PRIVACY POLICY "ALBERTS.DE"

All personal data is treated confidentially. Our data protection practices comply with the Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR). Below, we provide details regarding data protection.

1. Data controller within the meaning of the GDPR and the BDSG

Gust. Alberts GmbH & Co.KG
Blumenthal 2
58849 Herscheid
Tel.: 02357/9070
Fax: 02357/907189
E-Mail: info@alberts.de

Data Protection Officer:
Contact details: bdsb@alberts.de

2. Reasons for data collection

We collect and process your data to provide our website and to offer you the best possible service through convenient access to our services. We outline these below.

3. Specific data processing activities and services on our website

Below, we inform you about how we collect, store and process data when you use our website.

3.1. Visiting our website

When you access our website, our servers automatically collect general information, in particular for the purposes of establishing a connection, ensuring functionality and maintaining system security. This includes the type of browser used, the operating system used, the domain name of the internet service provider, the connection data of the computer used (IP address), the website from which you visit us (referrer URL), the pages you visit on our site, and the date and duration of the visit. Due to pseudonymisation, it is not possible for us to draw conclusions about specific individuals from this data. This data is not combined with other data sources. The data is deleted after 7 days. The legal basis for the processing of your personal data is Article 6(1)(f) of the GDPR. Our legitimate interest lies in the technically flawless provision of our website and in maintaining the security of the website and the servers used.
Our website is hosted on our behalf by our service provider. Data processed on our website is therefore processed on our behalf on the servers of our service provider, with whom we have a data processing agreement. Processing on the servers of other service providers only takes place if this is expressly stated in this privacy policy. Our service provider is based within a country of the European Union or the European Economic Area.
 

3.2. Contact forms and email contact

If you contact us via the contact form and choose to contact us by email, you must provide your email address and your message to us. If you choose to contact us by telephone, the mandatory details are your telephone number and your message. Mandatory details are marked with an asterisk. All other details are optional. 
The data is stored for the purpose of processing your enquiry. We will not disclose this data without your consent. We will delete the data collected in this context once storage is no longer necessary, or restrict its processing if statutory retention obligations apply. The legal basis for the processing of your personal data is our legitimate interest in responding to your enquiry within the meaning of Article 6(1)(f) of the GDPR, unless your enquiry constitutes a pre-contractual step or relates to an existing contract. In the latter cases, the legal basis for data processing is Article 6(1)(b) of the GDPR.
 

3.3. Handling of calls

To ensure reliable telephone availability, we use an external service provider, sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, to handle incoming telephone calls where necessary, particularly outside our business hours, to assist with high call volumes or the temporary unavailability of internal contacts (such as staff absences due to illness). In this process, calls are answered automatically, the content of the conversation is transcribed using AI-supported speech recognition, and made available to us in text form for further processing. This service is used on a case-by-case basis and serves to ensure the orderly and efficient handling of customer enquiries. In the context of call handling, the following personal data in particular may be processed: the caller's telephone number, the date and time of the call, the content of the call, automatically generated transcripts of the conversation, as well as any contact details provided or other information mentioned during the call. Processing takes place on the basis of your explicit consent in accordance with Article 6(1)(a) of the GDPR. Consent is obtained at the start of the call and may be withdrawn at any time with effect for the future.

An AI-supported speech processing system is used to transcribe the calls. There is no automated decision-making or profiling within the meaning of Article 22 of the GDPR. The evaluation and further processing are carried out exclusively by human staff. The transcripts and associated connection data are stored only for as long as is necessary to process your enquiry, but will be deleted at the latest in accordance with the statutory retention and deletion periods.
 

3.4. Consent management with CookieBot by Usercentrics

We use the consent management tool "CookieBot", which is operated by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark ("Usercentrics").

This enables us to obtain and manage your consent to data processing. The processing is necessary for compliance with a legal obligation (Art. 7(1) GDPR) to which we are subject, so that Art. 6(1)(c) GDPR forms the legal basis for its use. The functionality of the website cannot be guaranteed without this processing.

