hartmann consultants: Personalberatung in München

Data Privacy Policy

We take the protection and privacy of your personal data very seriously in all of our business processes. We process any personal data which you share with us in due compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the statutory data protection provisions of the German Data Protection Act (BDGS).

This Data Privacy Policy explains how we treat your personal data. It is designed to provide you with detailed information on the type, extent and purpose of our collection of personal data. It also informs you of your rights in connection with processing of your personal data.

1. Contact information for data controller and data protection officer

1.1 Responsibility (Controller)

Responsibility as data controller within the meaning of Art. 4 VII GDPR and other data protection laws is held by:

hartmann consultants GmbH & Co. KG
Maffeistrasse 3
80333 Munich, Germany

Telephone: +49 89 540 45 48 00
Fax: +49 89 540 45 48 19

E-mail: info@hartmann-consultants.com

1.2 Data protection officer

We have appointed a data protection officer, who can be contacted as follows:

hartmann consultants GmbH & Co. hartmann consultants GmbH & Co. KG
Data Protection Officer
Maffeistrasse 3
80333 Munich, Germany

Telefon: +49 89 540 45 48 00
Fax: +49 89 540 45 48 19
E-Mail: datenschutz@hartmann-consultants.com

2. Scope of this Data Privacy Policy

2.1 Terms and definitions, individuals covered by the Policy

The following terms and definitions apply for the purposes of this Data Privacy Policy. Where masculine forms are used for the purposes of improved readability, the content of the text where they are used applies to all genders.

Candidate: We process personal data of individuals who send us job applications either proactively and independently (unsolicited applications) or upon being invited by us to do so, or who are concrete candidates for a position.

Client: We also process data of companies, organizations, official authorities, etc., which commission us to provide services.

We offer all our clients our Executive Search, Potential Analysis, and Digital Leadership Audit services (“our services”). This Data Privacy Policy applies to you irrespective of whether you are a candidate for one of our clients, an individual undergoing evaluation as an employee of one of our clients, or an employee/contact liaison for a client.

Vendors/Other contractual partners: We also process personal data of vendors or other contractual partners which we commission to perform tasks such as provision of services or works.

Visitors to our website: Finally, we collect a limited amount of data when you visit our website, i.e. access the site. For more information about our processing of data during your visit to our website, see Section 7 of this Data Privacy Policy.

2.2 Content-related application of this Policy

This Data Privacy Policy applies when you contact us, attend one of our events, or visit our website.

3. General data processing principles

3.1 General principles

We follow the principles of data privacy laws limiting collection and processing of personal data (abbreviated to “data”) to a minimum. We therefore only process personal data where necessary for clearly defined purposes as described in the following (principles of data avoidance and data minimization). Under these principles data processing is only permissible where based on a sufficient legal position or where your consent has been given (principle of lawfulness).

3.2 Description and scope of data processing

3.2.1 Data of candidates

3.2.1.1 Data collection from publicly available sources and/or from recommendations

We are a provider of specialist recruitment services for expert professionals and executives at top and middle management levels. We operate in the field of specialist executive search in the lifestyle market sectors of fashion, luxury, footwear, sports, and living. Our clients expect us to find the best possible employees to fill specific vacancies in their companies. Given this, we perform proactive searches in publicly available sources to identify potential candidates. In our research we focus particularly on professional networks such as LinkedIn, Xing, and similar sources, where we find information about candidates. In addition, we receive information about potential candidates from recommendations, often supplied by (former) candidates and/or clients in the capacity of referees.

In these cases, we initially store personal data we have received from public sources or from the recommendation giver. These personal data generally comprise:

First name, last name
Telephone number and email address
Address
Main area of professional qualifications
Training / academic qualifications / professional experience
Skills / social skills
Content and scope of professional experience

After saving your data we contact you promptly (within one month at the latest) and notify you of the processing of your data.

