Legal Data privacy

Information about data protection and security

​

Introduction

BOMAG GmbH (subsequently referred to as BOMAG) appreciates your interest in our products and your visit to this website. Data protection and data security for customers and users have always had a high priority for BOMAG. This is why protecting your personal data throughout the entire business process is very important to us.

BOMAG Americas, Inc.
125 Blue Granite Parkway
Ridgeway, SC 29130​

The party responsible within the definition of the General Data Protection Regulation and other data protection regulations is:

BOMAG GmbH
Hellerwald, 56154 Boppard, Germany
Phone: +49 6742 100-0
Fax: +49 6742 100 3090
E-mail: info@bomag.com
Website: www.bomag.com

Legal representatives: Ralf Junker, Dirk Woll, and Robert Laux

Contact details: see above

2. Name and contact details of the Data Protection Officer

Data Protection Officer of the responsible processor is

Andreas Mallmann,
c/o BOMAG GmbH, Hellerwald, 56154 Boppard, Germany
Phone: +49 6742 100-0
Fax: +49 6742 3090
E-mail: datenschutz.de@bomag.com

3. Scope of processing of personal data; purpose of processing

3.1. Accessing our website and creating log files

3.1.1 Description of data processing and storage
Every time our website is accessed, our system automatically collects data and information from the computer system of the requesting user.

The following data is collected in the process:

• User’s IP address

• Notification as to whether retrieval was successful

The country from which the user accesses our website is determined on the basis of the IP address recorded. This serves to display the corresponding country and language version of the website (German/English). For this purpose, the IP address is truncated to the first 6 digits and analysed using a Geo IP database; the country through which the user accesses the website is thus determined. A country code is assigned to this country, which is then stored in the log files instead of the IP address.

The other data listed above is deleted from the log files of the system after 7 days, unless further processing is necessary to protect our legitimate interests in exceptional cases (e.g. to arrange for the blocking of IT addresses, filing of a criminal complaint). The data is then deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.

Storage and/or compilation of this data with other personal data of the user does not take place.

3.1.2 Purpose and legal basis of data processing

The data specified in a) is collected

• to enable the website to be delivered to the user’s computer. The legal basis for this is set out in Article 6(1)(f) of EU General Data Protection Regulation (GDPR). The temporary registration of the IP address to display the pages accessed by the user is technically necessary for this and represents a legitimate interest on the provider´s part in terms of Article 6(1)(1)(f) of GDPR, which is not opposed by any overriding interests of the user.

• to ensure the security of our web server and trouble-free operation of our website including the Webshop system, e.g. recording failed login attempts, monitoring to avoid or detect hacker attacks; these purposes represent a legitimate interest on the provider´s part in terms of Article 6(1)(1)(f) of GDPR, which is not opposed by any overriding interests of the user.

3.1.3 Disclosure/recipient of the data

The collected data is stored on our server.

The data collected in accordance with a) is not passed on to third parties unless this is necessary in the case of attacks on our IT (see b) above), for example, in the context of reporting a criminal offence to the prosecuting authorities.

3.1.4 Right of objection

The temporary acquisition of the user’s IP address is essential for the provision of the website and the storage of data in log files for the operation of the website. Consequently, the user does not have the right to object. In all other respects, the user has the right to object to the processing at any time for reasons arising from his/her particular situation; see further information in section D.

3.2 Contact by e-mail by the user

3.2.1 Description of data processing and storage

You can write to us at the e-mail address provided in the “Contact us” section. In this case, the personal data transmitted by e-mail is processed by us. The data is used to answer your request. If you provide us with your name and postal address, we process this data in accordance with section C 3 (postal advertising).

The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. If the request relates to a contract that has been concluded or is under negotiation, the contents and times of communication are stored until any claims arising from these have lapsed.

In other cases, the personal data from your e-mail request is restricted for further processing and only used to defend against any legal claims that may arise once the respective conversation with you has ended. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been clarified in full. After the expiry of the limitation period, the data is deleted.

3.2.2 Purpose & legal basis of data processing

Your e-mail address and any other data you provide is stored to respond to your enquiry.  The legal basis for this is set out in Article 6(1)(f) of GDPR. If the aim of contact is to conclude a contract, the additional legal basis for processing is Article 6(1)(b) of GDPR.

