Data protection declaration

Protection of your personal data is important to us.
Below we would like to inform you of the electronic storage of personal data that we have obtained from you.

Your data are stored by us and processed subject to corresponding regulations in national data protection laws, and subject also to the Basic Data Protection Ordinance (DSGVO).

Under the above regulations, the following party holds data protection responsibility:
Pädagogische Forschungsstelle beim Bund der Freien Waldorfschulen e.V.
Wagenburgstr. 6
70184 Stuttgart
Tel: +49 (0)711 21042-35
Fax: +49 (0)711 21042-31
email: forschung@waldorfschule.de

The data protection officer for the responsible party is:
Dirk Janthur
Datenschutzberatung Janthur GmbH
Hedelfinger Straße 12
73734 Esslingen am Neckar
Phone: +49 (0) 711 . 71530104
email: dirk.janthur@janthur.net
website: janthur.net

I. General
1. Terms

To assure transparency and comprehensibility of our data protection declaration, we will first clarify basic terms used in the DSGVO.

Personal data

Personal data comprise all information that relates to an identified or identifiable natural person (hereinafter “person concerned”). A natural person is regarded as identifiable if they can be identified either directly or indirectly by means especially of the assignment of a distinguishing appellation such as a name, ID number, location data, online ID or by one or several special distinguishing features which express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

Person concerned

The “person concerned” signifies every identified or identifiable natural person whose personal data are processed by those responsible for doing so.

Processing
Processing signifies any and every procedure conducted either with or without the help of automated procedures, or every such sequence of procedures connected with personal data, such as collection, recording, organising, ordering, storing, adapting, altering, sorting and selecting, requesting, using, disclosing via transmission, dissemination or another form of disclosure, comparing, matching, restricting, erasing or destroying.

Limiting of data processing

Limiting of processing signifies the flagging of stored personal data with the aim of limiting their future processing.

Profiling

Profiling signifies any and every kind of automated processing of personal data that involves use of these personal data to determine particular personal aspects relating to a natural person, especially to analyse or predict aspects relating to work performance, economic status, health, personal preferences, interests, reliability, conduct, location or change of location of this natural person.

Pseudonymisation

Pseudonymisation signifies the processing of personal data in such a way that these data cannot, without drawing on supplementary information, be assigned to a specific person concerned, and insofar as this supplementary information is stored separately and is subject to technical and organisational measures that ensure it cannot be assigned to an identified or identifiable natural person.

The party responsible for processing

Responsibility for data and its processing is held by the natural or juristic person, authority, institution or other body which, either alone or with others, decides on the purposes and means of processing of personal data. If the purposes and means of such processing are prescribed by EU law or the law of member states, the responsible party, or otherwise the specific criteria of its appointment, can be determined under EU law or that of member states.

Processor

The processor signifies a natural or juristic person, authority, institution or other body that processes personal data on behalf of the responsible party.

Recipient

The recipient is a natural or juristic person, authority, institution or other body to which or to whom personal data are disclosed, irrespective of whether the latter is or is not a third party. However, authorities that may receive personal data in the context of a specific enquiry carried out under EU law or the law of member states, are not considered to be recipients.

Third parties

A third party is a natural or juristic person, authority, institution or other body apart from the person concerned, the party responsible, the order processor and the persons authorised to process the personal data under the direct responsibility of the responsible party or the processor.

Consent

Consent signifies any statement of intent given voluntarily and unmistakeably by the informed person concerned for a specific instance, in the form of a declaration or any other clearly confirming action, whereby the person concerned makes known that he agrees with the processing of the personal data relating to himself.

Payment service providers

Payment service providers serve to action payments in the context of agreements that the person concerned concludes with the responsible party.