3.2.1.2 Further collection of data from you directly

If you are interested in being added to our database as part of an unsolicited application or after being contacted by us, or if you seek to apply directly for an advertised vacancy at one of our clients, we collect further personal data from you directly. The data collected in these cases may generally comprise the following categories:

Further master and contact data: specifically, titles and honorifics, names, addresses, telephone numbers, email addresses, dates of birth, family statuses, nationalities
Photos, particularly job application photos or photos taken during video interviews, e.g. on Skype
Further data concerning your qualifications, knowledge, and skills, particularly school education and professional training and/or academic qualifications, further advanced training, professional and/or industry experience, project experience, references; language skills, other qualifications (e.g. driver’s license) and social skills, publications
Details of availability and work locations
Salary expectations
Tax details, particularly VAT ID and/or tax ID
Bank account details
Extracts from Commercial Register entries and/or police good conduct records
Copies of personal identity documents (identity card and/or passport)
Insurance details, particularly occupational liability insurance
Any other data relating to establishment and execution of contractual relations, e.g. travel activity / percentage of travel activity

3.2.2 Client data

If you are our client, it is necessary for us to collect and use information about you or individuals within your company or organization in order to provide you with services. For this purpose, we collect the following personal data from you directly:

Contact details and/or contact details of individual liaisons within your organization, e.g. names, telephone numbers, email addresses
Information about your use of profiles of previous candidates
Current addresses, previous addresses, other mailing addresses
Contractual data, e.g. start and end of contract
Bank account data, e.g. your account IBAN, BIC, details of your bank
Tax-relevant data, particularly tax ID, tax number
Where applicable, other data related to fulfillment of the business relationship
Data from mail, electronic, and telephone communication between you and us

3.2.3 Data of vendors and other contractual partners

If you are a vendor or other contractual partner of us, we require some types of data in order to fulfill the contract we have concluded with you. For this purpose we initially collect, process and use the data you provide to us within the scope of establishing or pursuing business relations. These data comprise in particular:

Master data and contact data, particularly current address, other mailing addresses, telephone numbers, email addresses
Contract-related data, e.g. start and end of the contract,payment plans, payment terms
Data given in personal identity documents or other identity papers submitted to us
Bank account data, e.g. your account IBAN, BIC, details of your bank
Tax-relevant data, particularly tax ID, tax number
Data from mail, electronic, and telephone communication between you and us
Where applicable, other data related to fulfillment of the business relationship

3.3 Purposes of data processing

3.3.1 In processing candidates’ data

As part of adding you to our database or processing a concrete or general application for potential vacancies, we use your personal data to create a profile excluding names, master data, images, mail address, email address, or further personal contact details, but including information on availability, willingness to relocate, salary, project-based experience, and other information where appropriate.

We send this profile proactively to our clients in cases where we expect that you could be of interest to them based on your profile. If the client expresses interest in your candidacy, we share your name and, where applicable, further project-relevant personal data with clients only after prior consultation with you and with your consent. Ensuring confidential treatment of your personal data––specifically, your personal contact details––by potential clients for the purpose specified and in accordance with data protection law is beyond the scope of our responsibility. Please consider this, particularly with respect to the data you supply in your resume and when sharing further data and files.

In addition, we may compare individual data of yours––particularly concerning references, qualifications, or criminal record––with information or data concerning third parties which are already in our possession.

If the client believes you may be suitable, we will discuss your candidacy with you in detail. If you are still interested in the position, you may be interviewed by one of our consultants and be entered on a shortlist for a presentation to our client. At this stage, after consulting with you we provide further details to the client, who may then contact you directly in exceptional cases. In general, processing of your data has the purposes of verifying your suitability for current or future vacancies for which you may apply or for which we may consider you, and to enable you to be matched to interesting positions with prestigious contractual partners (clients). Processing of your data further has the purpose of enabling you to be contacted to inform you about the progress of your application or about different or further positions which may be of interest to you. Communication between you and us is documented by us in a candidate database and may also be stored in a CRM (customer relationship management) system. In addition to these direct contacts, inhouse references or comments of relevance to the current or future recruitment process are also stored on these systems. This processing of your data has the purpose of completing processes rapidly and without errors or loss of information, in order to provide you with a service optimized to your wishes and requirements. Further, processing of your data is part of our general performance of the contractual relationship with you and is necessary for the provision of this performance.

