
Data protection information

Scope: This policy applies to all information collected or submitted on HK Audio’s website and our apps for iOS, Android, macOS and Windows, and any other devices and platforms.

  • hkaudio.com
  • haendlerportal.hkaudio.com
  • servicehkaudio.com
  • Facebook company page
  • Instagram company page
  • App: LUCAS NANO REMOTE (iOS/iPad only)
  • App: MOVE 8 REMOTE (iOS & Android)
  • App: SONAR REMOTE (iOS & Android)

I. Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States of the EU as well as other data protection provisions is:

Music & Sales Professional Equipment GmbH
Tritschlerstr. 3
66606 St. Wendel, Germany
Tel: +49 6851 905 0
Email: info@musicandsales.com

II. Contact details of the data protection officer

You can contact the data protection officer of the data controller by email at: privacy@musicandsales.com

III. General information about data processing

We only process personal data of our users to the extent necessary to offer a working website and our content and services.

IV. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the browser or by the browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.

Here, we first use technically necessary cookies to make the website more user-friendly and more appealing to users. We use cookies to store and transmit the following data:

  • Language settings
  • Products in a shopping cart or on a wish list
  • Login details

In addition, we use technically unnecessary cookies, which allow us to analyse the browsing behaviour of the user. These are limited to the cookies of the website analysis tool Google Analytics. For more information about technically unnecessary cookies from Google Analytics, please refer to the chapter on “Website analysis using Google Analytics” in this privacy policy.

2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Article 6 (1) (f) GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to facilitate the use of the website for the user. We would not be able to offer some functions and features of our website without the use of cookies. Cookies also help to recognise your browser again after you visit a different website.

4. Duration of storage, available remedies

Technically necessary cookies may be set from the beginning, i.e. also without the prior consent of the user. In this context, the user does not have the option to object.

V. Newsletter

1. Description and scope of data processing

On our website, we offer users the option to subscribe to a free newsletter, which contains promotional information, for example, about our company, products and brands. When users subscribe to our newsletter, the data is entered into an input mask and transmitted to us. We send this newsletter only after the users have subscribed by filling in the relevant form. Once the user has been added to the newsletter list, they will have to click on a link sent to them by email to reconfirm their email address (“double opt-in”). To demonstrate that we have followed this subscription process in accordance with legal requirements, we will collect the following data:

  • Name
  • Email address
  • IP address
  • Date and time of subscription
  • Date of confirmation of the confirmation email

We use so-called newsletter tracking to determine how often a newsletter has been opened, and what links are clicked on and how frequently. We receive the following data:

  • Browser type and version used
  • Operating system
  • IP address
  • Information as to whether you opened the newsletter
  • Date and time when you opened the newsletter
  • Information about the links you clicked on

We use the CRM tool Pipedrive from Pipedrive OÜ, a limited liability company under Estonian law (EU) with the address Paldiski mnt 80, Tallinn, 10617, Estonia, registered in the Estonian Commercial Register under the code 11958539, to send the newsletter and for the newsletter tracking described.

2. Legal basis for data processing

The legal basis for the use of your subscription data and the sending of the newsletter is the consent of the data subject in accordance with Article 6 (1) (a) GDPR.

The legal basis for the use of Pipedrive OÜ as a service provider for the dispatch of the newsletter as well as the use of newsletter tracking is Article 6 (1) (f) GDPR, as both are based on our legitimate interests. Our interest is to provide the user with a newsletter system that is secure, simple, and reflects the users’ interests and can be further optimised on this basis. In this way, we can meet the information needs of the user and serve our own interests at the same time.

We contract out the newsletter sending and tracking under a data processing agreement within the meaning of GDPR, and we therefore remain responsible for user data.

3. Purpose of data processing

The email addresses of users are used to deliver a newsletter.

We record login data to demonstrate that we have followed the subscription process in accordance with legal requirements.

The purpose of statistical analysis and newsletter tracking analysis is to adapt the content of a newsletter to the reading habits of users and to make it more interesting for them.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. Accordingly, the email address of the user will only be stored as long as the subscription to the newsletter is active.

The other personal data collected will typically be erased after a period of seven days.

