Data Protection Declaration

1 Controller

In accordance with the EU General Data Protection Regulation (GDPR) and all other regulations concerning data protection, the controller is the Deutsches Institut für Urbanistik gGmbH (German Institute of Urban Affairs). Please find our contact details in the legal notice.

As the operator of this website, the German Institute of Urban Affairs takes the protection of your personal data very seriously and treats your personal data as confidential and in accordance with the statutory provisions. This data protection declaration serves to inform you about the processing of your personal data in accordance with the requirements of GDPR.

For questions regarding the collection, processing or use of your personal data and when seeking information, correction, blocking or deletion of data, please contact us by email at the following email address: difu [at] difu [dot] de

or by post to:

Deutsches Institut für Urbanistik gGmbH
Datenverwendung (use of data)
Zimmerstraße 13-15
10969 Berlin, Germany

In the case of questions, suggestions or comments on the topic of data protection, you can contact our data protection officer at:

Email: datenschutz [at] difu [dot] de

or by post to:

Deutsches Institut für Urbanistik gGmbH
Datenschutzbeauftragter (Data protection officer)
Zimmerstraße 13-15
10969 Berlin, Germany

2 Definition of terms

The data protection declaration of the German Institute of Urban Affairs is based on the definitions of the GDPR. So that our data protection declaration is understandable, we would like to explain the frequently used terms in advance:

Personal data

Personal data is any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

The restriction of processing is the marking of stored personal data with the aim of limiting its processing in the future.

Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Controller

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If the purposes and means of such processing are determined by the European Union or EU member state law, the controller or the specific criteria for its nomination may be provided for by the European Union or by the EU member state law.

Data processor

The data processor is a natural or legal person, authority, institute or other office that processes the personal data on behalf of the controller.

Receiver

The receiver is a natural or legal person, authority, institute or other office to whom the personal data is revealed, irrespective of whether they are a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or EU member state law shall not be regarded as recipients.

Third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3 General information on data processing

3.1 Extent of the personal data processing

We process the personal data of our users only to the extent that it is necessary to provide a working website as well as our content and services. Our users’ personal data is routinely processed only upon the consent of the user. An exception is made in such cases in which the prior obtaining of consent is not possible for practical reasons and the processing of the data is permitted by statutory provisions.

We protect the transfer of your data with a secure (AES 256 bit) TLS connection. TLS (Transport Layer Security) is a security technology, which guarantees that your personal data is securely transferred via the internet and is not transferred in a manner in which third parties can view it. All data is encrypted. You can directly access our encrypted website at https://difu.de. If you access our unencrypted website (at http://difu.de), you will be immediately redirected to https://difu.de/.

3.2 Legal basis for processing personal data

Insofar as we obtain the consent of the data subject for the data processing, Art. 6, para. 1, lit. a of the EU Data Protection Regulation (GDPR) is the legal basis.

When processing the personal data, which requires an agreement to which the data subject is a party, art. 6, para. 1, lit. b GDPR is the legal basis. That is also applicable in regard to data processing that is necessary for the implementation of pre-agreement measures.

If processing personal data is required to fulfil a legal obligation, to which our company is subject, art. 6, para. 1, lit. c GDPR is the legal basis.

If interests which are essential for the life of the data subject or that of another natural person make processing personal data necessary, art. 6, para. 1, lit. d GDPR is the legal basis.

If processing is necessary for the purposes of the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first named interest, then art. 6, para. 1, lit. f GDPR is the legal basis for the processing.

3.3 Deletion of data and storage period

The personal data of the data subject is deleted or made unavailable as soon as the purpose of saving it no longer applies. Furthermore, data may be saved if it is envisaged by European or national legislators in European Union regulations, laws or other provisions to which the controller is subject. The data is also made unavailable or is deleted when a storage period prescribed by the afore-mentioned standards expires, unless it is necessary to continue to store the data for the conclusion or performance of an agreement. If commercial and tax law retention periods are to be observed, the storage period of certain data may last up to 10 years.