2. Type and scope of data recording

When accessing our website or downloading data placed on our website, data are recorded and processed. This occurs as a matter of principle only insofar as this is required to run a functioning website and its contents and services. Furthermore, regular recording and use of personal data occurs only after the relevant consent has been given. An exception to this is in cases where the prior obtaining of consent is not possible for practical reasons, and where the processing of such data is permitted under statutory regulations.

a. Legal basis for the processing of personal data
Insofar as the processing of personal data is undertaken in the fulfilment of agreements concluded with us, Art. 6, clause 1, item b DSGVO serves as the legal basis. This applies also for processing procedures required in order to undertake precontractual measures. Insofar as we obtain consent from the person concerned for procedures involved in processing personal data, Art. 6, clause 1, item a DSGVO serves as the legal basis.
Insofar as processing of personal data is required in fulfilment of a legal obligation to which our company is subject, Art. 6, clause 1, item c DGSVO serves as the legal basis.
Where the vital interests of the person concerned or of another natural person necessitate the processing of personal data, Art. 6, clause 1, item d DSGVO serves as the legal basis.
Where processing is required to preserve a justified interest of our company or of a third party, and where the interests, basic rights and basic freedoms of the person concerned do not outweigh the first-named interest, Art. 6, clause 1, item f. DGSVO serves as the legal basis for data processing.

b. Data deletion and duration of data storage
Deletion of personal data recorded by us occurs as soon as the purpose of storage lapses.
Storage occurs where this is permitted by law, by EU ordinance or other regulations. Deletion further occurs if a storage period prescribed by the specified norms expires, except where further data storage is necessary for the purposes of concluding or fulfilling an agreement.

II. In-house data gathering via the website
1. Log files

a. Description and scope of data processing
When you access our website the following are logged:

  • Browser type / version
  • Referrer URL (previously visited website), and pages on our website logged on to
  • IP address
  • Date and time of the server request
  • Internet Service Provider.


b. Legal basis for data processing
The legal basis for the storage of data and log files is Art. 6, clause 1, item f. DGSVO.

c. Purpose of data processing
Storage in log files ensures proper functioning of our website. In addition it serves optimisation and security of our systems. No evaluation of the data for marketing purposes is carried out in this context.

d. Storage duration
The data stored by us will be deleted as soon as they are no longer required for the purpose for which they were collected. This will occur no later than seven days from their collection. It is possible to store data for longer than this, in which case the IP addresses of users will be deleted or disguised so that they can no longer be assigned to the customer who has logged in.

e. Right to object and remove
Collection of the specified data is essential for running the website. The user therefore has no right of objection.

2. Cookies

a. Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored on the visitor’s computer system when logging on to our website. Cookies contain a sequence of symbols that facilitate identification of the visitor’s browser when logging in to our website again. We use technically necessary cookies that serve to make our service more user-friendly, effective and more secure.
The following data, for instance, are stored and transferred in the cookies:

  • Items in the basket
  • Log-in data
  • Language settings

We pseudonymise the data thus obtained, rendering it impossible to assign the data to the visitor. Furthermore, these data are not stored together with other personal data.
You can set your browser so as to be informed of cookies and make decisions about accepting them in certain instances, or to exclude them generally. If cookies are not accepted, this can impair the functionality of our website.
In addition we use cookies that allow analysis of the surfing behaviour of our website visitors (called ‘analysis cookies’). For instance, the following data are stored and communicated in analysis cookies:

  • Website log-ins
  • Uptake of website functions
  • Language settings

b. Legal basis for data processing

The legal basis for processing of personal data with cookie use is Art. 6, clause 1, item f. DSGVO. Processing personal data with cookie use for analysis purposes, where the user gives consent, continues to be governed by Art. 6 clause 1, item a DSGVO.

c. Purpose of data processing

Technically necessary cookies serve to simplify use of websites. Some functions of the website or of the online shop cannot be provided without the use of cookies. For such functions it is necessary for the browser to be recognised again after a site change.
The user data collected through employing these technically necessary cookies are not used to compile user profiles.
Analysis cookies  are used to improve the quality of our website and its contents. Through these cookies we can ascertain how the website is being used, and thus continually optimise our service.

d. Duration of storage, right to decline and remove
Cookies are stored on the user’s computer, and transferred/communicated from it. Thus users have full control over the use of cookies. By changing settings in your internet browser, you can deactivate or restrict transfer of cookies. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all the website’s functions can go on being used in full.