As a matter of general principle, your profile stored in our database is only provided to potential clients in anonymized form. This excludes identification by the client as far as possible. The profile serves as the basis for an initial presentation, evaluation, and selection by the client with the objective of recruitment.

In addition, we may use your data for advertising purposes; in this case, under certain circumstances we may, at regular intervals, send you information we believe will be of interest to you. Our advertising activities involve offers of recruitment services, invitations to networking and client events, and general information about industries, specific price reductions, etc.

In addition, we occasionally conduct satisfaction surveys aimed at improving our service quality. For this reason, we may occasionally call on the services of market research institutes.

Finally, under certain circumstances we may also use your data to establish or exercise our legal rights or defend ourselves against legal claims.

3.3.2 In processing candidates’ data

During collaboration with you, we collect personal data with the purpose of duly implementing contractual agreements with you and ensuring smooth professional relations. This may include identification of candidates who are a good fit for you or your organization in our view.

If you are interested in a candidate after receiving the candidate’s anonymized profile, we first draw up a job description for the potential candidate, including information about the vacancy, the company and the corporate culture. Once expressly approved by you, this job description is sent to the potential candidate.

We use the information about our clients to fulfill our contractual obligations and pursue recruitment activities. For this purpose, we store and update your data in our database, record conversations, discussions, and meetings to ensure we can provide you with targeted services, conduct customer satisfaction surveys, and process your data for the purpose of contacting you with suitable advertising campaigns. In addition, we may use your personal data to establish or exercise our legal rights or defend ourselves against legal claims.

3.3.3 In processing data of vendors and other contractual partners

We collect and process your personal data for the purposes of contacting you and of fulfilling our contractual obligations towards you. For example, we may process your contact details for the purpose of contacting you, concluding service or works agreements or similar with you, duly fulfilling our contractual obligations, monitoring payment transactions, etc.

For this purpose, we store and update your data in our database. We may use your data, particularly your contact data, for direct mail advertising of our services and, in individual cases, of special events. In addition, we may use your personal data to establish or exercise our legal rights or defend ourselves against legal claims.

4. Lawful basis of data processing

4.1 Data of candidates

4.1.1 Processing based on your consent

The lawful basis for our processing of your data is Art. 6 I 1 a GDPR in cases where you have given consent. In cases where specific categories of personal data are processed, Art. 9 II a GDPR also applies. You consent to our processing of your personal data within the scope of this data privacy statement for the purposes described. We may share your personal data with potential clients to the extent necessary for the purpose of arranging recruitment. Your personal data will not be shared with third parties without your express consent unless necessary for provision of the service or execution of contractual performance. Specifically, if an application on your part or an attempted recruitment on our part with respect to a specific vacancy are unsuccessful, you may consent to our storing your personal data in a database beyond the end of the concrete recruitment process. We may then use your data to contact you at a later stage, specifically with the purpose of continuing the recruitment process or beginning a new recruitment assignment.

Where we do not already use your data for advertising purposes and customer satisfaction surveys based on our legitimate interests (see section 4.1.4 below), we will obtain your express consent to using your data for further advertising purposes.

4.1.2 Processing based on execution or arrangement of a contract

Art. 6 I 1 b GDPR applies as additional lawful basis for processing of your data in cases where processing of your data already has the purposes of fulfillment of a contract to which you are a party, or performance of precontractual measures.