4 Difu newsletter (only in German)

4.1 Description and extent of data processing

On our website, there is an option to subscribe to a free newsletter in German. To do so, the data from the newsletter subscription form is transferred to us. The only compulsory field is the email address. You can optionally enter your name. Upon subscribing to the newsletter, your email address and optionally also your name is used with your consent to inform you in the context of the newsletter of our products, such as study results, seminars and publications. In the context of the data processing for sending the newsletter, no data is transferred to the processor or to third parties. The data is used exclusively to send the newsletter.

4.2 Legal basis for data processing

The legal basis for processing the data after the user’s subscription to the newsletter is art. 6, para. 1, lit. a GDPR. It requires the user to give consent. Consent is given in the so-called double opt in procedure. In this procedure, your email address is only used to send this newsletter after you have subscribed and also for email confirmation. In doing so, we obtain the following consent:

“[ ] I hereby consent to receiving the newsletter from the German Institute of Urban Affairs (Deutsches Institut für Urbanistik gGmbH). My consent may be withdrawn at any time.”

4.3 Purpose of the data processing

The user’s email address is collected in order to deliver the newsletter. The option to enter your name allows us to personalise the newsletter.

4.4 Period of storage

The data is deleted as soon as it is no longer required to fulfil the purpose of its collection. The user’s email address and their optionally entered data are accordingly stored for as long as the subscription is active. Any other personal data, which has been collected in the context of the subscription, is deleted after seven days as a rule.

4.5 Option to object and remedy

The consent to receive our email newsletter may be withdrawn at any time. In every newsletter, you will find a link with which you can withdraw your consent. In addition, you can also unsubscribe from the newsletter at https://difu.de/newsletter and therefore no longer receive the newsletter. As a result, the consent to the storage of personal data collected during the subscription procedure is also withdrawn.

5 Press distribution list

5.1 Description and extent of data processing

On our website, we offer users the option to subscribe to all or selected services of our press distribution list. Our press distribution list offers the following services:

  • press releases from Difu / announcement of events (per email and by post)
  • sending of a print issue of the “Berichte” periodical (published every quarter and free), as well as
  • invitations to the “Difu dialogue for the future of towns and cities” events

When registering for the press distribution list, the data from the input screen is sent to us directly by email to presse [at] difu [dot] de and is stored. Nothing is stored on the internet server. Compulsory fields are:

  • name and surname
  • complete postal address

You can optionally add the following data:

  • department
  • job title
  • country
  • telephone
  • mobile number
  • fax
  • other

Messages to the press distribution list are exclusively sent by us. Only in the case of shipments by post do we give your data to a processor, namely, the commissioned shipping company, insofar as it is necessary to send a print copy of the “Berichte” periodical. Insofar as we make use of the shipping company, the contractual relationship is governed by the provisions of GDPR.

5.2 Legal basis for data processing

The legal basis for processing the data after the subscription to the press distribution list by the user is art. 6, para. 1, lit. a GDPR. It requires the user to give consent. To register to be included in our press distribution list, we obtain the following consent:

“[ ] I hereby consent to being included in the press distribution list of the German Institute of Urban Affairs (Difu) and consent to receiving the services that I have selected. My consent may be withdrawn at any time. In order to do so, please send an email to presse [at] difu [dot] de.”

5.3 Purpose of the data processing

The collection of the email addresses is to enable the delivery of press releases as well as the announcement of and invitation to events by email. The postal address is required to send the print copy of the “Berichte” periodical.

5.4 Period of storage

The data is deleted as soon as it is no longer required to fulfil the purpose of its collection. The user’s email address is accordingly stored for as long as subscription to the press distribution list is active.

5.5 Option to object and remedy

Consent to be included in the press distribution list may be withdrawn at any time. In order to withdraw consent, you will find the following text in every email received via the press distribution list: “Unsubscribe from the press distribution list: Send an email to pressestelle [at] difu [dot] de - Subject: Unsubscribe.” Furthermore, you can unsubscribe from the press distribution list by post or otherwise. As a result of unsubscribing, the withdrawal of consent for the storage of personal data collected during the subscription procedure is also enacted.

6 Provision of the website and the creation of log files

6.1 Description and extent of data processing

Every time our website is visited, our system collects automated data and information from the computer system of the visiting computer.

