Privacy Policy

As of March 2026

General

The protection of your privacy is extremely important to us.

With the following data protection information, we inform you how we handle your personal data (hereinafter referred to as "data"). In particular, we would like to inform you about the nature, scope and purposes of the processing of your data.

As part of the use of our website, we collect and store — subject to your consent — your IP address in encrypted form, as well as information about user behaviour (such as downloading the submission form, opening the order confirmation email and clicking links within our communications). This data is processed in accordance with Art. 6 para. 1 lit. a and f GDPR, as it serves to safeguard our legitimate interests in quality assurance, the improvement of our services and the fulfilment of legal evidence obligations. Storage is carried out exclusively for the stated purposes and using appropriate encryption and security mechanisms in order to guarantee the integrity and confidentiality of your data.

The processing of this data is based on your informed consent pursuant to Art. 7 GDPR, which you provide by accepting the cookie terms. By tracking your usage data, we are able to maintain the legally required evidence of the performance of our contractual service offering and we optimise our services on the basis of the anonymised analysis of website usage.

We undertake to process your data with the utmost care and security and guarantee compliance with Art. 5 et seq. GDPR.

As a general rule, we do not retain or process your personal data for longer than is necessary for the fulfilment of our contractual and consumer-law obligations.
Our offers are not directed at persons under 18 years of age. Consent to the processing of personal data may only be given by persons with parental responsibility.


I. Name and address of the controller

The controller within the meaning of the GDPR for the processing of personal data in the context of the web presence "www.medicross.com" and of the examination orders is:

DAN Group GmbH

Herrengasse 30

9490 Vaduz

Liechtenstein

Tel.: +49 (0) 89 1250142 70

Email: info@medicross.com

II. Data processing

1. Scope of processing of personal data

As a matter of principle, we only process our users' personal data to the extent necessary to provide a functional website as well as our content and services. The processing of our users' personal data is, as a rule, only carried out with the user's consent. An exception applies in such cases where obtaining consent in advance is not possible for factual reasons and the processing of the data is permitted by legal provisions.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. In the case of processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre-contractual measures. To the extent that processing of personal data is necessary to comply with a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. In the event that vital interests of the data subject or of another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
In connection with the order for an individual nutrient formula, personal data — including test result and analysis values, which may constitute health-related data within the meaning of Art. 9 GDPR — may be transferred to a manufacturer of individual nutrient formulations (e.g. Madana GmbH or partner pharmacy). The transfer is carried out exclusively on the basis of explicit consent pursuant to Art. 9 para. 2 lit. a GDPR in conjunction with Art. 6 para. 1 lit. a GDPR.

3. Data erasure and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for continued storage of the data for the conclusion of a contract or for the performance of a contract.

4. Collected data and processing purposes

When you visit our website, we collect and store various types of data. Some of this data is necessary to guarantee the basic functions of the website, while others are used to analyse usage behaviour or for marketing purposes, provided you have consented to this.


III. Examination order

Within the scope of the examination order, we process your health data in accordance with Art. 9 para. 2 a) GDPR.
If, following the examination, the user expressly requests the production of an individual nutrient formula, we will transfer the personal data required for this purpose — including test result and analysis values, which may constitute health-related data within the meaning of Art. 9 GDPR — to the respective manufacturing company (e.g. Madana GmbH or partner pharmacy).

The transfer is carried out exclusively for the purpose of individual formulation, manufacturing and delivery.
The legal basis is the explicit consent pursuant to Art. 9 para. 2 lit. a GDPR in conjunction with Art. 6 para. 1 lit. a GDPR. Without this consent, individual manufacturing is not possible.
The consent may be withdrawn at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out up to the time of withdrawal.

The respective manufacturing company processes the transferred data under its own data protection responsibility.