4.1.3 Processing based on statutory provisions

We are subject to statutory and regulatory provisions. Under Art. 6 I 1 c GDPR, collection and processing of your personal data are necessary for our fulfillment of statutory requirements based thereon.

4.1.4 Processing based on legitimate interests

We may occasionally request you to take part in a customer satisfaction survey. Further, we may use your data, particularly your contact data, in direct mail advertising of our services and, in individual cases, of special events. Further, in cases where we have received your email address in connection with a service, we use these data for email advertising of similar services. This applies until such time as you withdraw consent. At all times when we collect your data, we clearly and explicitly refer you to your right to object to processing of your data.

We use these data to the extent described above under the assumption that we have legitimate interests in processing your data, and that such interests override your interests or fundamental rights and freedoms concerning protection of your data. We would like to contact you at regular intervals to survey your satisfaction and send you information about our services which we believe will be of interest to you.

As part of our candidate satisfaction surveys, we occasionally commission market research institutes to optimize our services in the interests of our clients. In this context, too, we assume that your interests or fundamental rights and freedoms concerning protection of your data will not be unreasonably impaired.

4.2 Client data

4.2.1 Processing based on your consent

We collect and process your personal data based on consent in cases where you have previously given your express consent to data processing in accordance with Art. 6 I 1 a GDPR.

Where we do not already use your data for advertising purposes or customer satisfaction surveys based on our legitimate interests (see section 4.2.4 below), we will obtain your express consent to using your data for further advertising purposes.

4.2.2 Processing based on execution or arrangement of a contract

We collect and process your personal and corporate data for the purposes of contacting you and fulfilling our contractual obligations towards you. We process these data on the basis of Art. 6 I 1 b GDPR for the purposes of performance of precontractual measures and fulfillment of contractual performance. For example, we may process your contact details for the purpose of contacting you, concluding agreements with you, duly fulfilling our contractual obligations, and monitoring payment transactions.

4.2.3 Processing based on statutory provisions

We are subject to extensive statutory and regulatory provisions, including under fiscal law. Under Art. 6 I 1 c GDPR, collection and processing of your personal data are necessary for our fulfillment of statutory requirements based thereon. In addition, we store your personal and corporate data and/or the personal data of individual contacts within your organization and record conversations, discussions, meetings, reports of any vacancies, and the recruitment process.

4.2.4 Processing based on legitimate interests

We may occasionally request you to take part in a client satisfaction survey. Further, we may use your data, particularly your contact data, in direct mail advertising of our services and, in individual cases, of special events. Further, in cases where we have received your email address in connection with a service, we use these data for email advertising of similar services. This applies until such time as you withdraw consent. At all times when we collect your data, we clearly and explicitly refer you to your right to object to processing of your data.

As part of our client satisfaction surveys, we occasionally commission market research institutes to optimize our services in the interests of our clients. In this context, too, we assume that your interests or fundamental rights and freedoms concerning protection of your data will not be unreasonably impaired.

4.3 Data of vendors and other contractual partners

4.3.1 Processing based on your consent

We collect and process your personal data based on consent in cases where you have previously given your express consent to data processing in accordance with Art. 6 I 1 a GDPR.

Where we do not already use your data for advertising purposes based on our legitimate interests (see section 4.3.4 below), we will obtain your express consent to using your data for further advertising purposes.

4.3.2 Processing based on execution or arrangement of a contract

We collect and process your personal data for the purposes of contact and of fulfilling our contractual obligations towards you. We process these data on the basis of Art. 6 I 1 b GDPR for the purposes of performance of precontractual measures and fulfillment of contractual performance. For example, we may process your contact details for the purpose of contacting you, concluding agreements with you, duly fulfilling our contractual obligations, and monitoring payment transactions.

4.3.3 Processing based on statutory provisions

We are subject to extensive statutory and regulatory provisions, including under fiscal law. Under Art. 6 I 1 c GDPR, collection and processing of your personal data are necessary for our fulfillment of statutory requirements based thereon. In addition, we store your personal data and/or the personal data of individual contacts within your organization and record conversations and meetings.

