I. Name and Address of Controller
The Controller in the sense of the General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states, as well as other applicable data protection provisions, is:
Paul Reber GmbH + Co. KG
Ludwigstraße 10-12
83435 Bad Reichenhall
Germany
Telephone: +49 (0) 8651 60 03 0
Fax: +49 (0) 8651 6003 73
E-mail: info@reber.com
Website: www.reber.com
II. Name and Address of Data Protection Officer
The Controller’s data protection officer is:
Lukas W. Mempel
LS-IP Loth & Spuhler Intellectual Property Law
Partnerschaft von Rechtsanwälten mbB
Garmischer Straße 35
81373 Munich
Germany
Telephone: +49 89 48 90 250
Fax: +49 89 48 90 2510
E-mail: info@ls-ip.com
Website: www.ls-ip.com
III. General Information on Data Processing
1. Scope of Personal Data Processing
We collect, store and use personal data of the visitors of our website (users) and customers in principle only to the extent necessary for us to ensure provision of a functional website and its contents and services. Personal data of our users, customers and business partners is collected and used only with their respective consent. An exception can be applied in cases where consent cannot be obtained in advance for factual reasons and processing is permitted by statutory provisions. If we obtain your express consent, your personal data shall be stored according to our regular operation processes and used to inform you about our products and campaigns, as well as for internal evaluations and analyses (internal evaluations of ordering processes, sending of advertisements).
2. Legal Basis for Personal Data Processing
Where consent has been obtained from the data subject for the processing of their personal data, such processing is based on Art. 6(1)(a) of GDPR.
Where the processing of the data subject’s personal data is necessary for the performance of a contract to which such data subject is a party, such processing is based on Art. 6(1)(b) of GDPR. The same applies to the processing operations necessary for the implementation of pre-contractual measures.
Where the processing of personal data is necessary to comply with a legal obligation binding on our company, such processing is based on Art. 6(1)(c) of GDPR.
Where the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, such processing is based on Art. 6(1)(d) of GDPR.
Where processing is necessary for the purposes of the legitimate interests pursued by our company or a third party and such legitimate interests are not overridden by the interests, fundamental rights and freedoms of the data subject, such processing is based on Art. 6(1)(f) of GDPR.
3. Data Deletion and Storage Period
The data subject’s personal data shall be deleted or blocked as soon as the purpose of such data’s storage ceases to exist. Continued retention is possible only if foreseen by the European or domestic legislator under EU law, or by domestic statutes or other regulations binding on the Controller. Data shall be blocked or deleted also where the retention period stipulated in the above-mentioned regulations expires unless further retention of such data is necessary for the conclusion or performance of a contract.
4. SSL Encryption
For security reasons and to ensure safe transmission of confidential contents, such as, for example, purchase orders or enquiries sent by you to us as a website operator, our website uses SSL encryption. An encrypted connection can be recognized by the address bar of the web browser which changes from “http://” to “https://” with a lock symbol appearing in the status bar of your web browser.
If SSL encryption is activated, the data you send us cannot be read by third parties.
IV. Access to Website and Creation of Log Files
1. Description and Scope of Data Processing
Whenever our website is accessed, our system automatically records data and information from the requesting computer’s system.
The following data are collected in this manner:
• IP address of the user,
• date and time of access.
Such data are also stored in our system in log files. However, such data are not stored together with other personal data of the same user.
We use carefully selected external service providers to secure the provision of our website and processing of your personal data in connection therewith. Currently, these providers are
These service providers may process the personal data exclusively on the basis of our instructions, for the purposes specified by us and in the framework of a contract on data processing pursuant to Article 28 of GDPR and they are bound to observe the valid legal regulations on data protection.
No other use of such data is permitted. Processing of such data takes place exclusively on the territory of the Federal Republic of Germany, another European Union member state or another country which is a party to the Agreement on the European Economic Area.
2. Legal Basis for Data Processing
Temporary storage of data and log files is based on Art. 6(1)(f) of GDPR.
3. Purpose of Data Processing
Temporary storage of the IP address by the system is necessary to enable access to the website on the user’s computer. For this purpose, the user’s IP address remains stored for the duration of the session.
