the above conditions, you will be informed by us before the restriction of processing is lifted.
7. Right to data portability
You also have the right to receive the personal data provided to us by you and which we have processed on the basis of effective consent or whose processing was necessary for entering into and/or performing a valid contract, in a “structured, commonly used and machine-readable format”. You also have the right to have the personal data transmitted directly to another controller, where technically feasible.
The right only exists where the rights and freedoms of other persons are not adversely affected.
8. Asserting your rights
If you have any questions or wish to assert your rights, please contract our customer service (see contact details below).
You may also contact our data protection officer, who is responsible for handling any complaints. You can contact our data protection officer at the following email address: [email protected].
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the General Data Protection Regulation (GDPR).