IV. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. The following data is collected in this context:

(1) Information about the browser type and the version used

(2) The user's operating system

(3) The user's internet service provider

(4) The user's IP address

(5) Date and time of access

(6) Websites from which the user's system arrives at our website

(7) Websites accessed by the user's system via our website

The data is also stored in our system's log files. This data is not stored together with other personal data of the user.
This data helps us to guarantee the security and technical functionality of the website. We record activities such as the download of the submission form, the opening of the order confirmation email and the clicking of links in our communications. This information is used for quality assurance, for the improvement of our services and for the fulfilment of legal evidence obligations pursuant to Art. 6 para. 1 lit. a and f GDPR.

2. Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

Storage in log files is carried out to guarantee the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. In the case of collection of data for the provision of the website, this is the case when the respective session has ended.

In the case of the storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the users' IP addresses are erased or anonymised, so that assignment of the calling client is no longer possible.

5. Options for objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no option for the user to object.


V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. Cookies are used in encrypted form and under the highest security standards to guarantee the integrity and confidentiality of the data collected.
Medicross.com uses cookies to analyse the use of the website and to improve the user experience. By accepting the cookie terms, you consent to the processing of this data on the basis of Art. 7 GDPR.

The following cookie categories are used:

(1) Strictly necessary cookies: These cookies are required for the functionality of the website and enable basic security functions.

(2) Performance cookies: These cookies collect information about the use of the website in order to analyse website performance and improve the user experience.

(3) Targeting and advertising cookies: These cookies are used to display personalised advertising and to measure the effectiveness of advertising campaigns.

(4) Functional cookies: These cookies store user preferences, such as preferred language or currency, and improve usability.

(5) Unclassified cookies: These cookies currently have no defined category and are used for specific, unspecified purposes.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change. The following data is stored and transmitted in the cookies:

(1) Language settings

(2) Items in a shopping cart

(3) Log-in information

We also use cookies on our website that allow an analysis of the users' surfing behaviour. In this way, the following data may be transmitted:

(1) Entered search terms

(2) Frequency of page views

(3) Use of website functions

When our website is accessed, the user is informed about the use of cookies for analysis purposes and his/her consent to the processing of the personal data used in this context is obtained. In this context, reference is also made to this data protection declaration.

2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR. The legal basis for the processing of personal data using cookies for analysis purposes, subject to the user's relevant consent, is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. We require cookies for the following applications:

(1) Shopping cart

(2) Retention of language settings

(3) Remembering search terms

The user data collected via technically necessary cookies is not used to create user profiles.

The use of analysis cookies serves the purpose of improving the quality of our website and its content. Through analysis cookies we learn how the website is used and can therefore continuously optimise our offering.

Analysis cookies serve the statistical evaluation of the use of our website, the improvement of user-friendliness and the optimisation of our content and offerings.

Processing is carried out exclusively in pseudonymised form and not for the purpose of personally identifying the user.

These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage, options for objection and removal

Cookies are stored on the user's computer and transmitted from there to our site. Therefore, as a user you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.


VI. Our online presence

Our presence on social networks and platforms serves the purpose of better, more active communication with our customers and prospective customers. There we provide information about our products and ongoing special offers. We have profiles on Facebook, Instagram, Pinterest and TikTok.

1. Description and scope of data processing

When you visit our online presences on social media, your data may be automatically collected and stored for market research and advertising purposes. So-called usage profiles are created from this data using pseudonyms. These can be used, for example, to display advertisements within and outside the platforms that presumably correspond to your interests. Cookies are normally used on your end device for this purpose. These cookies store visitor behaviour and user interests. This serves, in accordance with Art. 6 para. 1 lit. f GDPR, to safeguard our legitimate interests — which prevail in a balancing of interests — in an optimised presentation of our offering and effective communication with customers and prospective customers.

Insofar as providers of social networks are based in the USA, data transfer takes place on the basis of the standard contractual clauses approved by the European Commission pursuant to Art. 46 GDPR or other appropriate safeguards within the meaning of the GDPR.

For detailed information on the processing and use of data by the providers on their sites, as well as a contact option and your rights and setting options to protect your privacy, in particular objection options (opt-out), please refer to the providers' privacy policies. Should you nevertheless require assistance in this regard, you may contact us.