3. Contact form and email

a. Description and scope of data processing
We offer visitors to our website a contact form for quick electronic contact. The data typed into the message box are transferred to us and stored.
Additionally, at the moment the message is sent, the user’s IP address, and the date and time of the message sending are stored.
Alternatively, users can make contact with us via the available email address. In this case, the user’s personal data that are transferred with the email  will be stored. They will not be passed on to third parties. These data will be used exclusively for processing the request or message.

b. Legal basis for data processing
The legal basis for data processing, where the user has given consent, is Art. 6, clause 1, item a DSGVO.
The legal basis for processing of data that are transferred during the sending of an email is Art. 6. clause 1, item f. DSGVO. If the email contact concerns the concluding of an agreement, an additional legal basis for this processing is Art. 6, clause 1, item b DSGVO.

c. Purpose of data processing
The processing of personal data serves solely for processing the contact request. In the case of email contact, there is implicit justified interest in the processing of the data.
Other personal data processed during the message sending procedure serve to avoid misuse of the contact form and to assure the security of our IT systems.

d. Duration of storage
The data are deleted as soon as they are no longer required for the purpose for which they were collected. For personal data in the message box of the contact form, and those that are sent via email, this occurs upon ending of each respective conversation with the user. The conversation ends when circumstances demonstrate that the matter in question has been clarified or resolved.
Additional personal data collected during sending are deleted after a period of no more than seven days.

e. Right to decline and remove
The user can at any time revoke his consent to processing of personal data. To do so, the user can contact the responsible party via the contact methods offered on the website. If the user makes contact with us by email, he can at any time decline storage of his personal data. In such a case, the conversation cannot continue.

4. Message when goods become available

a. Description and scope of data processing
Users can request an email message to inform them when unavailable items become available. When they sign up for this service, the data requested in the message box will be transferred to us.
In addition, the following data will be collected at sign-up:

  • Date of sign-up/deregistration, confirmation and notification

As part of the sign-up procedure, consent will be obtained via a ‘double opt-in’ system.

b. The legal basis for data processing
The legal basis for data processing following the user’s sign-up to the notification service is, where consent is given, Art. 6, clause 1, item a DSGVO.

c. Purpose of data processing
Collecting the user’s email address facilitates sending of the notification.
Collecting of other personal data as part of the sign-up process serves  to prevent misuse of the services or of the email address used.

d. Duration of storage
The data are deleted as soon as they are no longer required for the purpose for which they were collected. Accordingly, the user’s email address is stored until the notification has been sent.

e. Right to decline and remove
The notification service can be cancelled by the customer at any time. For this purpose, a corresponding link will appear in every confirmation mail.

5. Newsletter

a. Description and scope of data processing
Users can subscribe to our newsletter on our website. When registering for the newsletter, the data collected from the input screen will be transferred to us.
In addition, the following data will be collected at registration:

  • IP address of the registrant
  • Date and time of the registration

During the registration process, consent will be obtained by means of a ‘double opt-in’ procedure.
If customers have purchased goods or services from us, and in doing so have supplied their email address, this can subsequently also be used for sending a newsletter. In this case, only direct advertising of our own similar goods or services will be sent via the newsletter.

b. Legal basis for data processing
The legal basis for processing of data following registration for the newsletter by the user is, where the user’s consent has been obtained, Art. 6, clause 1, item a DSGVO.
The legal basis for sending the newsletter following purchase of goods or services is § 7 clause 3 UWG.

c. Purpose of data processing
Collecting the user’s email address enables us to send out the newsletter. Collection of other personal data during the registration process makes it possible to avoid misuse of the services or the email address.

d. Storage duration
The data stored by us will be deleted as soon as they are no longer required for the purpose for which they were collected. Accordingly, the user’s email address will be stored only for as long as the newsletter subscription remains active.

e. Right to object and remove
Subscription to the newsletter can be cancelled by the user at any time. A corresponding link is found in every newsletter for this purpose.