In doing so the following data is collected:

  • information on the browser type and the version used
  • the user’s operating system
  • the user’s IP address
  • date and time of the visit
  • the website visited
  • website from which the user’s system has reached this website (referrer)
  • website from which the user’s system has retrieved this website

The data is stored in our system’s log files. This data is not stored together with the user’s other personal data. After the afore-mentioned data has been anonymised (the last 2 bytes of the user’s IP addresses are deleted so that it is no longer possible to reference the visiting client), the data is processed using the web analysis software AWStats.

6.2 Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is art. 6, para. 1, lit. f GDPR. The storage is necessary for the purposes of the legitimate interests of the German Institute of Urban Affairs.

6.3 Purpose of the data processing

Our legitimate interest in the data processing as per art. 6, para. 1, lit. f GDPR arises from the purpose of the data processing. The temporary storage of the IP address by the system is necessary in order to allow the delivery of the website to the users’ computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

The log files are stored in order to ensure the functionality of the website. Furthermore, we use the data to optimise the website and to ensure the security of our IT systems. It is only in this way that we can recognise abuse early and best protect the data processed by us against unauthorised access by third parties. The data is not evaluated for marketing purposes.

The afore-mentioned anonymised personal data of the user is processed with the web analysis software AWStats for the purpose of improving the quality of our website and its content, in order to make visiting our website attractive and to allow the use of certain functions. It requires the analysis of the surfing behaviour of our users as a whole. Thanks to the evaluation of the data obtained we are able to compile information about the use of the individual components of our website. As a result we can constantly improve our website and its user friendliness. A legitimate interest in processing the data as per art. 6, para. 1, lit. f can also be found in these purposes.

6.4 Period of storage

The data is deleted as soon as it is no longer required to fulfil the purpose of its collection.

  • This is the case for the data collected for the provision of the website when the respective session is ended.
  • The data in log files is stored for 90 days solely for the purpose of maintaining the security of our IT systems. That is the minimum period necessary in order to meet the purpose of the storage - defence against attacks.
  • Furthermore, the data is no longer stored since it is anonymised (user IP addresses are deleted or disassociated so that it is no longer possible to reference the accessing client).

6.5 Option to object and remedy

The collection of the data is absolutely necessary for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no option to object on the part of the user.

7 Social media

There is an external link to our page on “Facebook” behind the button “Difu on Facebook” on our website. Cookies are not saved on your computer nor is your data transferred.

8 Use of cookies

8.1 Description and extent of data processing

Our website uses cookies. Cookies are small text files that are saved in or from the internet browser to the user’s computer system, i.e. to your terminal device. If a user visits a website, a cookie can be saved in the user’s operating system. This cookie contains a string of characters, which allow an unambiguous identification of the browser when the website is visited again. Some of the cookies that we use are deleted after the end of the browser session, i.e., after your browser is closed (so-called session cookies). Other cookies remain on your terminal device and allow us to recognise your browser on your next visit (persistent cookies).

We use cookies to make our website more user friendly. Some elements of our website require the accessing browser to be identified even after the user has left the site. The following data is stored and transferred by the cookies:

  • language settings
  • articles in the basket
  • log-in information
  • sequence of database sessions (extranet)

8.2 Legal basis for data processing

The legal basis for the processing of personal data using cookies is art. 6, para. 1, lit. f GDPR. The storage is necessary for the purposes of the legitimate interests of the German Institute of Urban Affairs. This arises from the purpose of the data processing:

8.3 Purpose of the data processing

The purpose of using cookies is to make it easier for the user to use the website. Some functions on our website cannot be provided without the use of cookies. For these functions, it is necessary that the browser is also recognised again after the site has been left. We use cookies for the following applications:

  • basket
  • acceptance of language settings
  • remembering search terms
  • log-in details and sessions of registered users on the extranet
  • data bank sessions on the extranet

The user data collected through technically necessary cookies are not used to create user profiles.