2. Legal basis for data processing

Insofar as we process personal data jointly with providers of social networks, this takes place within the framework of joint responsibility pursuant to Art. 26 GDPR, provided and to the extent that such joint responsibility is provided for by the respective platform provider. In all other respects, data processing is carried out under the sole responsibility of the respective platform operator.

If the respective social media platform operators request your consent (agreement) to data processing, e.g. by means of a checkbox, the legal basis for the data processing is Art. 6 para. 1 lit. a GDPR. Further information on data processing in the context of visiting one of our online presences as well as options for objection can be found on their website.

3. Facebook plug-in

Plugins from the social network Facebook, provided by Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, are integrated into our pages. You can recognise the Facebook plugins by the Facebook logo or the "Like" button on our site. An overview of the Facebook plugins can be found here: https://developers.facebook.com/docs/plugins/.

When you visit our pages, a direct connection is established between your browser and the Facebook server via the plugin. Facebook thereby receives the information that you have visited our site with your IP address. If you click on the Facebook "Like" button while you are logged into your Facebook account, you can link the content of our pages to your Facebook profile. This allows Facebook to associate the visit to our pages with your user account. We point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Facebook. You can find further information on this in Facebook's data protection declaration at: https://de-de.facebook.com/policy.php.

If you do not want Facebook to associate the visit to our pages with your Facebook user account, please log out of your Facebook user account.

4. Instagram plug-in

Functions of the Instagram service are integrated into our pages. These functions are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking the Instagram button. This allows Instagram to associate the visit to our pages with your user account.

We point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Instagram. You can find further information on this in the Instagram data protection declaration: https://instagram.com/about/legal/privacy/.


VII. Newsletter

1. Description and scope of data processing

On our website, there is the possibility of subscribing to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us. This concerns the user's email address.


In addition, the following data is collected during registration:

(1) IP address of the calling computer

(2) Date and time of registration

For the processing of your data, your consent is obtained in the course of the registration process and reference is made to this data protection declaration.

In connection with the data processing for the sending of newsletters, there is no transfer of the data to third parties. The data is used exclusively for sending the newsletter.

2. Legal basis for data processing

The legal basis for the processing of data following registration for the newsletter by the user, where there is consent from the user, is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

The collection of other personal data as part of the registration process serves to prevent misuse of the services or of the email address used.

4. Duration of storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. The user's email address is therefore stored for as long as the newsletter subscription is active.

5. Options for objection and removal

The subscription to the newsletter can be cancelled at any time by the user concerned. For this purpose, a corresponding link can be found in every newsletter.

This also enables a withdrawal of consent to the storage of the personal data collected during the registration process.

VIII. Contact form, email contact, reviews, questionnaire and evaluations

1. Description and scope of data processing

A contact form is available on our website, which can be used for electronic contact. If a user takes advantage of this possibility, the data entered in the input mask is transmitted to us and stored. This data is:

(1) The user's IP address

(2) Date and time of registration

At the time the message is sent, the following data is also stored:

(1) The user's IP address

(2) Date and time of registration

For the processing of the data, your consent is obtained in the course of the sending process and reference is made to this data protection declaration.

Alternatively, contact is possible via the email address provided. In this case, the user's personal data transmitted with the email is stored.

In this context, there is no transfer of the data to third parties. The data is used exclusively for the processing of the conversation.

2. Legal basis for data processing

The legal basis for the processing of the data, where there is consent from the user, is Art. 6 para. 1 lit. a GDPR. The legal basis for the processing of data that is transmitted in the course of sending an email is Art. 6 para. 1 lit. f GDPR. If the email contact is aimed at the conclusion of a contract, an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

The processing of the personal data from the input mask serves us solely for handling the contact. In the case of contact by email, this also constitutes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to guarantee the security of our information technology systems. If the user expressly requests the production of an individual nutrient formulation, the processing of individual questionnaire or evaluation data may also serve to prepare a corresponding transfer of data to a manufacturer.

4. Duration of storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those transmitted by email, this is the case when the respective conversation with the user has ended. The conversation has ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

The additional personal data collected during the sending process are erased after a period of seven days at the latest.

