Privacy Policy

1 General remarks

BDV Trading, processes and uses your personal data in compliance with the strict Israeli & European data protection regulations. Apart from certain particulars required to offer you our services, you may determine yourself which information to provide.

On our website we use, as far as possible, secure transmission technologies, e.g. TLS encryption. However, data transfer on the Internet, especially the communication via e-mail, may involve security gaps. A complete data protection against access of third parties is not possible.

By using the website www.bdvtrading.com (hereafter: online platform), but at the latest when registering as a user, you grant your consent to the collection, processing and use of the entered personal data by the BDV Trading as responsible entity on their servers. Please note that the data transmitted by you as part of the use of the website are processed and saved by means of an EDP system. It is understood that we treat your personal data strictly confidentially.

Personal data, i.e. specific data about the personal or factual circumstances of a particular or identifiable natural person, are only collected as far as necessary for the performance of the contract and for the provision of contractual services. The collection of data is carried out exclusively to the extent provided by you.

The processing of personal data may consist in saving, changing, transmitting, blocking and deleting of these data. Any personal data are only saved by us as long as this is necessary for the respective specified purpose or we are obligated by law to save this information.

Already when visiting our website, your information may also be saved to the server when having access (e.g. date, time, pages visited). This data is not considered personal data, but they are anonymised, for example name of the Internet provider, type of Internet browser, pages visited on the website. These data are used for statistical purposes only and to improve our services. By accessing the site, data may also be saved on your computer. These data are called “cookies” and they facilitate the use of the website. However, you have the option to deactivate this function in your web browser. This may result in limitations when using our website.

The user’s personal data will not be transmitted to any third party. Exempt from this are only the service partners of the BDV Trading needed for the completion of the contractual relationship, e.g. providers of payment services (such as e.g. PayPal) as well as a transmission of data to authorities within our legal obligations. In these cases, the provisions of the Israeli Data Protection Act will be strictly observed, the data transfer will be restricted in any event to a minimum extent.

You shall be entitled to the right of withdrawal of the consent with effect for the future at all times and without limitations. The contact data for exercising the withdrawal may be found in the About us section of our website.

You have the right to information free of charge on your stored personal data as well as to the correction, deletion or blocking thereof, in as far as personal data are concerned for the purposes of the law. In order to contact us, please use the contact data to be found in the About us section of our website.

2 Controller

Controller for the purposes of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act is

BDV Trading
E-Mail: admin@bdvtrading.com

4 General information on data processing

  1. In general, the processing of personal data is only done to the extent necessary for the provision of a functional website including contents and services. Regular processing of data is only done upon consent of the data subject. As an exception, the processing of data is done without consent of the data subject if this is not possible for practical reasons and the processing of data is permitted by legal provisions.

  2. Art. 6 (1) point (a) GDPR serves as legal basis for the processing of personal data in so far as the consent of the data subject has been obtained for the processing of personal data.

    Art. 6 (1) point (b) GDPR serves as legal basis for the processing of personal data insofar as this is necessary for the performance of a contract to which the data subject is a contractual party. This also applies to processing necessary for the implementation of pre-contractual measures.

    Art. 6 (1) point (c) GDPR serves as legal basis for the processing of personal data insofar as the processing of personal data is necessary for the performance of a legal obligation to which the company is subject.

    Art. 6 (1) point (f) GDPR serves as legal basis for the processing of personal data insofar as this is necessary for the processing for the protection of a legitimate interest of the company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest.

  3. The personal data of the data subject will be deleted or blocked as soon as the purpose of the data storage is no longer applicable. Storage beyond this purpose can be done if this is required by relevant national or European regulations. Blocking or deleting of the data is also done when a retention period prescribed by the aforementioned regulations expires unless further storage of data is required for the conclusion or performance of a contract.

5 Use of the website

  1. With each visit to the website, the system automatically records data and information from the computer system of the calling computer.