The following data is processed for this purpose: the type of browser used, the operating system used, the connection data of the computer used (truncated IP address), the pages you visit on our site, and the date and duration of the visit. In addition, a cookie is stored to record the consent given (see also the "Cookies" section of this privacy policy).

Usercentrics is the recipient of your personal data and our data processor; we have therefore entered into a data processing agreement with Usercentrics in accordance with Article 28 GDPR, meaning that we remain responsible for the data processing and Usercentrics is bound by our instructions. The data will be deleted after 12 months. The processing takes place within the European Union.

You can find Usercentrics' privacy policy at:

• https://usercentrics.com/de/datenschutzerklaerung/

The specific privacy policy for the "CookieBot" service can be found at:

• https://www.cookiebot.com/de/privacy-policy/
   

3.5. Facebook Pixel / Custom Audiences

We use the analytics service "Facebook Pixel" with the additional feature "Custom Audiences", which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based or resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland ("Meta").

This feature enables us to target website visitors with advertising by displaying personalised, interest-based Facebook adverts to visitors of this website when they visit the Facebook social network. If the feature is activated, a direct connection to a Facebook server is established when you visit this website. In doing so, information regarding which of our web pages you have visited is transmitted to the Facebook server. Meta associates this information with your personal Facebook user account, provided you have one with Facebook and are logged into that account. The data processed includes:

• Advertisements viewed,
• Browser information,
• Content viewed,
• Device information,
• Geographical location,
• Interactions with adverts,
• Services and products,
• Your device's IP address,
• Marketing information,
• Pixel ID,
• Referrer URL,
• Success of marketing campaigns,
• Usage data,
• user behaviour,
• where applicable, the Facebook user ID.

We only activate Facebook Pixel on our website if you have given your permission to do so. The basis for data processing is then your consent in accordance with Article 6(1)(a) of the GDPR, which you may have given us on your first visit to our website. You may withdraw your consent at any time with effect for the future. You can use the settings link under section 4.1 of this privacy policy to access our CMT, where you can manage your consents. Alternatively, you may contact our Data Protection Officer.

If you have consented to the use of this feature but do not wish Facebook to link the collected information directly to your Facebook user account, you can edit this setting in your Meta account settings.

Meta processes your personal data on our behalf. We have therefore entered into a data processing agreement with Meta in accordance with Article 28(3) DSGVO, in which Facebook undertakes to protect your personal data and not to disclose it to third parties for purposes other than those mentioned above.

The legal basis for the transfer of personal data to the USA is either standard data protection clauses concluded with Meta within the meaning of Article 46(2)(c) GDPR or an adequacy decision by the European Commission within the meaning of Article 45 GDPR, which exists under the EU-US Data Privacy Framework (DPF) and for which Meta is certified, so that this can be used as the legal basis for data transfers to the USA. Further information on this can be obtained using the contact details provided above.

Further information on the collection and use of data by Facebook, your rights in this regard and options for protecting your privacy can be found in Meta's privacy policy at this link:

• https://www.facebook.com/privacy/policy/?locale=de_DE
   

3.6. Google Tag Manager

We use the "Google Tag Manager" service on our website, which is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or, if you are based or resident in the EU, by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

The service enables us to manage website tags via an online interface. This allows us to centrally manage and configure other services mentioned in this privacy policy, and to integrate them or change their configuration without making changes to our website's source code. The service is delivered via a domain that does not itself collect any personal data. Although the service facilitates the integration of other services, it does not have access to this data.

The legal basis for the use of the Tag Manager is our legitimate interest in the simple and efficient management of services integrated into our website (in particular with your consent, as described in this privacy policy). The legal basis for the processing of data is therefore Article 6(1)(f) of the GDPR.

The legal basis for the transfer of personal data to the USA is either standard data protection clauses concluded with Google within the meaning of Article 46(2)(c) GDPR or an adequacy decision by the European Commission within the meaning of Article 45 GDPR, which exists under the EU-US Data Privacy Framework (DPF) and for which Google is certified, so that this can be used as the legal basis for data transfers to the USA. Further information on this can be obtained using the contact details provided above.