Storing in log files is necessary to ensure functionality of the website. In addition, the relevant data serve the purpose of optimizing the website and safeguarding the security of our IT systems. No evaluation of the data for marketing purposes is carried out in connection with this.
These purposes also represent our legitimate interests justifying data processing under Art. 6(1)(f) of GDPR.
4. Retention Period
Data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. Where data are collected for the purpose of accessing the website, deletion occurs as soon as the relevant session is terminated.
Where data are stored in log files, such data are deleted after one month at the latest. A longer retention period is only permitted where the IP addresses of the users are deleted or altered in a way so as to make impossible the matching of such addresses to the clients accessing the website.
5. Right to Object and Request Removal
As the collection of data enabling access to the website and storage of data in log files are essential for the operation of the website, the user does not have the right to object to such processing.
V. Use of Cookies
1. Description and Scope of Data Processing
Provided that you have expressly agreed to their use, cookies are used on our website. These are text files which are stored on the internet browser, or by the internet browser on the user’s computer system. When the user requests a webpage, a cookie can be stored on such user’s operating system. Such cookie contains a specific character sequence which enables clear identification of the browser whenever the website is accessed again.
We use cookies to make our website more user-friendly. Certain features of our website may require the identification of the requesting browser when switching to another page.
In this context, the following data are stored and transmitted in the cookies:
• general browser recognition,
• IP address
When accessing our website, the user is informed about the use of cookies and asked for his consent to the processing of the personal data used in connection therewith. In this context, reference to this data protection policy is made.
2. Legal Basis for Data Processing
Personal data processing in connection with the use of technically essential cookies is based on Art. 6(1)(f) of GDPR.
3. Purpose of Data Processing
The purpose of using cookies is to make the use of websites easier for users. Certain functions of our website cannot be offered without the use of cookies. It is essential for such functions that the browser can be recognized again after switching to another page.
The user data collected through cookies are not used for the compilation of user profiles.
These purposes also represent our legitimate interests justifying data processing under Art. 6(1)(f) of GDPR.
4. Storage Period, Right to Object and Request Removal
You may prevent the use of cookies by not allowing it.
Cookies are stored on the user’s computer and transmitted by it to our site. Thus you, as the user, have full control of the use of cookies. If you change the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies already stored can be deleted at any time; this can occur also automatically. If cookies for our website are deactivated, it is possible that some functions of our website will not be available for full use.
In addition, you may prevent the storing of cookies by the corresponding setting of your browser software; however, we would like to draw your attention to the fact that in such event, you may be unable to fully use the functions of our website. You can also prevent the recording of the data generated by cookies regarding your use of our website (incl. your IP address) by Google, as well as the processing of such data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
VI. Newsletter
1. Description and Scope of Data Processing
If you register on our website as a customer and provide your e-mail address, such address can subsequently be used by us to send you our newsletters. We use newsletters exclusively as a means of direct marketing of our own similar goods and services.
As part of the subscription procedure, your consent to the processing of data is requested and reference is made to this data protection policy.
The following persons and/or companies shall have access to the data in connection with data processing for the distribution of newsletters:
Such data shall be used exclusively for the distribution of newsletters.
2. Legal Basis for Data Processing
Where the customer has given his consent to the processing of data in connection with his subscription to the newsletter, such processing is based on Art. 6(1)(a) of GDPR.
3. Purpose of Data Processing
The customer’s e-mail address is collected for the purpose of distributing newsletters to such customer.
4. Retention Period
The relevant data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The customer’s e-mail address is subsequently stored for as long as his newsletter subscription is active.
5. Right to Object and Request Removal
Subscription to the newsletter can be terminated by the relevant customer at any time. A corresponding link is provided for this purpose in each newsletter.