    The following data are collected:

    1. IP address
    2. Time and date of the access
    3. Time zone difference with Greenwich Mean Time (GMT)
    4. Contents of the website
    5. Access status (HTTP status)
    6. Data volume transferred
    7. Web browser
    8. Browser language and version
    9. Operating system
    10. The website from which you entered this website

    The data are saved in the log files of the system. Storage of this data together with other personal user data does not take place.

  2. The legal basis for this is art. 6 (1) point f GDPR.

  3. The collection and temporary storage of the IP address is necessary to enable the presentation of the website on your device. For this, your IP address has to be saved for the duration of your visit of the website. An analysis of these data for marketing purposes does not take place.

  4. The data are deleted when the respective session is ended. If these data are saved in log files, this is done at the latest after seven days. Storage beyond this is possible. In this case, the users’ IP addresses are deleted or alienated so that they can no longer be assigned to the calling client.

  5. The collection of data for the availability of the website and the storage of data in log files for availability of the website are absolutely necessary. Therefore, there is no possibility of appeal.

6 Registration

  1. The website offers users to register by entering personal data. For this, the data is entered into an input mask, then transmitted and saved. A transfer to a third party does not take place. The following data is collected:

    1. Name (first name, surname)
    2. Home address (street, house number, postal code, country)
    3. E-mail address
    4. Time and date of the registration

    5. Phone Number

    Commercial users are also required to enter the company name and the VAT ID. Where applicable, a tax statement is required pursuant to section 22f (1) sentence 2 VAT Act. Users who use our platform as non-commercial sellers are required to enter their birth date in addition to the above mentioned data.

    During the registration process the user’s consent for the processing of these data is obtained with reference to the privacy policy.

  2. The legal basis for this, upon consent of the user, is art. 6 (1) point (a) GDPR. If the registration serves the performance of a contract to which the user is a contractual party or serves the implementation of pre-contractual measures, art. 6 (1) point (b) GDPR is an additional legal basis for the processing of data. As far as we are obliged to process data of commercial users and private sellers, the legal basis is art. 6 (1) point (c).

  3. The registration of the user is required to set up a customer account. It serves to identify the user and to perform the user contract via the service. The data entered by commercial users or private sellers are collected for the fulfillment of our legal obligations to the financial authorities.

  4. The data will be deleted as soon as it is no longer required for the fulfilment of the purpose for which they were collected. This is the case during the registration process for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be required to save personal data of the contractual partner to meet contractual or legal obligations.

  5. Data subjects may modify at any time the user data (except their name and birthday) in their user profile under www.bdvtrading.com/account. Where the data is required for the performance of a contract or the implementation of pre-contractual measures, an advance deleting of data is only possible in so far as the deletion is not barred by contractual or legal obligations. If the recorded name or birthday is incorrect, please reach out to our customer support team to correct the data.

7 Use of the online marketplace

  1. To use the online marketplace, inventory data (e.g. names and addresses as well as contact data of users, user names of authorised users) and contract data (e.g. services used, names of contact persons, payment information) are processed as well as the IP address and the time of the respective user intervention, the user ID and the accessed URLs. This data is stored in the log files of our system. Apart from that, data of third parties entered by the user are processed.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR. The consent is obtained upon conclusion of the contract.

    Additional legal basis for the processing of data is art. 6 (1) point (b) GDPR, as the processing of the specified data serves to perform a contract to which the user is a contractual party or to implement pre-contractual measures.

    Furthermore, processing is done to improve our services for the benefit of the analysis, optimisation and the economic operation of our website for the purposes of art. 6 (1) point (f) GDPR.

  3. Purpose of the processing

    1. of the inventory data (e.g. names and addresses as well as user contact data) and contract data (e.g. services used, names of contact persons, payment information) is the implementation of the contract as well as billing purposes.
    2. of user names and the entries of the respective users is to ensure the access authorisation of the service.
    3. of the IP address, time of the respective user intervention as well as the accessed URLs is done to optimise our services and to continually improve the user experience.
    4. of third party data entered by the user is the implementation of the contract and the provision of the contracted services.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the data collected during the registration process for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be required to save personal data of the contractual partner to meet contractual or legal obligations (especially fiscal retention periods).