Google's privacy policy can be found at the following link:

https://policies.google.com/privacy?hl=de

Google's cookie policy can be found at this link:

https://policies.google.com/technologies/cookies?hl=de
 

3.7. Google Analytics

Provided you have given your voluntary consent, which may be withdrawn at any time, we are entitled to use Google Analytics on this website. Google Analytics is a web analytics service provided to users in the EU/EEA and Switzerland by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Google Analytics uses cookies, i.e. small text files stored on your device that enable the analysis of website traffic. Please note that we use Google Analytics exclusively with IP address anonymisation enabled. We use the "anonymizeIp" function, which ensures the anonymised collection of IP addresses (IP masking); usually by truncating the IP address, so that numerous IP addresses are grouped together. Only in exceptional cases (e.g. in the event of a technical fault within the European Union) is the full IP address transmitted to a Google server outside the EEA and truncated there. The method used by Google to anonymise IP addresses does not store IP addresses on the end device, as the anonymisation takes place in the working memory immediately upon receipt of the request. The IP address transmitted via the browser is also not combined with other data held by Google.

The data collected is used to evaluate the use of our website and to generate reports on website activity. These reports, in turn, enable the analysis of our website's performance. Consent applies only to the specified purposes. The data collected may not be used or stored for any purpose other than those listed below.

The data processed includes:

• IP address,
• usage data,
• Scrolls (when a user scrolls to the bottom of the page),
• click path,
• clicks on external links,
• browser information,
• Device information,
• JavaScript support,
• Pages visited,
• Referrer URL,
• Downloads,
• Ads viewed / clicked,
• Flash version,
• Location information,
• purchasing activity,
• Internet service provider,
• widget interactions,
• Date and time of visit,
• Duration of visit,
• page search,
• Logins,
• registrations.

The legal basis for data processing is your consent within the meaning of Article 6(1)(a) of the GDPR, which you may have given to us via the Consent Management Tool. You may withdraw your consent at any time with effect for the future. You can use the settings link under section 4.1 of this privacy policy to access our CMT, where you can manage your consents. Alternatively, you may contact our Data Protection Officer.

The legal basis for the transfer of personal data to the USA is either standard data protection clauses concluded with Google within the meaning of Article 46(2)(c) GDPR or an adequacy decision by the European Commission within the meaning of Article 45 of the GDPR, which exists under the EU-US Data Privacy Framework (DPF) and for which Google is certified, so that this can be used as the legal basis for data transfers to the USA. Further information on this can be obtained using the contact details provided above.

Google's privacy policy can be found at the following link:

https://policies.google.com/privacy?hl=de

Google's cookie policy can be found at this link:

https://policies.google.com/technologies/cookies?hl=de

4. Cookies and similar services

Cookies and similar technologies are used to enhance the user experience and cater to the preferences of website visitors. This allows us, for example, to save your language selection. Cookies are text files stored on your hard drive to enable the browser to be recognised when you visit the website again. You can prevent cookies from being stored on your hard drive by adjusting your browser settings accordingly. Cookies that have already been set can be deleted at any time. Please refer to your browser's instructions for information on how to delete cookies or prevent them from being stored. If you do not accept cookies, this may impair your use of our website.

4.1 Your current cookie settings and cookies used

4.2 Essential 

Essential cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies. The legal basis for the processing of essential cookies is our legitimate interest in the technically flawless provision of our website within the meaning of Article 6(1)(f) of the GDPR.

Insofar as the "CookieConsent" cookie is concerned, the legal basis is also our obligation to document any consent you may have given or to respect your past refusal of consent within the meaning of Article 6(1)(c) of the GDPR and in accordance with Section 25(1)(2) of the TDDDG.

4.3 Statistics 

Statistics cookies help website owners understand how visitors interact with websites by collecting and analysing information anonymously. The legal basis for processing is the consent you have given us to use these cookies, Article 6(1)(a) of the GDPR.