VII. Registration
1. Description and Scope of Data Processing
On our website, we offer the possibility to register as our customer by providing your personal data. The data necessary for such registration are entered in an input mask and transmitted to and stored by us.
a. Registration as Customer
The following data are collected in the framework of the registration procedure to register as a customer:
• first name and surname
• company name (for business customers)
• address
• telephone number
• telefax number
• e-mail address
• VAT identification number (for business customers)
The following additional data are stored also at the moment of registration:
• IP address
• date and time of registration
The customer’s consent to the processing of such data is requested in the framework of the registration procedure.
b. Transmission of Personal Data
We use carefully selected external service providers in the framework of the registration procedure and for the processing of your personal data in connection therewith. Currently, these providers are:
These service providers may process the personal data exclusively on the basis of our instructions, for the purposes specified by us and in the framework of a contract on data processing pursuant to Article 28 of GDPR and are bound to observe the valid legal regulations on data protection.
No other use of such data is permitted. Processing of such data takes place exclusively on the territory of the Federal Republic of Germany, another European Union member state, or another country which is a party to the Agreement on the European Economic Area.
If we receive an enquiry regarding Reber sales outlets, you as our business customer declare your consent to possible transfer of the following data to the person making such enquiry:
• first name and surname
• company name
• address
• telephone number
• telefax number
• e-mail address
2. Legal Basis for Data Processing
Where the customer has given his consent to the processing of data, such processing is based on Art. 6(1)(a) of GDPR.
3. Purpose of Data Processing
A customer registration serves primarily the purpose of authenticating such customer as a customer of Reber. Upon successful verification, certain contents and services (download portal, marketing methods, training courses, on-line shop etc.) are made available to customers on our website.
Customer registration is necessary for the performance of a contract concluded with the relevant customer or implementation of pre-contractual measures.
Customers may order products through our website. Upon acceptance of such order, we ship the relevant product to the customer. Collection of the first name and surname, company name and address is necessary to process the relevant order.
The customer’s telephone number, telefax number and e-mail address are collected to be able to contact the customer, e.g. if we have further enquiries or want to respond to the customer’s questions.
Business customers’ VAT identification numbers must be collected under Section 14a(1) of the Value Added Tax Act (UStG).
4. Retention Period
The data collected in the course of the registration procedure are deleted upon cancellation or change of the registration on our website.
5. Right to Object and Request Removal
You may cancel your registration at any time. You may amend the stored data regarding your person in the “My Account” section or erase your account entirely at any time. Upon the confirmation of your e-mail address and password, your account on our website will be erased.
Where such data are necessary for the performance of a contract or implementation of pre-contractual measures, premature deletion of such data is possible only if such deletion does not preclude the fulfilment of any contractual or statutory obligations.
VIII. Orders and Contract Conclusion after Registration
1. Description and Scope of Data Processing
You can order our products from our online shop and purchase them either as a guest or after registering on our website.
In the framework of the acceptance and processing of an order after registration, the following additional data are collected and stored:
• products
• price
• date of order
• time of order
• date of invoice
• delivery date
• payment method, possibly with bank details (debit, instant transfer, credit card, PayPal)
• device type.
In the framework of the acceptance and processing of a guest order, the following additional data are collected and stored:
• first name and surname
• company name (for business customers)
• address
• telephone number
• telefax number
• e-mail address
• VAT identification number (for business customers)
• products
• price
• date of order
• time of order
• date of invoice
• delivery date
• payment method, possibly with bank details (debit, instant transfer, credit card, PayPal)
• device type.
We use carefully selected external service providers to secure the acceptance and processing of your orders and the processing of your personal data in connection therewith. Currently, these providers are:
These service providers may process the personal data exclusively on the basis of our instructions, for the purposes specified by us and in the framework of a contract on data processing pursuant to Article 28 of GDPR and are bound to observe the valid legal regulations on data protection.
No other use of such data is permitted. Processing of such data takes place exclusively on the territory of the Federal Republic of Germany, another European Union member state or another country which is a party to the Agreement on the European Economic Area.
2. Legal Basis for Data Processing
Where the customer has given his consent to the processing of data, such processing is based on Art. 6(1)(a) of GDPR.
Where the processing of data is necessary for the performance of a contract to which the customer is a party or for implementation of pre-contractual measures, such processing is additionally based on Art. 6(1)(b) of GDPR.