Both the data collected in the questionnaire and the evaluation data of the results are erased after 18 months (1½ years).

5. Options for objection and removal

The user has the option to withdraw his/her consent to the processing of the personal data at any time. If the user contacts us by email, he/she can object to the storage of his/her personal data at any time. In such a case, the conversation cannot be continued.

You can withdraw consent, e.g. by email to info@medicross-labs.com or also by post to the address indicated under 7. d).

All personal data stored in the course of contact will be erased in this case.


IX. Payment providers

1. PayPal

On our website we offer, among other things, payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").

If you select payment via PayPal, the payment data you enter is transmitted to PayPal. The transmission of your data to PayPal is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). You have the option to withdraw your consent to data processing at any time. A withdrawal has no effect on the validity of data processing operations that took place in the past.

2. Sofortüberweisung (SOFORT bank transfer)

On our website we offer, among other things, payment by "Sofortüberweisung". The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter "Sofort GmbH").

With the "Sofortüberweisung" procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to fulfil our obligations. If you have opted for the "Sofortüberweisung" payment method, you transmit the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. Sofort GmbH automatically checks your account balance after logging in and carries out the transfer to us using the TAN you have transmitted. It then immediately sends us a transaction confirmation. After logging in, your turnover, the credit limit of the overdraft facility and the existence of other accounts and their balances are also automatically checked.

In addition to the PIN and the TAN, the payment data entered by you as well as data about your person are also transmitted to Sofort GmbH. The data about your person consists of first and last name, address, telephone number, email address, IP address and, if applicable, further data required for payment processing. The transmission of this data is necessary to establish your identity beyond doubt and to prevent fraud attempts. The transmission of your data to Sofort GmbH is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). You have the option to withdraw your consent to data processing at any time. A withdrawal has no effect on the validity of data processing operations that took place in the past.

For details on payment with Sofortüberweisung, please refer to the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.

3. Stripe/credit card

On our website we offer, among other things, payment via Stripe, which is used to process orders as a means of payment for credit cards.
The provider of this payment service is Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (hereinafter referred to only as "Stripe").
If payment is made on our website via Stripe, the payment data is transmitted to Stripe and processed there. If you choose payment via Stripe, the payment data you enter is transmitted to Stripe. The transmission of your data to Stripe is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). You may withdraw your consent to the processing of your data at any time. A withdrawal has no effect on the lawfulness of the data processing carried out until then. Stripe processes personal data such as name, address, email address and payment information in order to process the transaction and prevent fraud attempts. For further information on the processing of your data by Stripe and on the security measures, please refer to Stripe's privacy policy at
https://stripe.com/privacy.


X. Analysis tools

1. Google Analytics

For the purpose of needs-based design and continuous optimisation of our pages, we use Google Analytics, a web analytics service of Google Inc. (https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). In this context, pseudonymised usage profiles are created and cookies (see under section IV) are used. The information about your use of this website generated by the cookie, such as

(1) browser type/version,
(2) operating system used,
(3) referrer URL (the previously visited page),
(4) hostname of the accessing computer (IP address),
(5) time of the server request,

are transmitted to a Google server and stored there. The information is used to evaluate the use of the website, to compile reports on website activities and to provide further services related to website use and internet use for the purposes of market research and the needs-based design of these internet pages. This information will also be transferred to third parties if required, insofar as this is required by law or insofar as third parties process this data on our behalf. Under no circumstances will your IP address be merged with other Google data. IP addresses are anonymised so that assignment is not possible (IP masking). You can prevent the installation of cookies by adjusting the settings of your browser software; however, we would like to point out that in this case you may not be able to make full use of all functions of this website. You can also prevent the collection of the data generated by the cookie and related to your use of the website (incl. your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de).
It is therefore up to you whether personal data is collected via the cookie set by Google.
Google conversion tracking records how effectively ad clicks lead to usable activities on the website.
Insofar as personal data is transferred to third countries in the context of the use of analysis and tracking tools, this is done exclusively in compliance with the requirements of Art. 44 et seq. GDPR, in particular on the basis of standard contractual clauses or comparable appropriate safeguards.