4.4 Preferences and marketing 

We do not currently use cookies in these categories.

5. LinkedIn profile

The LinkedIn service is a social network operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn Ireland") or LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA ("LinkedIn Corp."), if your place of residence or habitual residence is outside the European Union or the European Economic Area.

Data relating to social media users may be processed for market research and advertising purposes; in particular, user profiles may be created and used to display advertisements both within and outside the networks. Furthermore, data may be stored regardless of the devices used by users (in particular, if users are members of the respective platforms and are logged in to them). The data processed generally includes: contact details, content data, usage data (in particular websites visited, interest in content and access times) and so-called metadata such as device information and IP addresses of the end devices used.

The legal basis for the collection and processing of data is your consent within the meaning of Article 6(1)(a) of the GDPR, which you may have given to LinkedIn Ireland / LinkedIn Corp. You may withdraw your consent to data processing at any time with effect for the future; to do so, please contact the network operator directly. The withdrawal of consent does not affect the lawfulness of the data processing carried out prior to the withdrawal.

Furthermore, legitimate interests within the meaning of Article 6(1)(f) of the GDPR may form the legal basis for data processing. This is the case, for example, where the purpose of data processing is the technically secure operation of the website. For detailed information on the processing and use of data by LinkedIn on its own website, as well as contact details, your rights in this regard and settings to protect your privacy, please refer to LinkedIn's privacy policy, which you can find at the following link:

• https://www.linkedin.com/legal/privacy-policy

Data processing is carried out on the basis of an agreement between joint controllers in accordance with Article 26 of the GDPR, which you can view via the following link:

• https://legal.linkedin.com/pages-joint-controller-addendum

The legal basis for the transfer of personal data to the USA is either the standard data protection clauses agreed with LinkedIn within the meaning of Article 46(2)(c) GDPR or an adequacy decision by the European Commission within the meaning of Article 45 of the GDPR, which exists under the EU-US Data Privacy Framework (DPF) and for which LinkedIn is certified, meaning that this can be used as the legal basis for data transfers to the USA. Further information on this is available via the contact details provided above.

6. YouTube channel

The video platform "YouTube" is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or, if you have your registered office or place of residence in the EU, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

When you visit our channel on YouTube, your data may be automatically collected and stored for market research and advertising purposes. So-called usage profiles are created from this data using pseudonyms. These may be used, for example, to display advertisements within and outside the video platform that are presumed to correspond to your interests. Cookies are generally used on your device for this purpose. Information on how cookies work is provided in the privacy policy on that site; please therefore refer to the relevant information there. These cookies store visitor behaviour and user interests.

Furthermore, we receive a statistical analysis from the data collected, showing which groups of people are interested in our individual videos posted on YouTube. In particular, we are provided with the view counts and playback times of videos in this context. The data is provided in such an anonymised form that it is not possible to identify individual persons. The information contained includes, for example, the approximate geographical location, the age group and other summary characteristics.

The legal basis for the collection and processing of data is your consent within the meaning of Article 6(1)(a) of the GDPR, which you may have given or may give to Google when accessing their website. You may withdraw your consent to data processing at any time with future effect; to do so, please contact Google directly. The withdrawal of consent does not affect the lawfulness of the data processing carried out prior to the withdrawal.

For detailed information on the processing and use of data by Google on the YouTube website, as well as contact details and your rights and settings options regarding the protection of your privacy, please refer to Google's privacy policy, which you can find at the following link:

• https://policies.google.com/privacy?hl=de&gl=de

The legal basis for the transfer of personal data to the USA is either standard data protection clauses concluded with Google within the meaning of Article 46(2)(c) GDPR or an adequacy decision by the European Commission within the meaning of Article 45 GDPR, which exists under the EU-US Data Privacy Framework (DPF) and for which Google is certified, meaning that this can be used as the legal basis for data transfers to the USA. Further information on this can be obtained using the contact details provided above.