  5. Data subjects may modify or delete the saved data at any time. Where the data is required for the performance of a contract or the implementation of pre-contractual measures, an advance deleting of data is only possible in so far as the deletion is not barred by contractual or legal obligations. In particular, the notice periods of current contracts shall remain unaffected.

8 Payments and Payment Service Providers

  1. If you are redirected to the website of a payment service provider for a payment transaction, the data entered by you will be processed directly by the payment service provider. The Privacy Policy of the respective payment service provider applies.

    1. Bank Transfers

      If you choose Bank Transfers as your payment method, you will need to send as a virtual copy of the wire transfer authorization.

      For the payment process, your order will be marked as pending payment until the admin confirms the receipt of funds.

    2. PayPal

      Payments through PayPal as well as credit card payments are processed by PayPal ltd. PayPal UK Ltd., 22-24 Boulevard Royal L-2449, Luxembourg. For these payments, you will be immediately redirected to the paypal user interface where the payment will be processed. The data to be entered there will not be collected, processed, or stored by us. For this data, only the PayPal privacy policy applies, which you can find on their website as well as further privacy statements if applicable.

    3. PayBox or Bit

      These payment options are only allowed for Israeli users.

      For the payment process, you will be redirected to the payment service for a payment transaction, the data entered by you will be processed directly by the payment service provider. Your order will be marked as pending payment until the admin confirms the receipt of funds.

  2. Art. 6 (1) point (a) GDPR is the legal basis for the processing of payment data by the user upon consent from the user.

    Additionally, art. 6 (1) point (b) GDPR serves as legal basis for the processing of personal data, insofar are this data is required for the fulfilment of a contract

  3. The collection of data is done solely for the fulfilment of the contract.

  4. The data will be deleted as soon as it is no longer required for the fulfilment of the contract for which it was collected. This is the case for the personal data if the respective contractual relation with the person concerned was terminated. A contractual relation is considered terminated if the person concerned can no long be considered a client (e.g., by deleting the account).

  5. The person concerned may at any time withdraw consent to the processing of personal data. Any obligation needed to fulfil the contracts remains unaffected by this.

9 Use of data via application programming interface (API)

The use of the API using a permanent Access Token enables you to access your own inventory data as well as publicly available data such as trading card prices etc. Neither you nor other users have access to each other’s’ inventory data.

Commercial developers of apps and similar application programmes are provided with an App Key. Here too, no personal data or granting of access rights to such data will be passed on at first.

However, if you log in with your data (user name and password) via a third-party app, you grant this app a temporary access (read and write), limited to 24 hours, to your own inventory data.

We are not liable for possible damages or misuse arising from the use of such third-party apps. For the terms of use and data protection regulations of such third-party apps please refer directly to the app provider.

10 Contact via e-mail or contact form

  1. The website uses contact forms which may be used for electronic contact. If used, the data entered into the input mask or sent by e-mail are transmitted and saved there. These data are:

    1. E-mail address
    2. Contents of the contact

    Additionally, the following data is collected during contact:

    1. IP address of the calling computer
    2. Time and date of the contact

    A transfer to a third party does not take place in this context. The data will be used exclusively for processing the conversation.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR.

    The legal basis for the processing of data transmitted when sending an e-mail is art. 6 (1) point (f) GDPR.

    If the contact is aimed at concluding or performing a contract, the additional legal basis for the processing is art. 6 (1) point (b) GDPR.

  3. The processing of personal data from the input mask or by e-mail only serves to process the contact. In case of a contact via e-mail, this shall also constitute the required legitimate interest in the processing of data. Any other personal data processed during sending serves to prevent misuse of the contact form and to ensure the security of the information technology systems.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the personal data from the input mask of the contact form and the data transmitted via e-mail when the respective conversation with the data subject has ended. The conversation is ended if the circumstances indicate that the respective issue has been resolved conclusively. The additional personal data collected during sending will be deleted at the latest after seven days.