5. Available remedies

The user has the right to unsubscribe from the newsletter at any time by clicking on the unsubscribe link provided in every newsletter. This also has the effect of withdrawing the consent to the storage and use of other personal data collected.

It is not possible to cancel the newsletter subscription separately from the statistical analysis.

VI. CRM

Additional information on the storage of customer data in Pipedrive

1. Description and scope of data processing

We use the CRM system Pipedrive from Pipedrive OÜ, a limited liability company under Estonian law (EU) with the address Paldiski mnt 80, Tallinn, 10617, Estonia, registered in the Estonian Commercial Register under the code 11958539, to manage customer enquiries, contact forms, send the newsletter and organise sales processes.

The data provided in the contact forms (e.g. name, email address, message) and the data collected for the newsletter (e.g. email address and optional name) is processed and stored in Pipedrive. The storage is carried out exclusively on the basis of a legitimate interest in the efficient processing of user requests and the provision of a user-friendly CRM system.

The following data may be processed in the context of using Pipedrive:

  • Contact and communication data (e.g. name, email address, telephone number, postal address)
  • Content of enquiries, messages or notes
  • Newsletter subscriptions and interactions (e.g. opening and click rates)
  • Date and time of contact
  • Technical information (e.g. IP address, device data)

See also Section “V. Newsletter” and Section “VII. Contact form and email address”.

2. Legal basis for data processing

The processing of customer data in Pipedrive is based on the following legal bases:

  • Article 6 (1) (b) GDPR: Fulfilment of contractual or pre-contractual measures, e.g. as part of the processing of customer enquiries.
  • Article 6 (1) (a) GDPR: User consent, e.g. when registering for the newsletter or forwarding to international sales partners.
  • Article 6 (1) (f) GDPR: A legitimate interest in the efficient processing of requests and the use of a centralised CRM system to optimise customer communication.

See also Section “V. Newsletter” and Section “VII. Contact form and email address”.

3. Purpose of data processing

The storage and processing of customer data in Pipedrive serves the following purposes:

  • Managing and processing contact requests, e.g. via the contact form.
  • Organisation and optimisation of internal sales processes
  • Sending the newsletter and conducting statistical analyses to improve the content
  • Traceability and documentation of interactions with users

4. Data transmission and order processing

The use of Pipedrive is governed by a data processing agreement in accordance with Article 28 GDPR. Pipedrive processes the data exclusively on our behalf and on the basis of European data protection regulations.

5. Duration of storage

The customer data stored in Pipedrive will be erased as soon as it is no longer required for the purpose of its processing or the user objects to the processing, provided that there are no statutory retention requirements.

  • Data from the newsletter subscription will be deleted when the subscription is cancelled.
  • Enquiry data from the contact form or by email will be deleted after the enquiry has been fully processed, unless longer storage is required due to contractual or legal obligations.

6. Options for objection and cancellation

Users have the right to object to the processing of their data in Pipedrive or to revoke their consent at any time. A corresponding message to us is sufficient, e.g. by email to the address given in the privacy policy.

VII. Contact form and email address

1. Description and scope of data processing

We provide contact forms on our website, which can be used to contact us online. Where users take advantage of this option, the data they enter into the form will be transmitted to us and stored. These data include:

Mandatory:

  • Department of the recipient
  • Subject
  • Email address
  • Country of origin
  • Message

Optional:

  • Surname, first name
  • Telephone number
  • Street, postcode, place of residence

At the time of sending the message, the following data is also stored:

  • IP address of the user
  • Date and time of contact

To process the data, we obtain the consent from the user as part of the sending process and we refer the user to this privacy policy.

Alternatively, you can use the email address provided to contact us. In this case, the user’s personal data transmitted by email will be stored.

The contact request will either be handled by us, as the data controller, or where it may serve the interests of the user better, by the international sales office for our brand which is responsible for the domicile of the user. In this case, we will forward the enquiry to the relevant international sales office. The international sales offices are legally independent of us. International sales offices will only use the data of the user to process the contact request and not for advertising purposes or pass it on to third parties without the consent of the user.