7. Facebook fan page and Instagram profile

Our presence on social media networks and platforms, such as Facebook and Instagram, enables us to communicate actively and in a contemporary manner with our customers and prospective clients. We use these platforms to provide information about our services, products and interesting special offers relating to our company. We use the social networks "Facebook" and "Instagram", which are operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").

When you visit our online presence on these platforms, your data may be automatically collected and stored for market research and advertising purposes. So-called usage profiles are created from this data using pseudonyms. These may be used, for example, to display advertisements within and outside the platforms that are presumed to match your interests. Cookies are generally used on your device for this purpose. Information on how cookies work can be found in the "Cookies" section of this privacy policy. These cookies store visitor behaviour and user interests. The legal basis for the processing is Article 6(1)(a) of the GDPR.

The legal basis for the transfer of personal data to the USA is either standard data protection clauses concluded with Meta within the meaning of Article 46(2)(c) GDPR or an adequacy decision by the European Commission within the meaning of Article 45 GDPR, which exists under the EU-US Data Privacy Framework (DPF) and for which Meta is certified, so that this can be used as the legal basis for data transfers to the USA. Further information on this can be obtained using the contact details provided above.

For detailed information on the processing and use of data by the providers on their websites, as well as contact details and your rights and settings options regarding the protection of your privacy, in particular options to object (so-called opt-out), please refer to the providers' privacy policies linked below.

The privacy policy provided by Meta for the social networks Facebook and Instagram can be found at the following link:

• https://privacycenter.instagram.com/policy/

You can find the options for objecting and opting out as follows:

• Facebook: https://www.facebook.com/settings/?tab=privacy
• Instagram: https://www.instagram.com/accounts/privacy_and_security/

Data processing for Facebook is carried out on the basis of an agreement between joint controllers in accordance with Article 26 of the GDPR, which you can view here:

• https://www.facebook.com/legal/terms/page_controller_addendum

8. Applications

We also collect and process personal data from applicants for the purpose of conducting the recruitment process. This processing may also take place electronically. This is always the case when an applicant submits their application documents to us electronically, i.e. by email or via a web form on our website. The legal basis for the processing is the conduct of a recruitment process for the purpose of selection and the conclusion of an employment contract; therefore, the initiation of a contract within the meaning of Article 6(1)(b) of the GDPR constitutes the legal basis under data protection law.

The applicant portal is operated on our behalf by BITE GmbH, Resi-Weglein-Gasse 9, 89077 Ulm (BITE). If we conclude an employment contract with an applicant, the data submitted will be stored for the purpose of administering the employment relationship in accordance with the statutory provisions. However, if no employment contract is concluded between us and the applicant, the application documents will be deleted four months after notification of the rejection decision, provided that no other legitimate interests of the controller preclude such deletion. An example of such a legitimate interest is the obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG). We wish to assess all applicants solely on the basis of their qualifications and therefore ask that you refrain as far as possible from including information in your application regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the unique identification of a natural person, health data, or data concerning sex life or sexual orientation.

9. Data security

We protect our website and other systems against the loss, destruction, unauthorised access, alteration or dissemination of your data by unauthorised persons through technical and organisational measures. Depending on the browser used, data is transmitted using 128 to 256-bit SSL encryption. Despite regular checks and continuous improvement of our security measures, complete protection against all risks is not possible.

10. Deletion

Personal data will be deleted or blocked as soon as the purpose for which it was stored no longer applies, or if you request its deletion and we are no longer subject to any further retention obligations. Data will also be deleted when a retention period prescribed by the aforementioned standard expires, unless there is a need to continue storing the data for the conclusion or performance of a contract, or you have given your consent in this regard.

11. Data transfer to third countries

We use various service providers who supply us with technologies and/or products. Some of these use servers in third countries, i.e. outside the European Union or the European Economic Area, for which the European Commission has determined, by means of an adequacy decision, that the level of data protection is in principle equivalent to that under European data protection law. The associated transfer of personal data must be permissible under Article 44 et seq. of the GDPR. To ensure compliance with the requirements for transfers to third countries, standard data protection clauses issued by the European Commission are in place with service providers who process personal data in a third country for which the European Commission has not determined that data protection law is sufficiently equivalent.