3. Purpose of Data Processing
Upon acceptance of the order, the products are shipped by us to the customer. Collection of the first name and surname, company name, address, VAT identification number and payment method, possibly with bank details (debit, instant transfer, credit card, PayPal), is necessary for the processing of the respective order.
The customer’s telephone number, telefax number and e-mail address are collected to be able to contact the customer, e.g. if we have further enquiries or want to respond to the customer’s questions.
Business customers’ VAT identification numbers must be collected under Section 14a(1) of the Value Added Tax Act (UStG).
4. Retention Period
Data regarding each order (products, price, date and time of order, date of invoice, delivery date) are deleted after ten years from the completion of the processing of such order.
Customer data (first name and surname, company name, address, telephone number, telefax number, e-mail address, VAT identification number and any other data stored at the moment of registration) are deleted ten years from the completion of the processing of the relevant customer’s last order.
IX. Use of Google reCAPTCHA
1. Description and Scope of Data Processing
Our website additionally uses Google reCAPTCHA, a programme provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google reCAPTCHA is a service that identifies whether data entered on our website is from a human or an automated programme. To this purpose, Google reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. The analysis starts automatically as soon as the website visitor accesses the webpage. Various information is evaluated by Google reCAPTCHA during such analysis (e.g. IP address, time spent by the website visitor on the website or the user’s movements of the mouse). Data recorded during the analysis are transferred to Google.
A reCAPTCHA analysis runs fully in the background, without the website visitor being informed of it.
2. Legal Basis for Data Processing
The data processing is based on Art. 6(1)(f) of GDPR. The website operator has a legitimate interest in protecting the web offer from abusive automated spying and SPAM.
3. Purpose of Data Processing
The purpose of the data processing is to protect our website from abusive automated spying and SPAM.
4. Further Information
Further information regarding Google reCAPTCHA, as well as the privacy policy of Google is available at the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.
X. Use of Google Analytics
1. Description and Scope of Data Processing
If you have given your express consent to the use of Google Analytics, our website uses the functions of the web analytics service Google Analytics provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "Cookies", text files which are stored on your computer and enable the analysis of your use of our website. In principle, information generated by a cookie regarding your use of our website is transferred to and stored on a Google server in the USA.
We have activated the IP anonymization function on our website through which your IP address is abbreviated by Google within the European member states or other countries that are parties to the Agreement on the European Economic Area before it is transferred to the USA. Only in exceptional cases is the full IP address transferred to a Google server in the USA and abbreviated there. Google uses this information on the basis of a contract with the operator of our website to evaluate your use of our website, compile reports on activities on the website and provide other services to the website operator in connection with the use of our website and the internet. The IP address transmitted by your browser in the framework of Google Analytics is not consolidated with other data by Google.
You can find more information about how user data are handled by Google Analytics in the Google data privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.
We have concluded a data processing contract with Google and use Google Analytics in full compliance with the strict requirements of the German data protection authorities.
2. Legal Basis for Data Processing
Storage of Google-Analytics cookies with your consent is based on Art. 6(1)(a) of GDPR.
3. Purpose of Data Processing
The purpose of the data processing is optimisation of our web offer and advertising.
4. Right to Object and Request Removal
You can prevent the use of Google Analytics by not consenting to such use.
In addition, you can prevent the storing of cookies by setting your browser software accordingly; however, we would like to draw your attention to the fact that if you do so, you may be unable to use some of the functions of our website to the full extent. Moreover, you can prevent collection of the data generated by the cookies regarding your use of our website (incl. your IP address) by Google, as well as the processing of such data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
You may prevent collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be activated and prevent collection of your data during your future visits of our website:
XI. Use of Google Web Fonts
1. Description and Scope of Data Processing
To ensure a unified presentation of fonts, our website uses so-called web fonts available from Google. When a web page is requested, your browser loads the necessary web fonts to your browser cache to display texts and fonts correctly.
To achieve this purpose, the browser used by you needs to establish connection with Google servers. This is how Google gains knowledge that our website has been requested by your IP address.