4.3.4 Processing based on legitimate interests

Further, we may use your data, particularly your contact data, for direct mail advertising of our services and, in individual cases, of special events.

We would like to contact you at regular intervals to send you information about our services which we believe will be of interest to you.

5. Duration of saving, options for objection and removal

We will erase your personal data from our system after 5 years without relevant contact with you or with the company, organization, or authority which commissioned the recruitment. After this period has elapsed the data are assumed to be no longer relevant to the purpose for which they were collected. In exceptional cases, we erase personal data after a longer period where we believe in good faith that we are under an obligation to store your data for legal reasons or under other regulations. In this context “relevant contact” denotes (verbal or written) communication between us and you, or situations in which you actively contact us or communicate with us with respect to potential job searches, using methods including verbal or written communication or clicking one of our advertisements.

In all other cases your personal data are erased as soon as they are no longer required for the purpose for which they were collected. Even after expiry of a contractual relationship, the requirement to store personal data may continue to apply in order to fulfill contractual or statutory obligations––particularly retention obligations under commercial or fiscal law––or to protect our legitimate interests.

Saving data in compliance with retention obligations under commercial and/or fiscal law as applicable and to the required extent. Time limits for compliance with retention obligations under commercial and/or fiscal law are: ten years in accordance with statutory regulations governing all documents required for determination of profits; and six years for business correspondence (including emails). The lawful basis in this case is Art. 6 I 1 c GDPR.
Under the provisions of the German Civil Code (BGB), statutes of limitation may cover up to 30 years; the regular statute of limitations is three years. In accordance with these limitation provisions, we therefore retain contractual and contract-related documents for use in disputes or litigation where necessary. The lawful basis in this case is Art. 6 I 1 f GDPR.

Where processing of your data is based on your consent, you may withdraw this consent at any time in future in whole or in part by sending a corresponding request to datenschutz@hartmann-consultants.com Please note that withdrawal of your consent may affect your ability to be recruited for potential jobs if withdrawal restricts the customary informative value of your general or specific application, preventing a potential client from gaining an impression of your person. If you withdraw your consent we will erase your personal data. If your data are necessary for fulfillment of a contract or performance of precontractual measures, premature erasure of your data is only possible where unobstructed by contractual or statutory obligations.

6. Further transfer of your personal data

6.1 Transfer of personal data to processors

We may use contracted processors, e.g. IT service providers, software providers, storage service providers, market research and other research companies etc., in providing our services. Transfer of your data to these processors takes place under strict compliance with non-disclosure obligations and data protection laws. The processors commissioned by us undertake to comply with our confidentiality standards.

6.2 Other external service providers

In addition, we may transfer your data to external service providers which provide services on our behalf, e.g. external consultants (e.g. tax accountants, attorneys, etc.).

6.3 Transfer of data to third countries

We do not transfer data to countries outside the EU or EEA (i.e. third countries) unless compelled to do so by official or judicial order.

7. Information concerning processing of your personal data collected from use of our website

7.1. General

The following information provides details of the type, scope, and purposes of our processing of your personal data collected when you use our website. If you are directed to our website from other websites or move to other websites from our website, please ensure you read the data privacy policy in Section 5 of this document.

When you use our website purely for information purposes, i.e. if you do not register or supply us with information by other means, we only collect the personal data sent to our server by your browser. If you would like to view our website, we collect the following data which are technically necessary for us to display our website correctly to you and ensure its stability and security:

Your IP address and duration of your visit to our website
Date and time of access
Time difference to Greenwich Mean Time (GMT)
Content of request (concrete page)
Access status / HTTP status code
Data volume transferred
Website from which the request is made
Browser
Operating system and user interface
Language and version of browser software

7.2. The data specified are processed by us for the following purposes:

Ensuring smooth connection setup of our website
Ensuring a pleasant user experience for visitors to the website
Evaluation of system security and stability, and
Other administrative purposes

The lawful basis for data processing is Art. 6 (1) 1 f GDPR. The above listed purposes of data collection constitute our legitimate interest. We never use the data thus collected to draw conclusions about your individual identity-

In addition, during your visit to our website we use cookies and analysis services. For more information and explanations, see particularly the “Cookies” section of this Data Privacy Policy below.