6. Newsletter tracking

a. Description and scope of data processing
The newsletters dispatched by us contain what are called tracking bugs. These are miniature graphics embedded in emails that are sent in HTML format in order to facilitate log data recording and analysis. The personal data collected in this way are not passed to third parties. Your consent to this as part of the registration process is obtained via a ‘double opt-in’ procedure.

b. Legal basis for data processing
The legal basis for processing of data following registration for the newsletter is, where the user’s consent is obtained, Art. 6, clause 1, item a DSGVO, or otherwise Art. 6, clause 1, item f DSGVO

c. Purpose of data processing
Newsletter tracking is undertaken for the purpose of evaluating the success or failure of online marketing campaigns. By this means we can record whether and when an email is opened, and which links in it are clicked on. Newsletter tracking also helps us to improve and optimise the newsletter.

d. Storage duration
The data stored by us will be deleted when they are no longer required for our commercial purposes, and as long as they do not contravene statutory data storage obligations.

e. Right to object and remove
The user can revoke consent at any time by cancelling the newsletter. Every newsletter carries a corresponding link for this purpose.

7. Registration during order placing or input for a guest checkout

a. Description and scope of data processing
Users can register on our website. When they do so, the data collected from the input screen will be transferred to us and stored. The same applies to data input in a guest checkout process.
Personal data thus obtained can be passed to third parties, e.g. packaging service providers, insofar as this is necessary for fulfilling an agreement. The latter will use these data exclusively for internal processes on our behalf. More details on this can be found in section III of this data protection declaration.

b. Legal basis for data processing
Where registration serves to fulfil an agreement to which the user is a contractual party, or to perform precontractual measures, the legal basis for processing of data is Art. 6, clause 1, item b DSGVO.
Data input during a guest checkout serves the performance of precontractual measures; the legal basis for processing of these data is Art. 6, clause 1, item b DSGVO.
A further legal basis for data processing where the user’s consent has been obtained, is Art. 6, clause 1, item a DSGVO.

c. Purpose of data processing
Registration of the user is necessary for the fulfilment of agreements with users or the performance of precontractual measures. The same applies to input of data relating to guest checkout. In addition, user registration is necessary for maintaining certain contents and services on our website.

d. Storage duration
The data stored by us will be deleted when they are no longer required for the purposes for which they were collected.
This will be the case for data recorded during the registration process if registration on our website is cancelled or altered.
This will be the case for data recorded during the registration process or guest checkout process in order to fulfil an agreement or to perform precontractual measures if the data for performing the agreement are no longer needed. A need to store personal data can continue even after concluding an agreement, for the purposes of fulfilling contractual or statutory requirements.

e. Right to object and remove
Users can cancel their registration at any time. Users themselves can change stored data, or have them changed, at any time.
The responsible party can provide information on ways of cancelling registration. If the data are required for fulfilling an agreement or for performing precontractual measures, premature deletion of the data is only possible if this does not contravene contractual or statutory requirements relating to deletion.

III. Data transfer to third parties for the purpose of fulfilling an agreement
1. General

a. Description and scope of data processing
When you order, we will collect and use your personal data only insofar as this is necessary for fulfilling and completing your order and to handle your requests and enquiries. The data inputted by you during the ordering process will, where required for fulfilling the agreement or where permitted by you, be passed to third parties whom we need in order to fulfil our contractual relationship, or to service providers whom we employ when processing the order. Besides data recipients named in the clauses of this data protection declaration, this may for instance include recipients in the following categories:
Dispatch service providers, payment service providers, merchandise management service providers, service providers for order fulfilment, webhosters, IT service providers and dropshipping handlers.

b. Legal basis of data processing
The data processing described above serves to fulfil an agreement to which the user is a contractual party. The legal basis for processing of the data is Art. 6, clause 1, item b DSGVO. A further legal basis for data processing, where the user’s consent is obtained, is Art. 6, clause 1, item a DSGVO.

c. Purpose of data processing
Transfer of data serves the fulfilment of our contractual obligations.

d. Duration of storage
Your data will be deleted when they are no longer needed in order to fulfil the agreement, except where this would contravene contractual or statutory requirements.

e. Right to decline or remove
The user has the right to revoke the consent given to the responsible party or the provider of goods or services at any time. It is not possible to revoke consent for data processing essential for fulfilling the agreement.

