Hotel Krone
Lingg GmbH & CO KG
A-6883 Au/Bregenzerwald

Telephone: +43(0)5515/2201-0
Fax: +43(0)5515/2201-201

Company Register Number: 174127w
Commercial Court: Regional Court of Feldkirch
Chamber of Commerce: Vorarlberg Economic Chamber, 6800 Feldkirch

E-mail: office@krone-au.at
Internet: www.krone-au.at

Authorised Managing Directors: Birgit and Walter Lingg
VAT ID No.: ATU 4543 5202

Data Protection Officer: Theresa Lingg

Cookie settings
Change cookie settings

Privacy Policy and Consent to Data Use at www.krone-au.at
Data protection is a matter of trust, and your trust is important to us. To ensure that you feel secure when visiting our website, we strictly observe the statutory provisions when processing your personal data and would like to inform you here about our data collection and use. The following privacy policy explains which data are collected about you on our websites, how we process and use these data, and whom you can contact with any concerns.

I. Name and Address of the Data Protection Officer

The data protection officer of the controller is:

Theresa Lingg
Au/Bregenzerwald
Austria

Tel.: ++43(0)5515/2201-0
E-mail: theresa.lingg@krone-au.at
Website: www.krone-au.at

II. General Information on Data Processing

a. Scope of processing of personal data

We generally process personal data of our users only to the extent necessary to provide a functional website as well as our content and services. The processing of personal data of our users regularly takes place only with the user’s consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal provisions.

b. Legal basis for processing personal data

Where we obtain the consent of the data subject for processing operations of personal data, Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

Where processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for carrying out pre-contractual measures.

Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or of another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.

If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis for the processing.

c. Erasure of data and storage period

The personal data of the data subject are erased or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this is provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. Data are also blocked or erased if a storage period prescribed by the aforementioned standards expires, unless continued storage of the data is necessary for the conclusion or performance of a contract.

III. Provision of the Website and Creation of Log Files

a. Description and scope of data processing

Each time our website is accessed, our system automatically records data and information from the computer system of the accessing device.

The following data are collected:

1. Information about the browser type and version used

2. The user’s operating system

3. The user’s Internet service provider

4. The user’s IP address

5. Date and time of access

6. Websites from which the user’s system reaches our website

7. Websites that are accessed by the user’s system via our website

The data are also stored in the log files of our system. These data are not stored together with other personal data of the user.

b. Legal basis for data processing

The legal basis for the temporary storage of the data and log files is Art. 6(1)(f) GDPR.

c. Purpose of data processing

Temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.

Storage in log files ensures the functionality of the website. In addition, the data help us optimise the website and ensure the security of our IT systems. No evaluation of the data for marketing purposes takes place in this context.

These purposes also constitute our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR.

d. Storage period

The data are erased as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of data collection for provision of the website, this is the case when the respective session ends.

In the case of storage of the data in log files, this occurs after no more than seven days. Storage beyond this period is possible. In this case, the users’ IP addresses are erased or anonymised so that assignment to the accessing client is no longer possible.

e. Right to object and to removal

The collection of data for provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no right of objection on the part of the user.

IV. Use of Cookies

a. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user visits a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables unique identification of the browser when the website is visited again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can also be identified after a page change.

The following data are stored and transmitted in the cookies:

1. Language settings

2. Login information

We also use cookies on our website that enable analysis of users’ browsing behaviour.

In this way, the following data can be transmitted:

1. Entered search terms

2. Frequency of page views

3. Use of website functions

The data collected in this manner are pseudonymised by technical means. Therefore, it is no longer possible to assign the data to the accessing user. The data are not stored together with other personal data of the users.

When you visit our website, users are informed by an information banner about the use of cookies for analysis purposes and referred to this privacy policy. In this context, information is also provided on how the storage of cookies can be prevented in the browser settings.

When accessing our website, the user is informed about the use of cookies for analysis purposes and their consent to the processing of the personal data used in this context is obtained. In this context there is also a reference to this privacy policy.

b. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6(1)(f) GDPR.

The legal basis for the processing of personal data using cookies for analysis purposes is, where the user has given consent, Art. 6(1)(a) GDPR.

c. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised again after a page change.

We require cookies for the following applications:

1. Adoption of language settings

2. Remembering search terms

The user data collected by technically necessary cookies are not used to create user profiles.

Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus continuously optimise our offering.

These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6(1)(f) GDPR.

d. Storage period, right to object and to removal

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, you as the user have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all functions of the website to their full extent.