If your browser does not support web fonts, your computer will use standard fonts.
2. Legal Basis for Data Processing
Google web fonts are used in the interests of unified and attractive presentation of our on-line offer. This represents a legitimate interest in the sense of Art. 6(1)(f) of GDPR.
3. Purpose of Data Processing
The purpose of data processing is a unified and attractive presentation of our on-line offer.
4. Further Information
You can find further information on Google web fonts at https://developers.google.com/fonts/faq and in the Google data privacy policy at: https://www.google.com/policies/privacy/.
XII. Use of Social Media Plugins
1. Description and Scope of Data Processing
Provided that you have individually expressly agreed to their use, the following plugins are used by our website:
Facebook, operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland;
If you visit our website and expressly agree to the transfer of your personal data, connection is established with the servers of the above-specified websites. At the same time, the relevant server is informed about which of our pages you have visited.
When you are logged in to your own respective Facebook account, you enable the operator of the relevant website to match your surfing behaviour directly with your personal profile.
2. Legal Basis for Data Processing
The use of Facebook with your consent is based on Art. 6(1)(a) of GDPR.
3. Purpose of Data Processing
We use Facebook in the interests of an attractive presentation of our on-line offer.
4. Further Information
You can find further information on how user data are handled in the following data privacy policies:
Facebook: https://www.facebook.com/privacy/explanation
5. Purpose of Data Processing
The purpose of data processing is to optimize our web offer and advertisement.
6. Right to Object and Request Removal
You may prevent the respective operator of the above-specified websites from matching your surfing behaviour directly with your personal profile by not consenting to the transfer of your personal data.
When you are logged in to your Facebook account, you enable the operator of the given website to match your surfing behaviour directly with your personal profile. You can also prevent this by logging out of your respective Facebook account.
XIII. Establishing Contact, Ordering and/or Otherwise Initiating Business via Contact Form, E-mail, Letter or Telephone
1. Description and Scope of Data Processing
An alternative to your registration on our website is the possibility to establish contact and/or order via a contact form on our website, or by e-mail, letter or telephone.
A contact form used for electronic establishment of contact is available on our website. If you take advantage of this option, the data entered by you in the input mask are transferred to and stored by us. Such data include:
• first name and surname
• address
• telephone number
• e-mail address
• VAT identification number (for business customers)
The following data are stored at the moment of dispatch of the relevant message:
• user IP address
• date and time of contact establishment.
To process the data, your consent is requested as part of the dispatch process and reference is made to this data protection policy.
If you establish contact with us via e-mail, letter or telephone, the data provided by you in such e-mail or letter or during the telephone call is stored. The same applies also when we purchase goods and/or services from you.
We use carefully selected external service providers to ensure acceptance and processing of orders or contracts on the basis of which we purchase goods and/or services from you, as well as your personal data processing in connection therewith. Currently, such providers are:
These service providers may process the personal data exclusively on the basis of our instructions, for the purposes specified by us and in the framework of a contract on data processing pursuant to Article 28 of GDPR and are bound to observe the valid legal regulations on data protection.
No other use of such data is permitted. Processing of such data takes place exclusively on the territory of the Federal Republic of Germany, another European Union member state or another country which is a party to the Agreement on the European Economic Area.
2. Legal Basis for Data Processing
Where the data subject has given his consent to the processing of data, such processing is based on Art. 6(1)(a) of GDPR.
Processing of data transferred in the course of the establishment of contact via a contact form, e-mail, letter or telephone is based on Art. 6(1)(f) of GDPR. Where an order is placed or the e-mail, letter or telephone call aims at the conclusion of a contract, data processing is additionally based on Art. 6(1)(b) of GDPR.
3. Purpose of Data Processing
Processing of the personal data from the contact form, e-mail, letter or telephone call serves the purpose of facilitating communication which represents a legitimate interest for the purposes of data processing.
The purpose of processing other personal data in connection with the contact form during the dispatching process is to prevent abuse of the contact form and guarantee security of our IT systems.
Where an order is placed, the collection of your first name and surname, company name, and address is necessary to process the relevant order.