2. Google Fonts

The script code "Google Fonts" is integrated into this website. Google Fonts is an offer from Google Ireland Limited, a company registered and operated under Irish law with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. In this context, a connection is established between the browser you are using and Google's servers. Google thereby learns that our website has been accessed via your IP address. Insofar as information is transferred to Google servers in the USA and stored there, the American company Google LLC is certified under the EU-US Privacy Shield. Further information on data processing by Google can be found in Google's data protection notices.

3. Klaviyo

We use the service Klaviyo provided by Klaviyo Inc., 125 Summer Street, Boston, MA 02110, USA, for the automated processing of events and for customer-related communication.

If an analysis is completed in our system and you have expressly consented to this in advance, we transmit certain personal data to Klaviyo in real time in order to create or update a customer profile there and to process a corresponding event.

1. Data processed

Within the scope of the transmission, the following data in particular may be processed:

  • Email address

  • First and last name

  • Country and language

  • Measurement date of the analysis

  • Order number

  • Information on the nutrient formula

  • Retail price (RRP)

  • Link to the individual nutrient formula or pharmacy

The data is processed exclusively for the purpose of providing automated information and offers in connection with the completed analysis.

2. Legal basis

The processing and transfer of the data takes place exclusively on the basis of your explicit consent pursuant to:

  • Art. 6 para. 1 lit. a GDPR

  • Art. 49 para. 1 lit. a GDPR (third-country transfer)

Without your consent, no transfer to Klaviyo takes place.

3. Third-country transfer

Klaviyo processes data on servers in the USA. There is no adequacy decision by the European Commission for the USA.
The transfer therefore takes place exclusively on the basis of your explicit consent. You are aware that there is no level of data protection in the USA comparable to that of the EU and that state authorities may potentially access the data.

4. Storage period

The data stored with Klaviyo is erased as soon as it is no longer required for the stated purposes or you withdraw your consent.

5. Withdrawal

You may withdraw your consent at any time with effect for the future.
The withdrawal does not affect the lawfulness of the processing carried out up to the time of withdrawal.
For further information on data processing by Klaviyo, please refer to:
https://www.klaviyo.com/privacy

4. Customer Journey Tracking simptrack / campaign tracking

We use the services of HOFE Media GmbH in order to conduct effective market research/analysis, to collect statistical data for campaign tracking or to optimise the user-friendliness of our offering. This is done by means of pseudonymous usage profiles, in which no personal but only anonymised or pseudonymised data is used. So-called cookies may be used for this purpose. The following data, among others, is collected: time of access, channel information including possible parameters as well as the domain of the referrer. The data is not used to personally identify the visitor to this website. HOFE Media GmbH will, on our behalf, use the transmitted data in particular to implement campaign tracking with simptrack (tracking system). All the data mentioned above is collected exclusively for this purpose and stored without personal reference. You can opt out of the recording of campaign tracking by HOFE Media GmbH with the simptrack tracking system and prevent the processing of this data by performing a so-called opt-out under the following link: https://d.simptrack.com/privacy/v0rur7gqspb3/

This objection applies for as long as the associated opt-out cookie is not deleted. This cookie is set for the domain, per browser and per user of a computer. If you access our website from several end devices and browsers, you must therefore separately object to the data collection again on each of these devices and in each browser.

5. Adobe Typekit

The script code "Adobe Typekit" of the company Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (hereinafter: Adobe) is integrated on this website. In this context, a connection is established between the browser you are using and Adobe's servers. Adobe thereby learns that our website has been accessed via your IP address.

Adobe is certified under the EU-US Privacy Shield.

Further information on data processing in the context of Adobe Typekit can be found in Adobe's data protection notices.

6. Social media plugins

Our website uses social media plugins from platforms such as Facebook, Instagram, Twitter and LinkedIn. These plugins enable you to share content directly on the respective social networks or to interact with them.