2. PayPal (Plus)

a. Description and scope of data processing
If, to make an order, the user decides to employ “PayPal” or “PayPal PLUS” (purchase on account / credit card / direct debit), automatised data of the user will be transferred to the payment service provider. With the choice of PayPal as payment option, the user consents to transfer of the personal data  required for completing payment. The provider is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxemburg. Data transferred are necessary for completing payment. These are for example first name, surname, address, email address, IP address, phone number, mobile phone number and order details. Data protection terms of PayPal can be accessed at paypal.com/de/webapps/mpp/ua/privacy-full

b. Legal basis of data processing
Where use of the payment service provider serves to fulfil an agreement to which the user is a contractual party, the legal basis for data processing is Art. 6, clause 1, item b DSGVO. The basis for data processing, where the user’s consent is obtained, is Art. 6, clause 1, item a DSGVO.

c. Purpose of data processing
Transfer of data serves payment completion, prevention of misuse, and identity and credit checking.

d. Duration of storage
Your data will be deleted when they are no longer needed for our commercial purposes, and where this does not  contravene statutory data storage requirements. We have no power over the storage of data by the payment service provider, who can be contacted via the details given above.

e. Right to decline or remove
The user has the right to revoke the consent given to the responsible party or the provider of payment services at any time. It is not possible to revoke consent for data processing essential for making payment.

IV. Data transfer for the purpose of newsletter dispatch

1. Newsletter2Go

a. Description and scope of data processing
If you wish to order the newsletter offered on the website, we will need an email address for you and information that enables us to check that you are the owner of this email address, and have agreed to receiving the newsletter. To send out the newsletter and for email marketing purposes, we use the newsletter service Newsletter2Go. This is managed by Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.

Data stored and processed by this provider include those listed below. Newsletter2G is prohibited from selling your data or using it for purposes other than for sending out newsletters. Newsletter2Go is a German, certified provider, chosen in compliance with the requirements of the basic ordinance on data protection and the German Federal Data Protection Law.

  • IP address
  • Page log-in and click data
  • Browser type and browser language
  • Hardware employed by the user
  • Name and email address

In addition, the provider will place cookies on users’ terminals.

You can find more information here:
newsletter2go.de/informationen-newsletter-empfaenger

b. Legal basis for data processing
The legal basis for processing data after registration for the newsletter is, where the user’s consent is obtained, Art 6, clause 1, item a DSGVO.
Here we use the ‘double opt-in’ procedure, during which the potential recipient allows himself to be included in a distribution list. Subsequently, via email confirmation, the user can confirm registration in a legally admissible way. The user’s address only becomes active in the distribution list once confirmation has been given.

c. Purpose of data processing
By means of the above data processing, we receive information that enables us to analyse user behaviour. In turn we can then optimise our newsletter and improve its display.

d. Duration of storage
Your data will be deleted once they are no longer needed for our commercial purposes, and insofar as we are not required to store them by law. We have no influence on storage of data by the provider named above. You can contact the provider via the details given there.

e. Right to decline and remove

Users can at any time revoke consent for the responsible party or the provider to process their data. For this purpose, the user can contact the responsible party or the provider via available means of communication. The user can also require the provider to delete these data.

In addition, users have full control over the use of cookies. By changing settings in their internet browser, they can deactivate or limit the transfer of cookies. Cookies already stored  can be deleted at any time. This deletion can be automated. If cookies are deactivated for our website, it is possible that the website’s functions can no longer be used in full.

V. Data transfer for the purpose of utilisation analysis
1. Matomo (formerly Piwik)

a. Description and scope of data processing
This website uses the web analysis service Matomo (Piwik). The provider is the company InnoCraft Ltd., 150 Willis St , 6011 Wellington, New Zealand. Matomo places cookies on users’ terminals for the purposes of analysis, and these cookies store the following data.