7.3 Cookies

Our website uses cookies to enable visitors to make use of specific functions of the website and for us to analyze the behaviour of visitors to the site.

Cookies are small text files that are saved on your computer. Most of the cookies we use are session cookies, which are erased from your hard drive at the end of your browser session. Other cookies (known as persistent cookies) are stored on your computer and enable us to recognize your computer on your next visit.

If you wish to prevent cookies from being stored on your computer, change your browser settings to deactivate cookies for our website or prevent cookies from being stored on your computer in general You can also erase any cookies stored on your computer by changing your browser settings.

Deactivation of the use of cookies may require a persistent cookie to be stored on your computer. If you erase this cookie, you will have to repeat the deactivation procedure.

We use the following types of cookies on our website:

Transient cookies, i.e. cookies that are automatically erased when you close your browser. These particularly include session cookies, which save a session ID allowing various requests by your browser to be assigned to the session. This enables us to recognize your computer the next time you visit our website. Session cookies are deleted when you log out or close your browser.
Persistent cookies are cookies which allow you to configure your browser settings in accordance with your wishes. For example, they permit refusal of third-party cookies or all cookies. However, please note that if you do this, you may not be able to use all the functions of this website.

7.4 Transfer of information to third parties

7.4.1 General

In order to operate this website and offer Executive Search, Potential Analysis, or Assessment services, we work closely with trusted partners with which we need to exchange personal data. These partners include:

Our clients to which we provide Executive Search services. We consult with you before transferring your data.
Prospective clients to which we may need to provide evidence of our understanding of a specific market and the people working in it. In this case your data are anonymized.

We will only transfer information as described in this Data Privacy Policy and will, wherever possible, limit disclosure to aggregated data to prevent, or avoid as far as possible, any possibility of your personal identification.

7.4.2 Third parties

We may also transfer information to third parties which process information on our behalf.

This is designed to support us in operating some internal business processes including email distribution, IT services, and client services. Under our agreements with these third parties, they undertake to process the data securely in compliance with our instructions.

Transfer of personal data to contracted processors only takes place where the processors can offer sufficient guarantee of orderly and secure use of the data and contractually agree to comply with the principles set forth in this Data Privacy Policy and with statutory regulations. We will not inform third parties about your personal data or otherwise transfer the data to them unless such data transfer is required in order for us to provide the contracted performance or unless you have granted your consent for us to do so.

Your data may also be transferred to organizations in other parts of the world. As the data privacy laws in other regions may not match the standards of your home country, we will only transfer data where adequate data privacy is in place to protect the data stored in this country and where the local service provider complies with applicable data protection law at all times. Where specified by law, we will take action to ensure that personal data processed in other countries is subject to the same level of protection as in your home country as a minimum requirement.

We may be obliged by a statutory requirement or court order to provide law enforcement authorities, official authorities, or third parties with information about you. In such cases we will act responsibly and take your interests into account wherever possible in responding to such enquiries. If you have concerns about these agreements to transfer personal data to third parties, please contact us and request us to refrain from processing your personal data.

7.5. Google Analytics

We use Google Analytics, a web analysis service operated by Google Inc. (“Google”). Google Analytics uses “cookies,” text files that are saved on users’ computers and allow their use of the website to be analyzed.

The information about users’ visits collected by the cookie is generally transferred to a Google server in the USA and saved there. While the USA does not have the same level of data protection as the EU, Google is a member of EU-U.S. Privacy Shield (see here for more information) and, in this capacity, undertakes to comply with European data privacy law.