  5. Your data will be erased after processing of your enquiry is completed. This is the case if it is possible to infer from the circumstances that the situation in question has been conclusively clarified and insofar as no legal retention periods prevent it.

  6. The data subject may at any time withdraw consent to the processing of personal data. In case of a contact via e-mail, you can object to the storage of personal data at any time. However, in such a case the conversation cannot be continued. In this case, any personal data saved during contact will be deleted.

11 Use of cookies

  1. The website uses cookies. Cookies are text files, which are saved in the web browser or by the web browser on the user’s computer system. This cookie contains a distinctive string of characters that enable the clear identification of the browser upon re-entering the website. Cookies cannot transmit viruses onto the device or execute programs.

    Cookies help to make the website more user-friendly. Some elements of the website require the identification of the calling browser even after the page was changed.

    Insofar as cookies are technically not necessary, these are only loaded when the user has given consent. For this, we are using a plugin that will not collect any personal data itself. The information about an existing consent, for its part, is saved as a cookie. However, no personal data is collected for this purpose.

    Transient cookies are deleted automatically when the session is closed. These include e.g. session cookies which save the so-called session ID and by means of which the different web inquiries can be allocated to the joint session. This allows for the device to be recognized in a new session.

    Persistent cookies are deleted automatically after a prescribed retention period, which may be different for each cookie. The corresponding settings may be deleted at any time in the settings of the web browser.

    Cookies save the following data:

    1. Log-in information

    2. Language settings

    3. Entered search terms

    4. Number of website calls

    5. Use of different function of the website

  2. The legal basis for the use of technically necessary cookies is art. 6 (1) point (f) GDPR.

  3. The purpose of the application of technically necessary cookies is to simplify the use of websites for the user. Some functions of the website cannot be offered without the use of cookies. For this, it is necessary that the browser be recognised after a change of page.

    The user data collected by technically necessary cookies are not used to create user profiles.

  4. The legal basis for the application of technically necessary cookies is art. 6 (1) point a GDPR, if the user has given consent to the respective cookie. The purpose for the application of technically not necessary cookies is to analyse the use of the website and to continually improve individual functions and offers as well as the user experience. By means of statistical analysis of the user experience, the offer can be improved and designed to be more interesting for the user. Further details may be taken from the respective sections of the privacy statement.

  5. Cookies are saved on the user’s computer and are transmitted from there to our website. Hence, you as user also have full control over how cookies are used. By changing the settings in your web browser, you can deactivate or limit the transmission of cookies separately from the opt-in banner. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

    Open Cookies Settings

12 Google Analytics

  1. The website uses “Google Analytics”, a web analytics service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as: “Google”). Google uses cookies, text files which are saved on your device and which enable an analysis of the website use. The information about the use of this website generated by the cookie are usually transmitted to a Google server in the USA and saved there. If an anonymisation of the IP address to be transmitted by the cookie is activated on the website by the extension “_anonymizeIp()” (hereafter referred to as: IP anonymisation”), the IP address will be shortened beforehand by Google within the member states of the European Union or other signatory states of the Agreement on the European Economic Area. The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. Google will use this information on behalf of the controller to evaluate the website use, to compile reports about website use and to perform further services connected to website and Internet use. During this process, pseudonymous user profiles may be created from the processed data. The IP address transmitted using Google Analytics will not be merged with other Google data.

    The website uses Google Analytics only with the activated IP anonymisation as described above. This means that Google will process your IP address only in the shortened form. Therefore, a personal traceability can be excluded.

  2. Google Analytics is only activated via our cookie banners. Therefore, The legal basis for the processing is the the user's consent for the purposes of art. 6 (1) point (f) GDPR.

  3. The website uses Google Analytics in order to analyse the website use and to continually improve different functions and offers as well as the user experience. Using statistical analysis of the user behaviour, the offer can be improved and designed to be more interesting for the user. Herein also lies the legitimate interest in the processing of the above data by Google.