8.4 Period of storage, option to object and remedy

Cookies are stored on the user’s computer and are transferred from it to our website. Therefore, you as the user also have full control over the use of cookies. By changing the settings on your internet browser you can deactivate or limit the transfer of cookies. Already saved cookies can be deleted at any time. It can also be done automatically. You can find out how at e.g. AllAboutCookies.org. If the cookies for our website are deactivated, then it is possible that some settings must be manually undertaken upon every visit to the website. It is also possible that you may no longer be able to use all functions of our website in full.

9 Web analysis by Matomo

9.1 Extent of the personal data processing

On our website, we use the open source software tool Matomo to analyse the surfing behaviour of our users. This software uses cookies (see above re. cookies), which are stored on your computer and allow us to analyse the use of the website so that we can optimise the website. If individual pages of our website are visited, then the following data is saved:

  • two bytes of the IP address of the user’s accessing system
  • the website visited
  • the website from which the user reached the visited website (referrer)
  • the subpages that can be visited from the visited website
  • time spent on the website
  • frequency in accessing the website.

In doing so, the software runs exclusively on the servers of our website. No personal data of the user is stored there. The data is not transferred to processors or third parties.

The user’s data that is collected in this way is pseudonymised using technical measures. The software is set up so that the IP address is not stored in full and the last two bytes of the IP address are deleted (e.g. 192.168.xxx.xxx). In this way, it is no longer possible to reference the accessing computer by using the shortened IP address. The data is not stored together with other personal data of the user.

9.2 Legal basis for processing personal data

The legal basis for processing personal data is art. 6, para. 1, lit. f GDPR. The processing is necessary for the purposes of the legitimate interests of the German Institute of Urban Affairs. It arises from the purpose of the data processing:

9.3 Purpose of the data processing

The analysis cookies are used for the purpose of improving the quality of our website and its content, in order to make visiting our website attractive and to allow the use of certain functions. It requires the analysis of the surfing behaviour of our users as a whole. Thanks to the evaluation of the data obtained we are able to compile information about the use of the individual components of our website. It helps us to constantly improve our website and its user friendliness. A legitimate interest in processing the data as per art. 6, para. 1, lit. f GDPR can also be found in these purposes. Through the anonymisation of the IP address, the user’s interest in the protection of their personal data is adequately taken into account.

9.4 Period of storage

The data is deleted at the latest 24 hours after anonymisation. The anonymisation takes place immediately after the data has been recorded. The thus anonymised data is permanently stored in such a way that it does not allow any reference towards any person.

9.5 Option to object and remedy

Cookies are stored on the user’s computer and are transferred from it to our website. Therefore, you as the user also have full control over the use of cookies. By changing the settings on your internet browser you can deactivate or limit the transfer of cookies. Already saved cookies can be deleted at any time. It can also be done automatically. If cookies have been deactivated for our website, it is possible that all functions of the website are unable to be used in full.

We offer the users of our website the opportunity to opt-out of the analysis procedure. If you do not consent to the storage and analysis of this data from your visit, then you can object to this storage and usage by a click of your mouse below. In this case, an opt-out cookie will be stored on your browser, which means that Piwik will not collect any session data. Please note: when you delete all your cookies, it means that the opt-out cookie is also deleted and if applicable must be reactivated by you. You can find more information about the privacy settings of the Matomo software through the following link: https://matomo.org/docs/privacy/.

Objection

10 Rights of the data subject

If your personal data is processed, then you are a data subject in accordance with GDPR and you are entitled to the following rights over the controller:

10.1 Right of access

You have the right to obtain from the controller confirmation as to whether or not your personal data is being processed by us.

If such processing is taking place, you have the right to obtain from the controller access to the following information:

(1) the purposes for which the personal data is being processed;

(2) the categories of personal data concerned;

(3) the recipients or categories of recipient to whom your personal data has been or will be disclosed;

(4) the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;

(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;

(6) the right to lodge a complaint with a supervisory authority;

(7) where the personal data has not been collected from the data subject, any available information as to its source;

(8) the existence of automated decision-making, including profiling, referred to in art. 22, paras. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to be informed if your personal data is transferred to a third country or to an international organisation. In this regard, you have the right to be informed of the appropriate safeguards pursuant to art. 46 GDPR relating to the transfer.