This website has activated IP anonymization, so that Google first abbreviates users’ IP addresses within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the USA and abbreviated there in exceptional cases. We commission Google to use this information to evaluate the behaviour of visitors to this website, to compile reports on website activity, and to provide us with further services related to website use and Internet use. These activities supply us with information about user behavior that enable us to optimize our website, products, and services to reflect user needs.

Google will under no circumstances associate the IP address transmitted by your browser within the operations of Google Analytics with other Google data.

You can prevent cookies from being stored by changing your browser settings accordingly. However, please note that in this case you may not be able to use the complete range of functions of this website to their full extent. Users can also prevent Google from recording and processing the data related to their website visit (including their IP address) generated by the cookies by downloading and installing the browser plugin for Google Analytics deactivation (available here). You can deactivate Google Analytics here: tools.google.com/dlpage/gaoptout

For more information on how Google Analytics collects and processes your personal data, see : www.google.com/policies/privacy/partners.

8. Your rights

8.1 Overview of your rights

You are under no obligation to provide us with your personal data. However, please note that if you do not, we may not be able to consider you in our services.

With respect to when and to what extent we use your personal data, you have the following rights in particular:

8.1.1 Right of access

You have the right to obtain information about the data stored by the controller, specifically concerning the purposes of the processing and the duration of storage (Art. 15 GDPR).

8.1.2 Right to rectification

You have the right to require the controller to rectify and/or complete any inaccurate or incomplete personal data concerning you in the data undergoing processing. Such rectification shall be performed by the controller without undue delay.

8.1.3 Right to restriction of processing

You have the right to require the controller to restrict processing of your data. This right particularly applies throughout the duration of processing in cases where you have contested the accuracy of the personal data and where you have the right to erasure of the personal data, but request restriction of processing instead. Further, restriction of processing applies in cases where we no longer need the data for the purposes of the processing but you require the data for the establishment, exercise or defense of legal claims, and where the exercise of an objection is a matter of dispute between you and the controller (Art. 18 GDPR).

8.1.4 Right to erasure

You have the right to require the controller to erase your personal data. Under this provision you may request erasure of your data in cases where the controller no longer needs the personal data for the purposes for which they were collected or otherwise processed; where the controller has unlawfully processed the personal data; where you have submitted a justifiable objection to the processing; where you have withdrawn your consent; or where a legal obligation to erase the data applies (Art. 17 GDPR).

8.1.5 Right to data portability

You have the right to receive the personal data concerning you and which you have provided to the controller––unless already erased ––in a structured, commonly used and machine-readable format (Art. 20 GDPR).

8.1.6 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 5 I 1 e or f (Art. 21 GDPR). The controller will no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or where the processing serves for the establishment, exercise or defense of legal claims. In cases where you object to use of your data for advertising purposes, the controller will desist from using your data for such purposes.

8.1.7 Right of withdrawal of data privacy consent statement

You have the right to withdraw your data privacy consent statement at any time. Withdrawal of consent does not affect the lawfulness of processing completed on the basis of consent which was granted prior to its subsequent withdrawal.

8.1.8 8.1.8. Right not to be subject to a decision based solely on automated processing, including profiling

You have the right not to be subject to a decision based solely on automated processing––including profiling––which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

is necessary for entering into, or performance of, a contract between you and the data controller;
is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests;
is based on your express consent.

However, such decisions shall not be based on special categories of personal data referred to in Article 9 I GDPR, unless Art.9 II a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. With respect to the cases referred to in (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and legitimate interests, and at minimum the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

8.1.9 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your current domicile, your place of work, or the location of the imputed infringement, if you consider that the processing of personal data relating to you constitutes an infringement of the GDPR. The authority with which the complaint is lodged informs the complainant of the progress and outcome of the complaint, including any available judicial remedy, in accordance with Art. 78 GDPR.

As at: December 2018