The transmission of Flash cookies cannot be prevented via the browser settings but by changing the settings of the Flash Player.

V. Newsletter

a. Description and scope of data processing

Our website offers the possibility to subscribe to a free newsletter. When registering for the newsletter, the data from the input form are transmitted to us after confirmation via the double opt-in e-mail.

In addition, the following data are collected during registration:

1. IP address of the accessing computer

2. Date and time of registration

During the registration process, your consent is obtained for the processing of the data and reference is made to this privacy policy.

If you purchase goods or services on our website and provide your e-mail address, this may subsequently be used by us for sending a newsletter. In such a case, only direct advertising for our own similar goods or services is sent via the newsletter.

The newsletter service MailChimp (https://mailchimp.com/legal/privacy/) is used for sending the newsletter. With this tool we only receive the e-mail address that you type into the dialog field; we do not collect any further personal data. If you wish to unsubscribe from the newsletter, you can do so via the “Unsubscribe” link in the newsletter. The data are used exclusively for sending the newsletter.

b. Legal basis for data processing

The legal basis for processing the data after newsletter registration by the user is, if the user has given consent, Art. 6(1)(a) GDPR.

The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7(3) of the UWG (Austrian Unfair Competition Act).

c. Purpose of data processing

The collection of the user’s e-mail address serves to deliver the newsletter.

The collection of other personal data during the registration process serves to prevent misuse of the services or of the e-mail address used.

d. Storage period

The data are erased as soon as they are no longer necessary to achieve the purpose for which they were collected. The user’s e-mail address is therefore stored for as long as the newsletter subscription is active.

The other personal data collected during the registration process are generally erased after a period of seven days.

e. Right to object and to removal

The newsletter subscription can be terminated by the data subject at any time. For this purpose, each newsletter contains a corresponding link. This also enables the withdrawal of consent to store the personal data collected during the registration process.

VI. Other Tools

a. Podbean

We use the podcast hosting service Podbean of the provider Podbean Tech LLC, 135 E 57th St, 14th Floor, New York, NY, 10022, USA. The podcasts are loaded from or transmitted via Podbean.

Podbean processes IP addresses and device information to enable podcast downloads/plays and to determine statistical data such as number of accesses. These data are anonymised or pseudonymised before being stored in Podbean’s database, insofar as they are not required for providing the podcasts.

Further information and opt-out options can be found in Podbean’s privacy policy: https://www.podbean.com/privacy

b. Gravatar

Within our online offering, and in particular on the blog, we use the Gravatar service of Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.

Gravatar is a service where users register and store profile pictures and their e-mail addresses. If users with the respective e-mail address leave posts or comments on other online presences (especially blogs), their profile pictures can be displayed next to the posts or comments. For this purpose, the e-mail address provided by the users is transmitted to Gravatar in encrypted form to check whether a profile is stored for it. This is the sole purpose of transmitting the e-mail address; it is not used for other purposes and is deleted thereafter.

By displaying the images, Gravatar becomes aware of users’ IP addresses, as this is necessary for communication between a browser and an online service. Further information on the collection and use of data by Gravatar can be found in Automattic’s privacy notices: https://automattic.com/privacy/.

The legal basis for data processing is Art. 6(1) sentence 1(f) GDPR. Our legitimate interest is the user-oriented design of the website.

c. Google Ads Remarketing

We use Ads Dynamic Remarketing, a web analytics service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin 4, Ireland (“Google”). Ads Dynamic Remarketing uses cookies to analyse your use of our website and then display personalised advertising to you. Google Remarketing is only activated on the basis of your prior active consent via the corresponding interaction with the cookie banner on our website.

The following data are collected by Ads Dynamic Remarketing when you visit our website: information about your browser and device information, unique device identifier, web requests, the pages you visit, telephone number, usage data, date and time of your visit to our website, as well as your IP address. The recipients of the data are Google Ireland Limited, Google LLC, Alphabet Inc.

The collected data are deleted after one year.

d. Google Ads Conversion Tracking

This website uses Google Conversion Tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

With the help of Google Conversion Tracking, Google and we can recognise whether the user has performed certain actions. For example, we can evaluate which buttons on our website are clicked how often and which products were particularly often viewed or purchased. This information is used to compile conversion statistics. We learn the total number of users who clicked on our ads and what actions they performed. We do not receive information that would allow us to personally identify the user. Google itself uses cookies or comparable recognition technologies for identification.

Use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR. Consent can be withdrawn at any time.