We use the CRM tool Pipedrive from Pipedrive OÜ, with the address Paldiski mnt 80, Tallinn, 10617, Estonia, registered in the Estonian Commercial Register under the code 11958539, to process and store the above data.

2. Legal basis for data processing

The legal basis for the processing of data transmitted when sending an email arises from the request of the data subject and, if applicable, from the relationship between the data subject and the controller:

  • If the request is related to a contract or pre-contractual measures between the data subject and the controller(s), the legal basis is Article 6 (1) (b) GDPR.
  • When using the contact form, the user’s consent is otherwise given in accordance with Article 6 (1) (a) GDPR.
  • When making contact by email, the data controller otherwise has a legitimate interest in processing the request submitted by the data subject to their satisfaction. In this case, Article 6 (1) (f) GDPR is the legal basis.
  • Forwarding a request to one of our international sales organisations is based on the user’s consent. In this case, Article 6 (1) (a) GDPR is the legal basis.
  • We use the CRM system Pipedrive from Pipedrive OÜ on the basis of our legitimate interests in accordance with Article 6 (1) (b) GDPR (efficient and fast processing of user enquiries). Pipedrive OÜ is a limited liability company under Estonian law (EU) with the address Paldiski mnt 80, Tallinn, 10617, Estonia, registered in the Estonian Commercial Register under the code 11958539.

3. Purpose of data processing

We process the data entered into the contact form to efficiently and quickly process user enquiries. In the event of contact by email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. For personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation ends when the circumstances indicate that the matter in question has been definitely resolved.

The additional personal data collected during the sending process will be deleted at the latest after seven days.

5. Available remedies

Users are entitled to withdraw their consent to the processing of personal data at any time. Users can use email to contact us and object to the storage of their personal data. In this case, the parties will no longer be able to engage in further communications. In both cases, an informal notice of withdrawal via the respective contact path will suffice. All personal data stored in the course of establishing contact will be deleted in this case, provided that there is no legal obligation or legitimate interest on the part of the data controller.

VIII. Website analysis using Google Analytics

1. Description and scope of data processing

This website uses Google Analytics, a website analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This facilitates the assignment of data, sessions and interactions across several devices to a pseudonymous user ID and thus the analysis of a user’s activities across devices.

To do this, Google Analytics uses cookies, which are small text files stored on your computer that facilitate the analysis of the way users use the website. The information generated by the cookie about the use of the website will typically be transmitted to and stored by Google on servers in the US.

By using IP anonymisation on this website, the IP address of the user will be truncated and, therefore, anonymised within Member States of the European Union or other parties to the Agreement over the European Economic Area. Only in exceptional cases will the full IP address be transmitted to Google servers in the United States and truncated there.

Google will not associate the IP address of the user transmitted by Google Analytics with any other data held by Google.

Google will use this information on behalf of the data controller of this website for the purpose of evaluating the use of the website, compiling reports on website activity for website operators and providing them other services relating to website activity and internet use.

2. Legal basis for data processing

The legal basis for the use of Google Analytics is Article 6 (1) (f) of the General Data Protection Regulation (GDPR). The purposes of data processing under point 3 also reflect the legitimate interest of the data controller for the data processing.

3. Purpose of data processing

The technically unnecessary analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is used and enable us to constantly improve the content of our website. For this purpose, we analyse the use of the website and compile reports on website activities.

4. Duration of storage

The data linked to cookies, user identification (e.g. user IDs) or advertising IDs sent by the data controller will be automatically erased after 14 months. When data reaches the end of the retention period, it is deleted automatically on a monthly basis. For more information about terms of use and data protection, please visit https://support.google.com/analytics/answer/6004245?hl=en

5. Available remedies

Users can refuse the use of cookies by selecting the appropriate settings in their browsers. However, please note that if you do this you may not be able to use the full functionality of this website. Furthermore, users can prevent the collection of data generated by the cookie about the use of the website (including your IP address) and its processing by Google by downloading and installing the Google Analytics Opt-out Browser Add-on.

The opt-out cookies prevent future collection of user data when visiting this website. To prevent the collection of data across multiple devices, users have to opt out on all the systems they use. Click here to install the opt-out cookie.