  • Two bytes of the IP address of the user’s accessing system
  • The opened website
  • The website from which the user reached the opened website (referrer)
  • The sub-pages that are opened from the accessed website
  • The time spent on the website
  • The frequency of using the website

The provider’s software runs exclusively on our website’s servers, and storage of the personal data of the user only happens there. It is not passed on to third parties.

b. Legal basis of data processing
The legal basis for processing of the user’s personal data is Art. 6, clause 1, item f DSGVO.

c. Purpose of data processing
Processing of personal data of the user enables us to analyse the user’s surfing behaviour. Through evaluation of the data thus collected, we are able to compile information about use of the various constituents of our website. This helps us to continually improve our website and its user-friendliness. These aims also govern our justified interest in processing data as under Art. 6, clause 1, item f DSGVO. By anonymising IP addresses, sufficient account is taken of the user’s interest in protecting their personal data.

d. Duration of storage
The data are deleted as soon as they are no longer needed for our record-keeping purposes. This will be after no more than 6 months.

e. Right to decline and remove
Cookies are stored on the user’s computer and transferred from there. Thus users have full control over the use of cookies. By changing settings in your internet browser you can deactivate or limit the transfer of cookies. Cookies already stored can be deleted at any time. This can also be done by automated procedure. If cookies for our website are deactivated, it is possible that the functions of the site can no longer be fully utilised.
It is also possible to opt out of the analysis procedure. To do so, users must open the link below.

By clicking on the link, an opt-out cookie is allowed. If the user deletes it, it will need to be replaced once more.

VI. Data transfer to social media services

1. Two-click solution for integration of Youtube

We have integrated parts of Youtube into our website. Youtube is an internet video portal that enables video publishers to place video clips on the internet free of charge, and other users to watch, evaluate and comment on them, likewise free of charge. Youtube facilitates publication of all kinds of videos, and for this reason whole films and TV broadcasts, as well as music videos, trailers, or videos made by users themselves, can be accessed via this internet portal.
The provider is Youtube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is an affiliate of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The website does not directly embed Youtube videos into its pages, and so profiling by third parties is excluded.
However, to see our videos nevertheless, users must first click on the pre-view image. Only after clicking off the disclaimer, or logging in, can they see the video. Only at that moment are data transferred. You can find more information on this at youtube.com/yt/about and in the data protection terms and conditions published by Youtube, accessed at google.de/intl/de/policies/privacy
These provide information about the collecting, processing and use of personal data by Youtube and Google.

The legal basis, following click-off of the disclaimer is Art. 6, clause 1, item a DSGVO

VII. Rights of the persons concerned
1. Right to information

Any person concerned with processing of personal data can require the responsible party to confirm whether their personal data are being processed.
If this is the case, they can require the responsible party to provide the following information:

  • Purposes of processing
  • Categories of personal data that are being processed
  • Recipients or categories of recipients with whom the personal data in question have been or are being shared
  • Planned duration of storage of the personal data concerning you or, where no specific information on this is available, criteria for determining the duration of data storage.
  • Applicability of the right to correction or deletion of the personal data relating to you, a right to limitation of data processing by the responsible party or the right to decline this processing.
  • Applicability of the right to lodge a complaint with a monitoring authority
  • All available information about the source of data if the personal data were not collected from the person concerned.
  • Applicability of an automated decision-making process including profiling as under Art. 22, clause 1 and 4 DSGVO and – at least in these cases – robust information about the logic, scope and desired effects of such processing for the person concerned.
  • Furthermore, the person concerned has the right to require information as to whether their personal data are being passed to a third country or an international organisation. In this context you can require to be informed about appropriate guarantees relating to transfer as under Art. 46 DSGVO.
  • In the case of data processing for academic, scientific, historical or statistical purposes, this right of information can be limited insofar as it may render impossible or seriously impede the realisation of research or statistical purposes, where such limitation is necessary for meeting the said purposes of research or statistics.


2. Right of correction

Persons concerned have a right to require the responsible party to correct or complete personal data relating to them insofar as these data are incorrect or incomplete. The responsible party must undertake such correction without delay.
In the case of data processing for academic, scientific, historical or statistical purposes:
Your right to correction can be limited insofar as it may render impossible or seriously impede the realisation of research or statistical purposes, where such limitation is necessary for meeting the said purposes of research or statistics.