  4. Separately from the opt-in banner, the storage of cookies generated by Google Analytics may be blocked by adjusting the corresponding settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website. If you wish to block the collection of data generated by the cookie and related to the user behaviour (including your IP address), you may download and install the web browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout.

    In order to oblige Google to process the transmitted data only as instructed and to comply with the data protection regulations, the controller has concluded a processing contract with Google.

    In the exceptional cases where personal data have been transmitted to the USA, Google has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Google is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

    Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Further information on data use by Google, on settings and appeal options as well as on privacy policy may be found on the following Google websites:

    1. User conditions:
      http://www.google.com/analytics/terms/
    2. Overview on privacy policy:
      http://www.google.com/intl/de/analytics/learn/privacy.html
    3. Privacy statement:
      https://www.google.com/intl/de/policies/privacy/
    4. Data use by Google upon your use of our partners’ websites or apps:
      https://www.google.com/intl/de/policies/privacy/partners/
    5. Data use for advertising purposes:
      https://www.google.com/policies/technologies/ads/
    6. Settings on personalised advertising by Google:
      http://www.google.de/settings/ads

    For users who visit our website from the People’s Republic of China (PRC), it is possible to use the services of Site Monitor of the provider Miaozhen Ltd, Beijing, PRC with servers in the PRC instead of Google Analytics for the same purpose and subject to the same restrictions. In order to deactivate Site Monitor, visit http://i.miaozhen.com.cookie_opt.html.

13 Google (Invisible) reCAPTCHA

  1. The website uses “Google reCAPTCHA”, a Turing test by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as: “Google”). Google checks whether the data entries on the website are made by a person or an automated programme. For this, user behaviour is analysed using different attributes. The analysis starts automatically upon entering the website. For the analysis, reCAPTCHA analyses various information (e.g. IP address, time spent on the website or mouse movements by the user). The data collected in the analysis are transmitted to Google.

    The reCAPTCHA analyses are running completely in the background. Website visitors are not notified that an analysis takes place.

  2. The legal basis for the processing is art. 6 (1) point f GDPR

  3. The controller has the legitimate interest that the website be protected against improper automated spying and SPAM.

  4. For further information on Google reCAPTCHA as well as on Google’s privacy policy go to the following links:

    1. https://www.google.com/intl/de/policies/privacy/

    2. https://www.google.com/recaptcha/intro/android.html

14 Encrypted data transfer

When logging in (“Login”) or establishing a contact all data is transmitted via an encrypted connection using TLS technology. The certificate required for this, which has been installed on the server, has been issued by an independent organisation. An encrypted connection may be recognised by the change in the address bar of the browser from http:// to https://.

As soon as the encrypted TLS connection has been established, your entries transmitted to the shop can no longer be read by a third party.

15 Rights of the data subject

If personal data is processed, the users are “data subjects” for the purposes of the GDPR and are entitled to the following rights towards the controller:

  1. Right of access

    The data subject may demand a confirmation from the controller on whether personal data is processed.

    If such a processing takes place, the following information may be requested from the controller:

    1. the purposes for which personal data are processed;
    2. the categories of personal data which are processed;
    3. the recipient or categories of recipients to whom the respective data have been disclosed or will be disclosed;
    4. the envisaged period for storing personal data or, if specific information is not available, the criteria used to determine that period;
    5. the existence of a right to rectification or deletion of personal data, of a right to restriction of processing by the controller or right of appeal against this processing;
    6. the existence of the right to lodge a complaint with a supervisory authority;
    7. any available information about the source of the data where personal data are not collected from the data subject;
    8. the existence of automated decision-making, including profiling, referred to in art. 22 (1; 4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such data processing for the data subject.

    The data subject shall have the right to information about whether personal data are transmitted to a third country or an international organisation. In this context, the data subject may request information on the appropriate safeguards pursuant to art. 46 GDPR relating to the transmission.