IX. Warranty registration

1. Description and scope of data processing

We offer our customers a free manufacturer’s warranty on many of our products. To qualify, customers/users have to register the product on our website.

The collection of the following data is mandatory:

  • Purchase date
  • Product name and serial number
  • The name of the dealer from which the product was purchased, including location and country details
  • Surname, first name, street, postcode, place of residence, country of the customer
  • Email of the customer

In addition, the user can opt to provide the following information:

  • Purchase price
  • Contact details of the dealer (seller, telephone number, street, postcode)
  • Company/organisation of the customer

At the time of sending the message, the following data is also stored:

  • IP address of the user
  • Date and time of registration

To process the data, we obtain the consent from the user as part of the sending process and we refer the user to this privacy policy.

2. Legal basis for data processing

The legal basis for the processing of data transmitted by users when they enter into a guarantee agreement is Article 6 (1) (f) GDPR.

3. Purpose of data processing

The data transmitted by the user will be used by the data controller to meet its obligations under the guarantee agreement. This includes information to identify the product, information about the warrantee (i.e. the user), the dealer and about the date of registration.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. This is the case when the warranty agreement with the user has ended, i.e. after the end of the warranty period.

5. Available remedies

Users are entitled to withdraw their consent to the processing of personal data at any time. Users can object to the storage of their personal data informally by sending an email (privacy@musicandsales.com) or in writing to the data controller. In such a case, the data controller can no longer be bound by the guarantee agreement as it no longer has any information about the registered product or the warrantee. All personal data stored in connection with the guarantee agreement will be erased in this case.

X. YouTube

Our website uses YouTube plugins for the integration and display of video content. The video portal is provided by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When accessing a page with an integrated YouTube plugin, a connection to the YouTube servers is established. This enables YouTube to find out which of our pages you have accessed. YouTube can assign your surfing behaviour directly to your personal profile if you are logged into your YouTube account. You can prevent this by logging out beforehand. YouTube is used in the interest of providing an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Article 6 (1) (f) GDPR. For details on how user data is handled, please refer to YouTube’s Privacy Policy at: https://policies.google.com/privacy.

XI. Facebook

1. Data controllers

We, Music & Sales Professional Equipment GmbH, Tritschlerstraße 3, 66606 St. Wendel, Germany, use the online platform Facebook and the services of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereafter referred to as “Meta”) for our Facebook fan page. We are jointly responsible with Meta for the processing of your personal data in this context within the meaning of Article 26 of the General Data Protection Regulation (GDPR).

We have no influence over the way in which Meta uses the data from visits to Facebook pages for its own purposes, the extent to which activities on the Facebook page are assigned to individual users, how long Meta stores this data and whether data from visits to the Facebook page is passed on to third parties. Information about how Meta processes your personal data can be found in Facebook’s Privacy Policy at http://facebook.com/about/privacy.

2. Purpose of and legal basis for our processing of your personal data

We would like to enable users of our products and prospective customers to exchange information about our products in an up-to-date manner and also provide you with information about our products and our campaigns via this medium.

We can see the Facebook profiles of our fan page users, including the content shared by each user. We also have the option of accessing various statistical data in connection with the Facebook Insights service. As the operator of our fan page, we have no influence on the collection and processing of data by Meta. The statistics that are made available to us are already anonymised, which means that we do not receive any personal data about users in this context. We use user analyses and visitor statistics to better tailor the information we provide to the users of our fan page.

The legal basis for the processing of your data by us is therefore our legitimate interest in accordance with Article 6 (1) (f) GDPR.

3. Your rights

According to Article 15 GDPR, you have the right to obtain information about the processing of your personal data. You are free to exercise your rights to rectification, erasure or, if legitimate interests on our part or, for example, statutory retention requirements prevent erasure, to restriction of processing and data portability under Articles 16, 17, 18, and 20 GDPR. In accordance with Article 21 (1) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation.

Only Meta itself has full access to your data. If you wish to request information about your stored data or exercise any of the above rights, we therefore recommend that you contact Meta directly. We will, of course, be happy to support you in this if required. If you require assistance with this or if you believe that we are not processing your personal data in compliance with data protection laws, please contact our data protection officer.