With regard to the use of these social media plugins, there are joint responsibilities (joint controllership) with the respective providers (e.g. Facebook, Google) pursuant to the GDPR. This means that both we and the providers of the social media platforms are responsible for the processing of your personal data collected in connection with the use of the plugins.
For further information on the data protection practices and the options for managing your privacy settings with the respective providers, please refer to their privacy policies:

You have the option to prevent the processing of your data by these social media platforms by deactivating the use of the plugins or by making appropriate adjustments in the privacy settings of the respective network.

7. Additional analysis tools for web analysis

For website analysis, data is also automatically collected and stored using technologies of econda GmbH, etracker GmbH, Webtracker GmbH and InnoCraft Ltd. (Matomo), from which usage profiles are created using pseudonyms. The pseudonymised usage profiles are not merged with personal data about the bearer of the pseudonym without a separately granted, explicit consent.

Within the framework of the web analytics software Matomo, all data processed in the context of the website analysis described above is processed on our servers.

8. Legal basis for the processing of personal data

The legal basis for the processing of the users' personal data is Art. 6 para. 1 lit. f GDPR.

9. Purpose of storage

The tracking measures used enable a needs-based design and continuous optimisation of our website. In addition, tracking measures are used to record the use of our website statistically and to evaluate it for the purpose of optimising our offering for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision. The respective data processing purposes and data categories can be found in the corresponding tracking tools.

The analysis tools used serve exclusively the stated purposes and are not used to create comprehensive personality profiles or for automated decision-making.

10. Duration of storage

The data is erased as soon as it is no longer required for our recording purposes.

11. Options for objection and removal

Cookies are stored on the user's computer and transmitted from there to our site. Therefore, as a user you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.


XI. Rights of data subjects

If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access

You may request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing is taking place, you may request information from the controller on the following:

(1) the purposes for which the personal data is being processed;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;

(4) the envisaged duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;

(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) all available information on the origin of the data, where the personal data is not collected from the data subject;

(8) the existence of automated decision-making, including profiling, pursuant to Art. 22 paras. 1 and 4 GDPR and — at least in these cases — meaningful information about the logic involved, as well as the scope and envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation.

In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller, provided that the processed personal data concerning you is inaccurate or incomplete. The controller must carry out the rectification without undue delay.

3. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of the personal data concerning you:

(1) if you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you oppose the erasure of the personal data and request instead the restriction of their use;

(3) the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims, or

(4) if you have objected to the processing pursuant to Art. 21 para. 1 GDPR, pending the verification of whether the legitimate grounds of the controller override yours.

If the processing of the personal data concerning you has been restricted, such data — apart from storage — may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

1. Right to erasure

a) Obligation to erase

You may request the controller to erase the personal data concerning you without undue delay, and the controller shall be obliged to erase such data without undue delay, if one of the following grounds applies:

(1) The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

(2) You withdraw consent on which the processing is based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal ground for the processing.

(3) You object to the processing pursuant to Art. 21 para. 1 GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.

(4) The personal data concerned has been unlawfully processed.

(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

(6) The personal data concerning you has been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

b) Information to third parties

If the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 para. 1 GDPR to erase it, the controller shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, such personal data.

c) Exceptions

The right to erasure does not exist insofar as processing is necessary

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

(5) for the establishment, exercise or defence of legal claims.

4. Right to information

If you have exercised the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

5. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that

(1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and

(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons must not be adversely affected hereby.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in the context of the use of information society services — notwithstanding Directive 2002/58/EC — to exercise your right to object by automated means using technical specifications.

7. Right to withdraw the data protection consent declaration

You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until its withdrawal.

8. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the controller,

(2) is permitted under Union or Member State law to which the controller is subject, and which law lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or

(3) is made with your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and suitable measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases mentioned under (1) and (3), the controller shall take suitable measures to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of the personal data concerning you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.


XII. Final clause

Updates to our privacy policy:

It may happen that we need to update our privacy policy. The latest version of our privacy policy is always available on our website.