In addition, some service providers have so-called Binding Corporate Rules (BCRs) in place, which ensure that European data protection standards are complied with within the organisation. Where these are in place, we do not agree separate standard contractual clauses with service providers subject to the relevant BCRs. The BCRs are reviewed by one of the European data protection supervisory authorities and approved on a case-by-case basis. This is particularly relevant in the event of intended data processing in the USA or access to data from the USA: There, authorities and intelligence services such as the National Security Agency (NSA) may have access rights and the ability to read personal data without us, as the data exporter, or you, as the data subject, being aware of this, and without effective legal remedies being available to prevent this or to take action against such access. However, some of our service providers undertake to exercise and exhaust the legal remedies available to you under US law against any government access to your data. Some of them also publish transparency reports in which – where legally possible – government requests and responses are listed.

Furthermore, in July 2023, the European Commission adopted the 'EU-US Data Privacy Framework' (DPF), a new adequacy decision for data transfers to the US; however, this applies only to service providers that, through self-certification, submit to specific rules and legal remedies for data subjects. You can check whether a provider has certified itself under the DPF on the DPF website via the following link:

• https://www.dataprivacyframework.gov/s/participant-search

In this privacy policy, we indicate for each individual service whether we base data transfers to a third country on standard contractual clauses, BCRs, the DPF or other legal bases.

12. Rights of the data subject 

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

12.1. Right of access 

You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you may request the following information from the controller:

• the purposes for which the personal data is processed;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the envisaged period for which the personal data concerning you will be stored, or, if this is not possible, the criteria used to determine that period;
• the existence of a right to rectification or erasure of the personal data concerning you, and a right to restriction;
• the processing by the controller or the right to object to such processing; the right to lodge a complaint with a supervisory authority;
• all available information regarding the origin of the data, where the personal data are not collected from the data subject.

12.2. Right to rectification

You have a right to have the data controller rectify and/or complete the data, provided that the personal data concerning you that is being processed is inaccurate or incomplete. The data controller must carry out the rectification without undue delay.

12.3. Right to restriction of processing 

You may request the restriction of the processing of your personal data under the following conditions:

• if you contest the accuracy of the personal data concerning you for a period that enables the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
• the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

Where the processing of your personal data has been restricted, such data – apart from storage – may only be processed with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or of a Member State. If the restriction on processing has been imposed in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

12.4. Right to erasure

12.4.1. Obligation to erase

You may request that the controller erases your personal data without delay, and the controller is obliged to erase such data without delay if any of the following grounds apply:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;
• You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing;
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
• The personal data concerning you has been unlawfully processed;
• The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject
• The personal data concerning you was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR

12.4.2. Information to third parties

Where the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, the controller shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers processing the personal data that you, as the data subject, have requested the erasure of all links to such personal data or of copies or replications of such personal data.

12.4.3. Exceptions

The right to erasure does not apply where processing is necessary:

• for the exercise of the right to freedom of expression and information;
• to comply with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
• for the establishment, exercise or defence of legal claims.

12.5. Right to information 

If you have exercised your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the controller of these recipients.

12.6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and
• the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the freedoms and rights of others.

13. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Article 6(1)(a) or (f) of the GDPR; this also applies to profiling based on these provisions. The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

Where personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for these purposes. In connection with the use of information society services – notwithstanding Directive 2002/58/EC – you have the option of exercising your right to object by means of automated procedures using technical specifications.

13.1. Right to withdraw consent

You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

13.2. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and the outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

14. Updates to this Privacy Policy

Our website is constantly being developed. We therefore update this privacy policy from time to time. We therefore recommend that you check this privacy policy regularly. You can see whether any changes have been made by checking the date below.

Date: 19.02.2026