You can contact our data protection officer by email at privacy@musicandsales.com or at the following postal address: Music & Sales Professional Equipment GmbH, Data Protection Officer, Tritschlerstraße 3, 66606 St. Wendel, Germany.

If you no longer want us to process your data, you can avoid this in the future by cancelling your subscription to our fan page or by selecting the “Unlike” function.

You also have the right to lodge a complaint with the competent supervisory authority at any time.

XII. Instagram

1. Data controller

We, Music & Sales Professional Equipment GmbH, Tritschlerstraße 3, 66606 St. Wendel, Germany, use the online platform Instagram, provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereafter referred to as “Meta”), to operate our Instagram company page.

Meta processes personal data in connection with your use of the Instagram service. We have no influence over the way in which Meta uses the data from your use of Instagram for its own purposes, the extent to which activities on Instagram are assigned to individual users, how long Meta stores this data and whether data from visits to Instagram is passed on to third parties. Information about how Meta processes your personal data can be found in Instagram’s Privacy Policy at https://help.instagram.com/519522125107875.

2. Purpose of and legal basis for our processing of your personal data

If we “like”, share or comment on your content, it will also be made available to our followers.

We would like to enable users of our products and prospective customers to exchange information about our products in an up-to-date manner and also provide you with information about our products and our campaigns via this medium.

The legal basis for the processing of your data by us is our legitimate interest in accordance with Article 6 (1) (f) GDPR.

3. Your rights regarding our processing of your personal data

According to Article 15 GDPR, you have the right to obtain information from us about the processing of your personal data. You are free to exercise your rights to rectification, erasure or, if legitimate interests on our part or, for example, statutory retention requirements prevent erasure, to restriction of processing and data portability under Articles 16, 17, 18, and 20 GDPR. In accordance with Article 21 (1) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation.

Only Meta itself has full access to your data. If you wish to request information about your stored data or exercise any of the above rights, we therefore recommend that you contact Meta directly. We will, of course, be happy to support you in this if required. If you require assistance with this or if you believe that we are not processing your personal data in compliance with data protection laws, please contact our data protection officer.

You can contact our data protection officer by email at privacy@musicandsales.com or at the following postal address: Music & Sales Professional Equipment GmbH, Data Protection Officer, Tritschlerstraße 3, 66606 St. Wendel, Germany.

You also have the right to lodge a complaint with the competent supervisory authority at any time.

XIII. HK Audio Service Shop

1. Description and scope of data processing

We collect the following personal data when you place an order:

  • Surname, first name
  • Country
  • Street
  • Postcode
  • Town/city
  • Telephone number
  • Email address

Your email address will be collected on a mandatory basis as part of your registration in the Service Shop. You can choose to provide the other data mentioned above before placing an order.

You also have the option to provide information on:

  • Flat/building
  • Company name
  • EU VAT identification number
  • Different delivery address (surname, first name, company name, country, street, flat/building, postcode, town/city)
  • Order note

In addition, we may process the following data, depending on the method of payment (invoice, bank transfer):

  • Bank details (IBAN, BIC)

For information on the use of cookies, please see Section IV.

2. Legal basis for data processing

The legal basis for the processing of data transmitted by you when initiating or entering into a contract is Article 6 (1) (b) GDPR.

When you place an order, there are also statutory retention and proof obligations; in this respect, Article 6 (1) (c) GDPR is the legal basis.

If you have given us your consent to pass on your email address to the shipping service provider, the legal basis for this is Article 6 (1) (a) GDPR.

Where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis will be Article 6 (1) (f) GDPR.

3. Purpose of data processing

The data you provide is used to fulfil the contract in the context of the Service Shop, including identifying you as a contractual partner, your form of address, registration confirmation, order confirmation, invoicing/payment, dispatch and delivery, warranty and, if necessary, contacting you, e.g. for queries.

4. Recipients or categories of recipients of the personal data

Shipping: In this context, we pass on your data exclusively for the stated purpose and to the extent necessary (first name, surname and delivery address) to the respective shipping service provider.