3. Right to limit data processing

Under the following conditions persons concerned can require limitation of the processing of data relating to them:

  • if the correctness of the personal data in question is disputed for a period of time that allows the responsible party to check the correctness of the said data
  • if processing is contrary to the law, and the person concerned declines deletion of the personal data, and instead demands limitation of use of the personal data
  • the responsible party no longer needs the personal data for the purposes of processing, but the person concerned does however need them to assert, exercise or defend legal claims; or
  • if the person concerned has submitted an objection to processing as under Art. 21, clause 1 DSGVO, and it is not yet clear whether the substantiated reasons of the responsible party outweigh the reasons of the person concerned.

If processing of the personal data in question has been limited, these data – apart from their storage – can only be processed with the consent of the person concerned or in order to assert, exercise or defend legal claims, or to protect the rights of another natural or juristic person or for reasons of an important public interest of the EU or a member state.

If such limitation of processing is itself limited under the above conditions, the person concerned will be informed by the responsible party before the limitation is revoked.

In the case of data processing for academic, scientific, historical or statistical purposes:

The right of the person concerned to limit processing can itself be restricted insofar as it may render impossible or seriously impede the realisation of research or statistical purposes, where such restriction is necessary for meeting the said purposes of research or statistics.

4. Right to delete

a. Duty to delete
The person concerned can require the responsible party to immediately delete personal data relating to them, and the responsible party is obliged to delete these data immediately insofar as one of the following reasons applies:

  • the relevant personal data are no longer necessary for the purposes for which they were collected or for which they were processed in some other way;
  • the person concerned has revoked their consent upon which processing was based as under Art. 6, clause 1, item a or Art. 9, clause 2, item a DSGVO, and no other legal basis exists for processing;
  • the person concerned objects to processing, as under Art. 21, clause 1 DSGVO, and there are no overriding lawful reasons for processing, or else the person concerned objects to processing as under Art. 21, clause 2 DSGVO;
  • the personal data were processed in an unlawful manner;
  • deletion of the relevant personal data is necessary to fulfil a legal requirement under EU law or the law of member states to which the responsible party is subject;
  • the relevant personal data were collected in respect of information society services provided under Art. 8, clause 1 DSGVO.

b. Information to third parties
If the responsible party has published the relevant personal data, and if he is required to delete them as under Art. 17, clause 1 DSGVO, then, allowing for the available technology and implementation costs, he is to undertake appropriate measures, also of a technical kind, to inform those responsible for data processing that you, as person concerned, have required the deletion of all links to these personal data or of copies or replications of these personal data.

c. Exceptions
The right to deletion does not apply insofar as processing is necessary

  • to exercise the right of free speech and information;
  • to fulfil a legal obligation that requires processing under the law of the EU or member states to which the responsible party is subject, to undertake a task that lies in the public interest, or in the exercise of public office that has been invested in the responsible party;
  • for reasons of public interest in the field of public health as under Art. 9, clause 2, item h and I, and also Art. 9, clause 3 DSGVO;
  • for archiving, academic, scientific or historical research purposes, or statistical purposes, that are in the public interest, as under Art. 89, clause 1 DSFVO, insofar as the right named under section a) may render impossible or seriously impede the realisation of the aims of this processing; or
  • to assert, exercise or defend legal claims.

5. Right to be informed

Where the person concerned has asserted to the responsible party their right to correction, deletion or limitation of data processing, the latter is obliged to inform all recipients to whom the relevant data have been disclosed of such correction, deletion or limitation, except where this proves impossible or would involve an incommensurate expense. The person concerned has the right to require the responsible party to inform him of these recipients.

6. Right to data transferability

Persons concerned have the right to receive personal data about them that have been made available to the responsible party, in a structured, customary and machine-readable format. In addition, persons concerned have the right to pass these data to another responsible party, without impediment from the responsible party to whom the personal data were made available, insofar as

  • processing is based on consent as under Art. 6 clause 1, item a DSGVO or Art. 9,  clause 2, item a DSGVO, or an agreement as under Art. 6, clause 1, item b DSGVO; and
  • processing occurs with the aid of automated procedures.