This right to access may be limited insofar as it is likely to make the achievement of the research or statistical purpose impossible or would seriously impair it, and the limitation is necessary for the fulfilment of the research or statistical purposes.

10.2 Right to rectification

You have the right to obtain from the controller the rectification and/or completion of your personal data that is incomplete or inaccurate. The controller must undertake this rectification immediately. Your right to rectification may be limited insofar as it is likely to make the achievement of the research or statistical purpose impossible or would seriously impair it, and the limitation is necessary for the fulfilment of the research or statistical purposes.

10.3 Right to restriction of processing

Where one of the following applies you have the right to obtain from the controller restriction of processing:

(1) if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

(3) the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims, or

(4) if you have objected to processing pursuant to art. 21, para. 1 GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of an EU member state.

If the restriction of processing pursuant to the above conditions has been obtained, you shall be informed by the controller before the restriction of processing is lifted.

Your right to the restriction of processing may be limited insofar as it is likely to make the achievement of the research or statistical purpose impossible or would seriously impair it, and the limitation is necessary for the fulfilment of the research or statistical purposes.

10.4 Right to erasure

10.4.1 Obligation to erase

You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller shall have the obligation to erase this data without undue delay where one of the following grounds applies:

(1) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed,

(2) you withdraw your consent on which the processing is based according to art. 6, para. 1, lit. a, or art. 9, para. 2, lit. a GDPR, and where there is no other legal ground for the processing,

(3) you object to the processing pursuant to art. 21, para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to art. 21, para. 2 GDPR,

(4) your personal data has been unlawfully processed,

(5) your personal data has to be erased for compliance with a legal obligation under European Union or a member state law to which the controller is subject,

(6) your personal data has been collected in relation to the offer of information society services referred to in art. 8, para. 1 GDPR.

10.4.2 Information to third parties

Where the controller has made your personal data public and is obliged pursuant to art. 17, para. 1 GDPR to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing your personal data that you have requested that they erase any links to, or copy or replication of your personal data.

10.4.3 Exceptions

The right to erasure does not exist if the processing is necessary

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing under European Union or EU member state law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with art. 9, para. 2, lit. h and i GDPR as well as art. 9, para. 3 GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89, para. 1 GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5) for the establishment, exercise or defence of legal claims.

10.5 Right to be informed

If you asserted your right to rectification, erasure, or restriction of the data processing to the controller, then the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the controller of these recipients.

10.6 Right to data portability

You have the right to receive your personal data, which you have provided to a controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data was provided, where:

(1) the processing is based on consent pursuant to art. 6, para. 1, lit. a GDPR or art. 9, para. 2, lit. a GDPR or on an agreement pursuant to art. 6, para. 1, lit. b GDPR, and

(2) the processing is carried out by automated means.

In exercising this right, you further have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be harmed in this regard.

The right of data portability does not apply to processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

10.7 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on art. 6, para. 1, lit. e or f GDPR, including profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means where technical specifications are used.

Where personal data is processed for academic or historical research purposes or statistical purposes pursuant to art. 89, para. 1, GDPR, on grounds relating to your particular situation, you also have the right to object to processing of your personal data.

Your right to the restriction of processing may be limited insofar as it is likely to make the achievement of the research or statistical purpose impossible or would seriously impair it, and the limitation is necessary for the fulfilment of the research or statistical purposes.

10.8 Right to withdraw the consent according to data protection legislation

You have the right to withdraw your consent according to data protection legislation at any time. The legality of the processing that occurred on the basis of the consent until its withdrawal is not affected by withdrawing the consent.

10.9 Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for entering into, or performance of, an agreement between you and the data controller,

(2) is authorised by European Union or EU member state law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or

(3) is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in art. 9, para. 1 GDPR, unless art. 9, para. 2, lit. a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain a human intervention on the part of the controller, to express your own point of view and to contest the decision.

10.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.

11 Changes to the data protection declaration

Since changes to legislation or changes in our internal processes may make the adaptation of this data protection declaration necessary, we request that you regularly read through the data protection declaration.

As of: January 2020