We will only pass on your email address to the shipping service provider if you have given your consent and only for the purpose of notifying you of the time of delivery / for shipment tracking.

Payment via PayPal: If you choose to pay via PayPal, we will forward your payment data to PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg for the purposes of payment processing. The data will only be passed on to the extent necessary for payment processing, namely your email address and the respective purchase amount. For further information, please refer to PayPal’s Privacy Statement: https://www.paypal.com/uk/legalhub/paypal/privacy-full.

5. Duration of storage

Your data will be erased as soon as it is no longer required for the purpose of its processing and no warranty periods and statutory retention periods (e.g. retention and verification periods under commercial and tax law) conflict with this.

6. Available remedies

You have the option to object to the processing of your personal data based on Article 6 (1) (b), (c), (f) GDPR at any time with future effect. You can object to the processing of your personal data by email (privacy@musicandsales.com) or informally in writing to the controller.

XIV. Software and Apps

HK Audio apps collect aggregate, anonymous statistics, such as crash reports and the percentage of users who use particular features, to improve the app. Some HK Audio apps allow the creation of user images for channel individualisation. These images are not shared with HK Audio.

XV. Rights of the data subject

1. Right to information

The user has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

Where that is the case, the user may request the following information from the data controller:

  1. The purposes of the processing of personal data;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed;
  4. The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the user or to object to such processing;
  6. The right to lodge a complaint with a supervisory authority;
  7. Where the personal data are not collected from the data subject, any available information as to their source;
  8. The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The user has the right to request information as to whether the personal data concerning him/her are transferred to a third country or to an international organisation. In this regard, the user has the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

The user has the right to have inaccurate or incomplete personal data rectified and/or completed by the controller without undue delay.

3. Right to restriction of processing

The user has the right to obtain from the controller restriction of processing of personal data where one of the following applies:

  1. the accuracy of the personal data is contested by the user, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the user opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defence of legal claims, or
  4. the user has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the user.

Where processing of the user’s personal data has been restricted, such personal data shall, with the exception of storage, only be processed with the user’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing has been restricted under the above conditions, the user shall be notified by the controller before the restriction is lifted.

4. Right to erasure

The user has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase this data without undue delay where one of the following grounds applies:

  1. The personal data concerning the user are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. The user withdraws consent on which the processing is based according to Article 6 (1) (a), or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing.
  3. The user objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the user objects to the processing pursuant to Article 21 (2) GDPR.
  4. The personal data concerning the user have been unlawfully processed.
  5. The personal data concerning the user have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data concerning the user have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

Where the controller has made the personal data public and is obliged pursuant to Article 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the user has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure does not apply to the extent that processing is necessary

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.

5. Right to receive notifications

If the user has exercised his or her rights with respect to rectification or erasure of personal data or restriction of processing, the controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

The user is entitled to receive information about those recipients from the controller.

6. Right to data portability

The user has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format. The user also has the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, as long as

  1. the processing is based on consent pursuant to Article 6 (1) (a), or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR, and
  2. the processing is carried out by automated means.

In exercising this right, the user also has the right to have the personal data transmitted directly from one controller to another, where technically feasible. These rights shall not adversely affect the rights and freedoms of others. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

The user has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data of the user unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the user or for the establishment, exercise or defence of legal claims.

Where personal data concerning the user are processed for direct marketing purposes, the user will have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the user objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the user may exercise his or her right to object by automated means using technical specifications.

8. Right to withdraw consent to data processing

The user has the right to withdraw his or her consent to data processing at any time. The withdrawal of consent will not affect the lawfulness of the processing based on consent before the withdrawal.

9. Automated individual decision-making, including profiling

The user has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision

  1. is necessary for entering into, or performance of, a contract between the user and the data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the user’s rights and freedoms and legitimate interests; or
  3. is based on the user’s explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9 (1) GDPR, unless Article 9 (2) (a) or (g) GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the user’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the user has the right to lodge a complaint with a supervisory authority, in particular, in the Member State of the user’s habitual residence, place of work or place of the alleged infringement if the user considers that the processing of personal data relating to him or her infringes GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.