In exercise of this right, persons concerned have the further right to require that their personal data are directly transferred from one responsible party to another insofar as this is technically feasible. The freedoms and rights of other persons must not thereby be impaired.
The right to data transferability does not apply to the processing of personal data that are necessary for undertaking a task that is in the public interest or in exercise of a public authority that has been invested in the responsible party.

7. Right of objection

Persons concerned have the right, for reasons arising from their particular situation, to lodge an objection at any time to the processing of data relating to them that is undertaken based on Art. 6, clause 1, item e or f DSGVO. This also applies to profiling based on these clauses. The responsible party will then no longer process the relevant personal data, except where he can show compelling reasons for processing that outweigh the interests of persons concerned, their rights and freedoms, or where processing serves the assertion, exercise or defence of legal claims.

If the relevant personal data are processed for the purposes of direct marketing, persons concerned have the right to lodge objection at any time to the processing of their personal data for the purposes of such marketing; this applies also to profiling insofar as this is connected with direct marketing. If persons concerned object to processing for the purpose of direct marketing, the personal data relating to them will no longer be processed for such purposes. Persons concerned can, in connection with use of information society services – and irrespective of Guideline 2002/58/EG -  exercise their right of objection by means of automated procedures in which technical specifications are utilised.
In the case of data processing for academic, scientific, historical or statistical research purposes:
Persons concerned also have the right, for reasons arising from their particular situations, to object to the processing of their personal data undertaken for academic, scientific or historical research purposes, or statistical purposes as under Art. 89, clause 1 DSGVO.
The right of objection can be restricted insofar as it may render impossible or seriously impede the realisation of research or statistical purposes, and where such restriction is necessary for fulfilling the said research or statistical purposes.

8. Right to revoke the data protection law declaration of consent

Persons concerned have the right to revoke their declaration of consent under data protection law at any time. Revoking consent does not affect the legality of processing based on the consent carried out up to the point of revocation.

9. Automated decision in individual cases including profiling

Persons concerned have the right not to be subject to a decision determined exclusively by automated processing – including profiling – when such decision takes legal effect on them or in similar manner affects them negatively to a considerable degree. This does not apply if the decision

  1. is necessary for conclusion or fulfilment of an agreement between the person concerned and the responsible party;
  2. is permissible based on legal regulations of the EU or member states to which the responsible party is subject, and these legal regulations contain appropriate measures to preserve the rights and freedoms of persons concerned and their justified interests; or
  3. occurs with express consent.

However, such decisions must not be based on special categories of personal data as under Art. 9, clause 1 DSGVO, insofar as Art. 9, clause 2, items a or g DSGVO do not apply, and insofar as appropriate measures to protect the rights, freedoms and justified interests of persons concerned have been implemented.
In relation to the instances itemised in points 1 and 3 above, the responsible party will take appropriate measures to protect the rights, freedoms and justified interests of persons concerned, including at least the right to require the involvement of a person representing the responsible party, to explain their own point of view, and to contest and challenge the decision.

10. Right to lodge a complaint with a supervisory authority

Irrespective of any other legal recourse under administrative law or judicial appeal, persons concerned have the right to lodge a complaint with a supervisory authority, especially in the member state where they or their workplace are domiciled, or where the supposed infringement occurred, if they are of the view that the processing of their personal data violates the terms of DSGVO.
The supervisory authority to which the complaint is submitted will inform the complainant of the status and outcome of the complaint, including the right to judicial appeal as under Art. 78 DSGVO.

Copyright: Lawyer Anne-Kathrin-Renz (it-recht-deutschland.de)

 

 Subscribe to the newsletter (German)
 Subscribe to the newsletter (German)
Contact
Any questions about our publications? We’ll be glad to help:

email info waldorfbuch.de

tel: +49-711-21042-25
fax: +49-711-21042-31

Mon - Fr:8:00 - 12:30
13:30 - 17:00
Shipping
* 2-5 working days (inside Germany)

 Shipping and delivery times

Payment methods
Cash-free payments: Prepayment, PayPal, debit transfer, credit card

Zahlungsarten
close 
shopping cart

There are no items in your shopping cart