The collection of your telephone number, telefax number and e-mail address is necessary for us to be able to contact you, e.g. if we have further enquiries or want to respond to your questions.
Business customers’ VAT identification numbers must be collected under Section 14a(1) of the Value Added Tax Act (UStG).
Dates of birth are collected for the purpose of clear identification of the relevant individual and verification of their legal capacity. In addition, we collect dates of birth also for the purpose of sending congratulations to the relevant individual.
4. Retention Period
The data collected through a simple contact establishment (i.e. without ordering) are deleted when the relevant conversation is terminated. A conversation is terminated when one can judge, based on the circumstances, that the relevant matter has been conclusively clarified.
Data regarding a specific order (products, price, date and time of order, date of invoice, delivery date) are deleted ten years from the completion of the processing of such order.
Customer data (first name and surname, company name, address, telephone number, telefax number, e-mail address, VAT identification number and any other data stored at the moment of registration) are deleted ten years from the completion of the processing of the relevant customer’s last order.
Business partners’ data (first name and surname, company name, address, telephone number, telefax number, e-mail address, VAT identification number and any other data stored at the moment of contact establishment) are deleted ten years from the completion of the processing of the last contract.
5. Right to Object and Request Removal
You can withdraw your consent to the processing of your personal data at any time. If you have contacted us via a contact form, by e-mail, letter or telephone, you can object to the storage of your personal data at any time. In such event, the conversation cannot be continued.
Your revocation of your consent and objection to the storing of your data can be sent by e-mail, letter or telephone to the contact information specified under Article I. of this Data Protection Policy.
All personal data stored in connection with your contact with us and/or your order will be deleted in such case.
XIV. Rights of Data Subjects
If your personal data is being processed, you are the data subject in the sense of GDPR and have the following rights vis-à-vis the Controller:
1. Right of Access
You have the right to obtain from the Controller confirmation as to whether personal data concerning you are being processed by us.
If such processing is being performed, you have the right to request from the Controller access to the following information:
(1) the purpose of the processing of your personal data;
(2) the categories of the processed personal data;
(3) the recipients or categories of recipients to whom the personal data concerned have been or will be disclosed;
(4) the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine such period;
(5) the existence of the right to request from the Controller rectification, erasure, or restriction of processing of the personal data concerning you, or to object to such processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) where the personal data were not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling referred to in Art. 22(1) and (4) of GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subjects.
You have the right to request information about whether any personal data concerning you are transferred to a third country or to an international organisation. In this connection, you have the right to request information about the appropriate safeguards pursuant to Article 46 GDPR relating to such transfer.
2. Right to Rectification
You have the right to have inaccurate personal data concerning you rectified and/or incomplete personal data concerning you completed by the Controller. The Controller shall carry out such rectification and/or completion without undue delay.
3. Right to Restriction of Processing
Provided that one of the following grounds applies, you have the right to request from the Controller restriction of the processing of personal data concerning you:
(1) you contest the accuracy of the personal data concerning you for a period enabling the Controller to verify their accuracy;
(2) the processing is unlawful and you oppose erasure of the personal data and request restriction of their use instead;
(3) the Controller no longer needs your personal data for the purposes of the processing but you require such data for the establishment, exercise or defence of legal claims; or
(4) you have objected to the processing pursuant to Art. 21(1) of GDPR, pending verification of whether the Controller’s legitimate grounds override yours.
Where processing of personal data concerning you has been restricted, such data may – with the exception of storage – be processed only with your consent or for the establishment, exercise or defence of legal claims or protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.
Where processing has been restricted on the basis of the above-specified grounds, you shall be informed by the Controller before the restriction of processing is lifted.