  2. Right to rectification

    The data subject shall have the right to rectification and/or completion of data against the controller if the processed personal data are inaccurate or incomplete. The controller has to correct these data immediately.

  3. Right to restriction of processing

    The restriction of processing of personal data may be requested if one of the following conditions applies:

    1. the accuracy of the personal data is contested for a period enabling the controller to verify the accuracy of the personal data;
    2. the processing is unlawful and the deletion of personal data is opposed and the restriction of their use is requested instead;
    3. the controller no longer needs the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims, or
    4. the processing has been objected pursuant to art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

    Where the processing of personal data has been restricted, such data shall – with the exception of storage – only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

    Where the restriction of the processing has been restricted under the above conditions, the data subject shall be informed by the controller before restriction is lifted.

  4. Right to deletion

    Obligation to deletion

    The data subject shall have the right to request from the controller the deletion of personal data without undue delay and the controller shall have the obligation to delete these data without undue delay where one of the following grounds apply:

    1. the personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed.
    2. the consent is withdrawn on which the processing is based pursuant to point (a) art. 6 (1) or point (a) art. 9 (2) GDPR and where there is no other legal basis for the processing.
    3. the processing is objected to pursuant to art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the processing is objected to pursuant to art. 21 (2) GDPR.
    4. the personal data have been unlawfully processed.
    5. the personal data have to be deleted to comply with a legal obligation according to Union or Member State law to which the controller is subject.
    6. the personal data have been collected in relation to the offer of information society services referred to in art. 8 (1) GDPR.

    Information to third parties

    Where the controller has made the personal data public and is obliged pursuant to art. 17 (1) GDPR to delete these data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the deletion of any links to, or copies or replications of, those personal data.

    Exceptions

    The right to deletion shall not apply to the extent that processing is necessary

    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interests in the area of public health pursuant to points (h) and (i) of art. 9 (2) and art. 9 (3) GDPR;
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to art. 89 (1) GDPR in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
    5. for the establishment, the exercise or defence of legal claims.

  5. Right to notification

    Where a right to rectification, deletion or restriction of the processing is claimed against the controller, the controller shall be obliged to communicate this rectification or deletion of data or the restriction of the processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

    The data subject shall have the right against the controller to be informed about those recipients.

  6. Right to data portability

    The data subject shall have the right to receive the personal data provided to the controller in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

    1. the processing is based on consent pursuant to point (a) of art. 6 (1) GDPR or point (a) art. 9 (2) GDPR or on a contract pursuant to point (b) art. 6 (1) GDPR and
    2. the processing is carried out by automated means.

    In exercising this right, the data subject shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons shall remain unaffected by this.

    The right to data portability shall not apply for a processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  7. Right to object

    The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on point (e) or (f) art. 6 (1) GDPR; including profiling based on those provisions.

    The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing.

    Where processing for direct marketing purposes was objected to, the personal data shall no longer be processed for such purposes.

    The data subject shall have the possibility, in the context of the use of information society services – notwithstanding Directive 2002/58/EG – to exercise your right to object by automated means using technical specifications.

  8. Right to withdraw declaration of consent to the data protection law

    The data subject shall have the right to withdraw the declaration of consent to the data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing which has taken place based on the consent before its withdrawal.

  9. Automated individual decision-making, including profiling

    The data subject shall have the right not to be subject to a decision based on automated processing - including profiling – which produces legal effects concerning the data subject or similarly significantly affects them. This shall not apply if the decision:

    1. is necessary for entering into or performance of a contract between the data subject and the controller,
    2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms as well as legitimate interests, or
    3. is based on the data subject’s explicit consent.

    However, these decisions shall not be based on special categories of personal data referred to in art. 9 (1) GDPR, unless point (a) or (g) of art. 9 (2) apply and suitable measures to safeguard the rights and freedoms and legitimate interests are in place.

    In the cases referred to in points (1) and (3) the controller shall implement suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

  10. Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy all data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if it is considered that the processing of data infringes the GDPR.

    The supervisory authority to which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.

End of the Privacy Statement