More information on Google Conversion Tracking can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=de.

e. YouTube

To integrate and display video content, our website uses plugins from YouTube. The provider of the video portal is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”).

When a page with an integrated YouTube plugin is accessed, a connection to YouTube’s servers is established. YouTube is thereby informed which of our pages you have visited. YouTube also stores a unique ID to track which videos you have watched and how you have used them when visiting our website. YouTube tracks user preferences for YouTube videos embedded on our website and can determine whether the website visitor is using the new or old version of the YouTube interface. YouTube can associate your browsing behaviour directly with your personal profile if you are logged into your YouTube account. You can prevent this by logging out beforehand. YouTube collects user data through the videos embedded on our website, which are combined with profile data from other Google services to show targeted advertising to web visitors across a variety of their own and other websites.

The following data are collected by YouTube: IP address, browsing behaviour, video usage, search queries made, general personal information, user preferences, unique user ID. This information is stored directly by YouTube.

Details on the handling of user and profile data can be found in YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy

f. Google Maps

We use Google Maps, a service of Google LLC, on our website for the search for the nearest branch as a function of our contact form and for the branch finder to search for and locate branches. The responsible service provider in the EU is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin 4, Ireland (“Google”).

Within this service, personal data for identifying the user, their location, and their search behaviour are stored. These data are specified by Google and cannot be influenced by us. For the purpose of personalising the Google Maps experience, Google stores a unique ID via a cookie (“NID”), through which your preferred settings and other information are stored, in particular your preferred language, how many search results should be displayed per page (e.g., 10 or 20), and whether the Google SafeSearch filter should be activated. Google also uses the NID cookie to display Google Ads advertising to users who are not logged in within the services offered by Google.

The following data are collected by Google Maps when you visit our website: search terms, IP address, latitude and longitude coordinates, starting address (for the route planner function). This information is stored directly by Google.

Each “NID” cookie expires 6 months after last use.

g. reCAPTCHA

reCAPTCHA is a free captcha service from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) that protects websites from spam software and misuse by non-human visitors. We use the service when you fill out forms on our website.

A captcha service is a type of automated Turing test designed to ensure that an action on the Internet is performed by a human and not by a bot. reCAPTCHA uses modern risk analysis techniques to distinguish humans from bots. A JavaScript element is integrated into the source code for reCAPTCHA. The tool then runs in the background and analyses your user behaviour. From these user actions, the software calculates a so-called captcha score. Even before the captcha input, Google calculates with this score how likely it is that you are a human. We use reCAPTCHA on our website to prevent bots from manipulating or abusing certain actions (such as newsletter registrations).

reCAPTCHA collects personal data from users to determine whether the actions on our website actually originate from people. The IP address and other data required by Google for the reCAPTCHA service may therefore be transmitted to Google. IP addresses are almost always shortened within the member states of the EU or other parties to the Agreement on the European Economic Area before the data are transferred to a server in the USA. The IP address is not combined with other data from Google unless you are logged into your Google account while using reCAPTCHA.

First, the reCAPTCHA algorithm checks whether Google cookies from other Google services (YouTube, Gmail, etc.) are already placed on your browser. reCAPTCHA then sets an additional cookie in your browser and captures a snapshot of your browser window. The reCAPTCHA service is only activated on the basis of your prior active consent via the corresponding interaction with the cookie banner on our website. Before that, no processing of the data by Google takes place. If you want your personal data to be deleted, you must contact Google Support (https://support.google.com).

The following list of collected browser and user data is not intended to be exhaustive; rather, these are examples of data that, to our knowledge, are processed by Google:

• Referrer URL (the address of the page from which the visitor comes)

• IP address (e.g., 256.123.123.1)

• Information about the operating system (the software that enables your computer to operate; well-known systems include Windows, Mac OS X, or Linux)

• Cookies (small text files that store data in your browser)

• Mouse and keyboard behaviour (each action you perform with the mouse or keyboard is stored)

• Date and language settings (which language and date you have preset on your PC are stored)

• All JavaScript objects (JavaScript is a programming language that enables websites to adapt to the user; JavaScript objects can collect all kinds of data under a name)

• Screen resolution (indicates how many pixels the display consists of)

VII. Google Fonts

We use Google Fonts on our website. These are the “Google Fonts” of Google Inc. For the European area, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for all Google services.

