Data protection
Privacy Policy
SW Healthservices appreciates your visit to our websites and your interest in our company and our services. For us, data protection is more than just lip service. Therefore, we take the protection of your personal data very seriously and treat it carefully and confidentially. The current data protection regulations, especially those of the General Data Protection Regulation (GDPR), are our highest principle of action.
I. Name and Address of the Controller
The controller in the sense of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:
Company: SW Healthservices GmbH
Managing Director: Michael Staudenmeier
Julius-Hölder-Straße 47
70597 Stuttgart
Email: info@belehrung-ifsg.de
II. General Information on Data Processing
1. Definitions
Based on Art. 4 GDPR, the following definitions apply to this privacy policy:
- "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Identifiability may also result from linking such information with other additional knowledge. The origin, form, or embodiment of the information is irrelevant (photos, video, or sound recordings can also contain personal data).
- "Processing" (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection (i.e. acquisition), recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, as well as changing a purpose previously assigned to the data processing.
- "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- "Third party" (Art. 4 No. 10 GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other legal entities belonging to the group.
- "Processor" (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with its instructions (e.g. an IT service provider). In terms of data protection law, a processor is not a third party.
- "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Scope of Processing of Personal Data
We process personal data of our users generally only insofar as this is necessary to provide a functional website as well as our content and services. The processing of our users' personal data usually only takes place with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal provisions.
3. Legal Basis for the Processing of Personal Data
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.
Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, then Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
4. Data Erasure and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
However, storage may occur beyond the specified period in the event of an (imminent) legal dispute with you or other legal proceedings, or if storage is provided for by legal regulations to which we as the controller are subject (e.g., Section 257 German Commercial Code, Section 147 German Tax Code). If the storage period prescribed by legal regulations expires, the personal data will be blocked or deleted, unless further storage by us is necessary and there is a legal basis for it.
- Conditions for the Transfer of Personal Data to Third Countries
Within the scope of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e., in third countries. Such processing takes place exclusively for the fulfillment of contractual and business obligations and for maintaining your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f, each in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer in the relevant sections below.
The European Commission certifies to some third countries, through so-called adequacy decisions, a level of data protection comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This can be achieved through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR (the standard contractual clauses of 2021 are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certifications or recognized codes of conduct.
- Data Security
We employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties (e.g., TLS encryption for our website), taking into account the state of the art, implementation costs, and the nature, scope, context, and purpose of processing, as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
III. Data Collection on Our Website
- Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
- IP address of the user
- Referrer, date, and time of access
- Access method and transmitted input values of the requesting computer
- Access status of the web server (file transferred, not found, command not executed, etc.)
- Name of the requested file
- Browser and operating system version of the user
- IP address of the requesting computer, truncated so that it can no longer be linked to a person
- Amount of data transferred
- Operating system
- Message indicating whether the access was successful (access status / HTTP status code)
- GMT time zone difference
- Legal Basis for Data Processing
The legal basis for the temporary storage of data is Art. 6 para. 1 lit. f GDPR.
- Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this, the user's IP address must remain stored for the duration of the session.
These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR.
- Duration of Storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended.
- Right to Object and Erasure
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Therefore, there is no possibility for the user to object.
IV. Inquiries by Email or Phone
- Description and Scope of Data Processing
If you contact us by email or phone, your inquiry, including all personal data resulting therefrom, will be stored and processed by us for the purpose of handling your request. We will not pass on this data without your consent.
- Legal Basis for Data Processing
The processing of this data is based on Art. 6 para. 1 lit. b GDPR, provided that your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent, if this has been requested (Art. 6 para. 1 lit. a GDPR).
- Purpose of Data Processing
The data is used to process your inquiries and thus to carry out contractual or pre-contractual measures.
- Duration of Storage, Right to Object and Erasure
The data you send us via contact inquiry will remain with us until you request its deletion, revoke your consent for storage, or the purpose for data storage ceases to apply (e.g., after your request has been fully processed). Mandatory legal provisions - in particular statutory retention periods - remain unaffected.
V. Use of Cookies
- Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. If a user accesses a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that enables unique identification of the browser when the website is accessed again.
We use cookies to make our website user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.
- Legal Basis for Data Processing
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.
- Purpose of Data Processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized again after a page change.
User data collected by technically necessary cookies is not used to create user profiles.
These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.
- Duration of Storage, Right to Object and Erasure
Cookies are stored on the user's computer and transmitted from it to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all functions of the website.
- Technically Non-Essential Cookies
Insofar as other cookies (e.g., cookies for analyzing your browsing behavior) are stored, these will be treated separately in this privacy policy.
VI. Payment Procedures
- Description and Scope of Data Processing
Within the contractual relationship, the service provider "Shopify" (Shopify Inc., a Canadian corporation with offices at 151 O’Connor Street, Ground floor, Ottawa, ON, K2P 2L8, on behalf of itself, its Singaporean affiliate Shopify Commerce Singapore Pte. Ltd., and its Irish affiliate Shopify International Ltd.) is used for efficient and secure payment processing. The data processed by the payment service provider includes name, company name, email address, address, bank details (account number or credit card number, PayPal account, AmazonPay account). This information is necessary to complete transactions. The data is processed only by the payment service provider. We have concluded a corresponding Data Processing Agreement with Shopify.
- Legal Basis for Data Processing
The legal basis for processing personal data using Shopify is Art. 6 Para. 1 lit. b GDPR and Art. 6 Para. 1 lit. f GDPR.
- Purpose of Data Processing
The data is processed so that we can provide our online services fully and in a user-friendly manner. The transmission of data is necessary for the performance of the contract or for the implementation of pre-contractual measures.
- Duration of Storage, Right to Object and Erasure
The duration of storage of processed data, as well as data subject rights, can be found in Shopify's privacy policy: https://www.shopify.com/legal/privacy.
- Third Country Transfer
Personal data may be processed at Shopify's aforementioned locations.
To meet GDPR requirements, Shopify relies on the European Commission's adequacy decision for Canada (https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) when Shopify International Limited transfers personal data to its Canadian-registered parent company Shopify Inc.
Furthermore, Shopify uses comprehensive data transfer and processing agreements (DPAs) that incorporate the latest version of the Standard Contractual Clauses approved by the European Commission (https://commission.europa.eu.eu/publications/standard-contractual-clauses-international-transfers_en) to regulate the following:
- All transfers within the Shopify Group
- Further transfers to its sub-processors
All other arrangements made by Shopify for secure data transfer can be found here: https://help.shopify.com/de/manual/privacy-and-security/privacy/international-data-transfers/onward-transfers
VII. Cloud Services
- Description and Scope of Data Processing
We use software services accessible via the Internet and running on their providers' servers (so-called "cloud services") for storing and managing content (e.g., document storage and management). In this context, personal data may be processed and stored on the providers' servers, insofar as it is part of communication processes with us or is otherwise processed by us, as set out in the privacy policy.
- a) Google Drive
The uploaded identification documents are stored on Google Drive. The following personal data are processed: name, address, date of birth, place of birth, image, nationality, eye color, height, issuing authority. We have concluded a corresponding Data Processing Agreement with Google Drive.
- b) Airtable
The Airtable cloud service is used for storing and retrieving created certificates. The certificate processes the following personal data: name, address, email address, company name, date of birth.
- Legal Basis for Data Processing
The legal basis for processing personal data using Google Drive and Airtable is Art. 6 para. 1 lit. a, b and f GDPR.
- Purpose of Data Processing
The data is processed in order to properly issue the acquired certificates and provide them to customers. The Stuttgart Health Department obliges us in writing, according to current regulations, to identify the respective person by means of an identification document before we are allowed to issue a corresponding certificate.
- Duration of Storage, Right to Object and Erasure
The duration of storage, as well as data subject rights, can be found in the privacy policy of Google Drive (https://policies.google.com/privacy?hl=de) and Airtable (https://www.airtable.com/company/privacy/de).
The respective uploaded identification document will be deleted at the latest 24 hours after verification. The verification of the identification document takes place within 48 hours after its upload.
The uploaded certificates will be deleted by us from Airtable after one year at the latest.
- Third Country Transfer
- a) Google Drive
The service provider of Google Drive is Google Ireland Limited. However, personal data may also be transferred to the parent company Google LLC. This company is based in the USA. There is an adequacy decision for data transfer to the USA. Google LLC is also DPF (Data Privacy Framework) certified. Further details can be found in the privacy policy: https://policies.google.com/privacy?hl=de
- b) Airtable
Airtable's servers are located in the USA, meaning personal data is processed in the USA. The adequacy decision and corresponding standard contractual clauses also serve as the legal basis here. Further details can be found in the privacy policy: https://www.airtable.com/company/privacy/de
VIII. Data Collection on Our Server
- Description and Scope of Data Processing
We transfer the data stored on Airtable to our own server (US-i-1 located in the USA) after one year. Thus, the personal data associated with the issuance and storage of the certificate are processed.
- Legal Basis for Data Processing
The legal basis for processing personal data using Google Drive and Airtable is Art. 6 para. 1 lit. b and f GDPR.
- Purpose of Data Processing
The data is transferred from Airtable to our own server so that the data can be deleted from Airtable after one year at the latest. To comply with legal retention periods and to give you the opportunity to receive the certificate again if it is lost, the data is stored on our server.
- Duration of Storage, Right to Object and Erasure
The personal data from the issued certificate will remain with us until you request its deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.
- Third Country Transfer
The data is processed on a server located in the USA. There is an adequacy decision for data transfer to the USA.
IX. Google Analytics
- Description and Scope of Data Processing
We use cookies on our website that enable an analysis of your browsing behavior. For this purpose, we use Google Analytics (Google Ireland Limited, Google Building House, 4 Barrow Street, Dublin D04 E5W5, Ireland). We process data on browsing and purchasing behavior to create anonymized statistical evaluations and analyses that help us optimize our processes and workflows. The following data is processed: IP address, postcode, city, order data (OrderID, shopping cart value, product ID, order period), cookie ID, browser information (browser version, operating system, screen and browser resolution, device type, browser apps), and information about previously visited websites and/or advertisements.
We use the code extension "anonymizeIP", which serves to activate IP anonymization on our website. By using this extension, the IP address is truncated within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a server in the USA and truncated there. The IP address transmitted by the browser within the scope of Google Analytics is not merged with other Google data.
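The IP truncation described above, as an added example that is not part of the original policy and not Google's own anonymizeIP implementation: a small Python routine that shortens the addresses in web server log lines before they are stored, zeroing the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses (the granularity Google's documentation describes for anonymizeIP). The sample log lines and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample log lines for this example (not from the page).
# Format: <client ip> <method> <path> <status>
SAMPLE_LOG = [
    "203.0.113.77 GET /index.html 200",
    "2001:db8:85a3:8d3:1319:8a2e:370:7348 GET /shop 200",
    "198.51.100.9 POST /checkout 302",
]


def anonymize_ip(ip_str):
    """Truncate an IP address so it no longer identifies a single host.

    IPv4: the last octet is zeroed (only the /24 network is kept).
    IPv6: the last 80 bits are zeroed (only the /48 prefix is kept).
    Raises ValueError for input that is not a valid IP address.
    """
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    # strict=False lets ip_network discard the host bits for us.
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line):
    """Replace the leading client address of one log line with its truncated form.

    A line whose first field is not a parseable IP address gets "-" instead,
    so a malformed record never leaks an untruncated value into storage.
    """
    ip_field, _, rest = line.partition(" ")
    try:
        anonymized = anonymize_ip(ip_field)
    except ValueError:
        anonymized = "-"
    return f"{anonymized} {rest}" if rest else anonymized


def anonymize_log(lines):
    """Anonymize every line of an access log before it is written to disk."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Run the truncation at the point where the log line is written, not as a later clean-up pass: a record that was stored untruncated first has already been processed as personal data, and the session-bound retention described in section III only holds if the full address never reaches persistent storage.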
- Legal Basis for Data Processing
The legal basis for the further processing of personal data collected using analysis cookies is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Insofar as the purpose of processing is fraud prevention and the prevention and control of misuse when using our online shop, the legal basis is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
- Purpose of Data Processing
The purpose of the processing is to analyze the browsing behavior of website visitors to improve our website and our offerings.
- Duration of Storage, Right to Object and Erasure
Data is stored for a maximum of 6 months. Data subject rights can be found in Google's privacy policy (https://policies.google.com/privacy?hl=de).
- Third Country Transfer
The service provider for Google Analytics is Google Ireland Limited. However, personal data may also be transferred to its parent company, Google LLC, which is based in the USA. There is an adequacy decision for data transfer to the USA. Google LLC is also DPF (Data Privacy Framework) certified. Further details can be found in the privacy policy: https://policies.google.com/privacy?hl=de
X. Google Tag Manager
- Description and Scope of Data Processing
Google Tag Manager is a tag management system that allows us to embed and manage code snippets such as tracking codes or conversion pixels on our website. The following personal data is collected but not stored: name, address, date of birth, email address.
- Legal Basis for Data Processing
The legal basis for the processing of collected personal data is your consent according to Art. 6 para. 1 lit. a GDPR.
- Purpose of Data Processing
The purpose of data processing is the transmission of data and serves to implement and manage tracking tags on websites. The Tag Manager enables efficient management and implementation of various tracking tags on websites without the need for direct code changes. No data is stored.
- Duration of Storage, Right to Object and Erasure
No data is stored. The Tag Manager is exclusively used for data processing and transmission. Data subject rights can be found in Google's privacy policy (https://policies.google.com/privacy?hl=de).
- Third Country Transfer
The service provider for Google Tag Manager is Google Ireland Limited. However, personal data may also be transferred to the parent company, Google LLC, which is based in the USA. There is an adequacy decision for data transfer to the USA. Google LLC is also DPF (Data Privacy Framework) certified. Further details can be found in the privacy policy: https://policies.google.com/privacy?hl=de
XI. Rights of the Data Subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller.
1. Right to Information
You can request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing exists, you can request information from the controller about the following:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration for which the personal data concerning you will be stored or, if specific information on this is not possible, the criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information about the origin of the data if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Art. 22(1) and (4) GDPR, and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether personal data concerning you are transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transfer.
2. Right to Rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
3. Right to Restriction of Processing
Under the following conditions, you can request the restriction of the processing of personal data concerning you:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
(4) if you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where the processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to Erasure
a) Obligation to Erase
You can request the controller to erase personal data concerning you without undue delay, and the controller is obliged to erase these data without undue delay if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing is based according to Art. 6(1) lit. a or Art. 9(2) lit. a GDPR, and there is no other legal ground for the processing.
(3) You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) The erasure of personal data concerning you is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
b) Information to Third Parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9(2) lit. h and i as well as Art. 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.
5. Right to Notification
If you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about these recipients by the controller.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. Furthermore, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
(1) the processing is based on consent pursuant to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR or on a contract pursuant to Art. 6(1) lit. b GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1) lit. e or f GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to Withdraw the Declaration of Consent under Data Protection Law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the controller,
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2) lit. a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
With regard to the cases mentioned in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
A list of supervisory authorities (for the non-public sector) with addresses can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html