4. Right to Erasure
a. Erasure Obligation
You have the right to request from the Controller that personal data concerning you be erased without delay, and the Controller is obliged to erase such data without delay where one of the following grounds applies:
(1) the personal data concerned are no longer needed for the purposes for which they were collected or otherwise processed;
(2) you have withdrawn your consent on which the processing pursuant to Art. 6(1)(a) or Art. 9(2)(a) of GDPR was based, and there is no other legal ground for such processing;
(3) you object to the processing pursuant to Art. 21(1) of GDPR and there are no overriding legitimate grounds for such processing, or you object to the processing pursuant to Art. 21(2) of GDPR;
(4) the personal data concerning you have been unlawfully processed;
(5) erasure of the personal data concerning you is necessary in order to comply with a legal obligation under the EU law or the law of the member state to which the Controller is subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) of GDPR.
b. Informing Third Parties
Where the Controller has made personal data concerning you public and is obliged to erase them pursuant to Art. 17(1) of GDPR, the Controller shall take reasonable steps, including technical measures, taking into account the available technology and implementation costs, to inform other controllers processing such personal data that you, as the data subject, have requested that any links to, and any copies and replications of such data be erased.
c. Exceptions
The right to erasure does not apply where the processing of personal data concerning you is necessary for
(1) the exercise of the freedom of speech and information;
(2) the fulfilment of a legal obligation requiring such processing under the EU law or the law of a member state which the Controller is subject to, or the performance of a task carried out in the public interest, or in the exercise of official authority vested in the Controller;
(3) reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i), as well as Art. 9(3) of GDPR;
(4) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) of GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair achievement of the objectives of such processing; or
(5) the establishment, exercise or defence of legal claims.
5. Right to Information
If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the Controller, the Controller is obliged to notify all recipients to whom personal data concerning you have been disclosed of such rectification or erasure of the personal data or restriction of their processing, unless this proves impossible or involves disproportionate effort.
You have the right vis-à-vis the Controller to be informed of such recipients.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you provided to the Controller, in a structured, commonly used and machine-readable format. In addition, you have the right to have such data transferred to another controller without hindrance from the Controller to whom you have provided such data, where
(1) the processing is based on consent pursuant to Art. 6(1)(a) of GDPR or Art. 9(2)(a) of GDPR or a contract pursuant to Art. 6(1)(b) of GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you furthermore have the right to have the relevant personal data transmitted directly from one controller to another controller if technically feasible and provided that the freedoms and rights of other persons are not prejudiced.
The right to data portability does not apply to the processing of personal data which is necessary for the performance of a task in the public interest or exercise of public authority vested in the Controller.
7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you carried out on the basis of Art. 6(1)(e) or (f) of GDPR; the same applies to profiling based on the same provisions of GDPR.
The Controller shall no longer process such personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you shall have the right at any time to object to such processing; the same applies also to profiling to the extent that it is related to such direct marketing.
If you object to the processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services – notwithstanding Directive 2002/58/EC – you can exercise your right to object by means of an automated procedure using technical specifications.
8. Right to Withdraw Declaration of Consent
You have the right to withdraw your declaration of consent to the processing of personal data concerning you at any time. The lawfulness of the processing based on your consent carried out until the moment of such withdrawal shall not be affected by such withdrawal.
9. Automated Decision-Making in Individual Cases including Profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning your person or affects you in another similarly significant manner. This does not apply where such decision
(1) is necessary for the conclusion or performance of a contract between you and the Controller;
(2) is permitted under the EU law or the law of the member state to which the Controller is subject, and such legal regulations contain adequate measures to safeguard your rights and freedoms, as well as your legitimate interests; or
(3) is made with your express consent.
However, such decisions must not be based on the special categories of personal data specified in Art. 9(1) of GDPR unless Art. 9(2)(a) or (g) of GDPR applies and adequate measures to protect the rights and freedoms, as well as legitimate interests, of data subjects have been implemented.
With regard to the cases mentioned above in paragraphs (1) and (3), the Controller shall implement adequate measures to safeguard your rights and freedoms and legitimate interests, including at least the right to human intervention on the part of the Controller, the right to express your point of view and the right to contest the decision.
10. Right to Lodge Complaint with Supervisory Authority
Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you are of the opinion that the processing of personal data concerning you violates the provisions of GDPR.
The supervisory authority with which your complaint is lodged shall inform you of the progress and the outcome of the complaint, including the possibility of judicial remedy pursuant to Article 78 of GDPR.