You do not need to register or set a password to use Google Fonts. Furthermore, no cookies are stored in your browser. The files (CSS, fonts) are requested via the Google domains fonts.googleapis.com and fonts.gstatic.com. According to Google, requests for CSS and fonts are completely separate from all other Google services. If you have a Google account, you do not need to worry that your Google account data will be transmitted to Google while using Google Fonts. Google records the use of CSS and the fonts used and stores these data securely. We will look into the details of data storage further.

a. What are Google Fonts?

Google Fonts (formerly Google Web Fonts) is a directory of over 800 fonts that Google makes available to users free of charge.

Many of these fonts are released under the SIL Open Font License, while others are released under the Apache License. Both are free software licenses.

b. Why do we use Google Fonts on our website?

With Google Fonts, we can use fonts on our own website without having to upload them to our own server. Google Fonts is an important building block for keeping the quality of our website high. All Google fonts are automatically optimised for the web, which saves data volume and is a great advantage especially for mobile devices. When you visit our site, the low file size ensures fast loading times. Furthermore, Google Fonts are secure web fonts. Different rendering systems in various browsers, operating systems, and mobile devices can lead to errors. Such errors can sometimes distort text or entire websites. Thanks to the fast Content Delivery Network (CDN), there are no cross-platform issues with Google Fonts. Google Fonts supports all common browsers (Google Chrome, Mozilla Firefox, Apple Safari, Opera) and works reliably on most modern mobile operating systems, including Android 2.2+ and iOS 4.2+ (iPhone, iPad, iPod). We therefore use Google Fonts so that we can present our entire online service as nicely and uniformly as possible.

c. Which data are stored by Google?

When you visit our website, the fonts are reloaded via a Google server. This external request transmits data to Google’s servers. In this way, Google also recognises that you or your IP address have visited our website. The Google Fonts API was designed to reduce the collection, storage, and use of end-user data to what is necessary for proper serving of fonts. (API stands for “Application Programming Interface” and serves, among other things, as a data transmitter in the software area.)

Google Fonts stores CSS and font requests securely at Google and is thus protected. Through the collected usage figures, Google can determine how well the individual fonts are received. Google publishes the results on internal analysis pages, such as Google Analytics. In addition, Google also uses the data of its own web crawler to determine which websites use Google Fonts. These data are published in the Google Fonts BigQuery database. Entrepreneurs and developers use the Google web service BigQuery to examine and move large amounts of data.

It should be noted that with each Google Font request, information such as language settings, IP address, browser version, browser screen resolution, and browser name is also automatically transmitted to Google servers. Whether these data are also stored cannot be clearly determined and is not clearly communicated by Google.

d. How long and where are the data stored?

Google stores requests for CSS assets for one day on its servers, which are mainly located outside the EU. This allows us to use the fonts via a Google stylesheet. A stylesheet is a template that allows you to change, for example, the design or font of a website quickly and easily.

The font files are stored by Google for one year. Google’s goal is to generally improve the loading time of websites. If millions of websites refer to the same fonts, they are cached after the first visit and appear immediately on all subsequently visited websites. Google occasionally updates font files to reduce file size, increase language coverage, and improve design.

e. How can I delete my data or prevent data storage?

The data that Google stores for one day or one year cannot simply be deleted. The data are automatically transmitted to Google when the page is accessed. To have these data deleted prematurely, you must contact Google Support at https://support.google.com/?hl=de&tid=121716211. You can prevent data storage in this case only by not visiting our site.

Unlike other web fonts, Google grants us unrestricted access to all fonts. We can therefore access an unlimited pool of fonts and thus get the best out of our website. More about Google Fonts and further questions can be found at https://developers.google.com/fonts/faq?tid=121716211. Google addresses data protection issues there, but truly detailed information on data storage is not included. It is relatively difficult to obtain truly precise information from Google about stored data.

You can also read which data are generally collected by Google and what these data are used for at https://www.google.com/intl/de/policies/privacy/.

VIII. Web Analytics

a. Scope of processing of personal data

We use Google Analytics, a web analytics service of Google Inc. (“Google”). Google uses cookies. The information generated by the cookie about users’ use of the online offering is generally transmitted to a Google server in the USA and stored there.

Google will use this information on our behalf to evaluate users’ use of our online offering, to compile reports on activities within this online offering, and to provide us with further services related to the use of this online offering and Internet usage. Pseudonymous user profiles can be created from the processed data.

We use Google Analytics only with IP anonymisation enabled. This means that the users’ IP addresses are shortened by Google within member states of the European Union or in other parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user’s browser is not merged with other Google data.

Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection by Google of the data generated by the cookie and related to their use of the online offering, as well as the processing of these data by Google, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information on data use for advertising purposes by Google, settings, and opt-out options can be found on Google’s websites: https://www.google.com/intl/de/policies/privacy/partners/ (“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Control the information Google uses to show you ads”), and http://www.google.com/ads/preferences/ (“Decide what ads Google shows you”).

The software sets a cookie on the user’s computer (see above on cookies). When individual pages of our website are accessed, the following data are stored:

1. Two bytes of the IP address of the accessing system

2. The accessed web page

3. The website from which the user reached the accessed web page (referrer)

4. The subpages accessed from the accessed web page

5. Time spent on the web page

6. Frequency of page access

The software runs exclusively on the servers of our website. Storage of users’ personal data takes place only there. There is no transfer of data to third parties.

The software is configured so that IP addresses are not stored in full, but two bytes of the IP address are masked (e.g., 192.168.xxx.xxx). In this way, the shortened IP address can no longer be assigned to the accessing computer.

b. Legal basis for processing personal data

The legal basis for processing the personal data of users is Art. 6(1)(f) GDPR.

c. Purpose of data processing

Processing users’ personal data enables us to analyse our users’ browsing behaviour. By evaluating the obtained data, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6(1)(f) GDPR. By anonymising the IP address, users’ interest in protecting their personal data is adequately taken into account.

d. Storage period

The data are deleted as soon as they are no longer needed for our recording purposes. In our case, this is after 26 months.

e. Right to object and to removal

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, you as the user have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all functions of the website to their full extent.

We offer our users the option to opt out of the analytics process on our website. To do this, you must follow the corresponding link. In this way, another cookie is set on your system that signals to our system not to store the user’s data. If the user deletes the corresponding cookie from their own system in the meantime, they must set the opt-out cookie again.

Further information on privacy settings can be found at the following link:
https://myaccount.google.com/privacy.

IX. Retargeting and Data Collection by Third Parties

As part of retargeting and banner advertising, we use third-party services that set cookies on our site. These providers are:

– DoubleClick by Google, Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; https://www.google.de/intl/de/policies/technologies/ads/
– Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA; https://www.facebook.com/about/privacy
– Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; https://policy.pinterest.com/de/privacy-policy

X. Rights of the Data Subject

The following list covers all rights of data subjects pursuant to the GDPR. Rights that are not relevant to your own website do not need to be mentioned; the list may be shortened accordingly.

If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

a. Right of access

You may request confirmation from the controller as to whether personal data concerning you are being processed by us.

If such processing is taking place, you may request information from the controller about the following:

1. the purposes for which the personal data are processed;

2. the categories of personal data which are processed;

3. the recipients or categories of recipients to whom the personal data concerning you have been disclosed or will be disclosed;

4. the envisaged period for which the personal data concerning you will be stored, or, if specific information is not possible, the criteria used to determine that period;

5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;

6. the existence of a right to lodge a complaint with a supervisory authority;

7. any available information as to the source of the data if the personal data are not collected from the data subject;

8. the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and—at least in those cases—meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to be informed as to whether personal data concerning you are transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

b. Right to rectification

You have the right to obtain from the controller without undue delay the rectification and/or completion of personal data concerning you if the processed personal data are inaccurate or incomplete.

c. Right to restriction of processing

You may request restriction of processing of personal data concerning you under the following conditions:

1. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

3. the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defence of legal claims; or

4. if you have objected to processing pursuant to Art. 21(1) GDPR and it is not yet verified whether the legitimate grounds of the controller override your grounds.

Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where restriction of processing has been obtained under the above conditions, you shall be informed by the controller before the restriction is lifted.

d. Right to erasure

1. Obligation to erase

You may request from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

1. The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

2. You withdraw your consent on which the processing is based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal ground for the processing.

3. You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.

4. The personal data concerning you have been unlawfully processed.

5. The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

2. Information to third parties

Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Exceptions

The right to erasure does not apply to the extent that processing is necessary

1. for exercising the right of freedom of expression and information;

2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

3. for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) and Art. 9(3) GDPR;

4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

5. for the establishment, exercise, or defence of legal claims.

e. Right to be informed

If you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about those recipients by the controller.

f. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

1. the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR; and

2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others shall not be adversely affected thereby.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

g. Right to object

You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

h. Right to withdraw consent under data protection law

You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

i. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

1. is necessary for entering into, or performance of, a contract between you and the controller;

2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

3. is based on your explicit consent.

However, such decisions must not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, which include at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.

j. Right to lodge a complaint with the data protection authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.