3.2.3 Disclosure

In this context, the data is not passed onto third parties but used exclusively for processing and answering the contact request. We use our own web server and IT system to transmit the contact request and its processing.

3.2.4 Right of objection and deletion

You may object to the use of your personal data at any time. In this case, the conversation cannot be continued. Section D then also applies.

3.3 Postal advertising

3.3.1 Description of data processing, storage, purpose and disclosure

If you provide us with your name and postal address, we store them for possible future postal advertising (letters) of our products. If necessary, the data may be made available to an external service provider during franking and dispatch. This provider acts in accordance with our instructions and on our behalf and is based in the European Union. Data is not otherwise disclosed to a third party. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected or if you have objected to its processing.

3.3.2 Legal basis of data processing; right of objection

The legal basis for the data processing defined in a) is Article 6(1)(f) of GDPR. Sending you product information by post is a legitimate interest of our company. You may object to this use of your personal data at any time. In this case, we will cease to send you postal advertising. Section D then also applies.

3.4 Registration for the BOMAG Parts Webshop

3.4.1 Description of data processing and storage

The BOMAG Parts Webshop is aimed solely at business clients and legal entities. Before using the service, it is necessary to register electronically for a customer account via the registration page provided. The fields marked as mandatory must be completed so that we can check registration requests, including whether the applicant is actually a company or a legal entity.

Mandatory information includes:

• Company name/name of the legal entities

• Contact and phone number

• A valid e-mail address

• Billing address and delivery address, if different

• VAT ID

• Password for the customer account

To verify your e-mail address and registration request, we automatically send an e-mail to the address provided before checking the information. You are then asked you to confirm your registration request and verify the accuracy of data provided. If this registration request is not confirmed within 7 days, your login data is deleted.

If you confirm your registration request, we record and save the date and time of the confirmation.

Upon receipt of confirmation, we check whether the applicant really is a company or a legal entity. Since parts are subsequently supplied from our Webshop before payment, a credit check is conducted for companies. For this purpose, information is obtained from Creditreform Koblenz Dr. Rödl & Brodmerkel KG, Rizzastr. 49, 56068 Koblenz. This requires us to provide your company name and registered business address. We then view and assess the information. A decision is not made automatically.

You subsequently receive the result of the registration verification by e-mail. We also process your company name/the name of your legal entity and your postal address in accordance with item C 3 (postal advertising). If we reject your registration request, the data collected is deleted immediately.

In the event of successful registration, we process the data collected during registration in accordance with C 6 (customer account).

3.4.2 Purpose and legal basis of data processing

The mandatory data supplied in the registration process and any other data you may have provided is stored to check the requirements for registration, conduct the credit check, see a) above, inform you of the decision, and to create the customer account. The legal basis for this is set out in Articles 6(1)(b) and (1)(f) of GDPR.

The truncated IP address and the time the registration confirmation is sent is stored for the purpose of verifaying your registration and, if necessary, clarifying any possible misuse of your data. The legal basis for the processing of this data is Article 6(1)(f) of GDPR.

3.4.3 Disclosure/recipient of the data

For the execution of the credit check, we disclose your company name and address to the credit agency named under a). The information on data processing pursuant to Article 14 of GDPR, which is provided by the credit agency, can be found at www.creditreform-koblenz.de. The data is not disclosed in any other respect. We use our own web server IT system to transmit of the registration request and its processing.

3.4.4 Right of objection

Please notify BOMAG Americas via email at marketing.ba@bomag.com to stop receiving emails. It may take up to 30 days to be removed from the email list. 

3.5.1 Description of data processing

To place an order via our Webshop, you must first log into your customer account. The data you provided when registering and creating the account is then used automatically to complete the order details. You can enter a new delivery address and select the preferred shipping method (standard/express shipping). The new delivery address is then saved to your customer account. You then have the option to confirm you would like to order the items or make any necessary changes. These procedures are free of obligation. By clicking on the “pay order” button, the order is sent to BOMAG and concludes a binding purchase contract. We immediately confirm receipt of your order electronically and store the order in your customer account. We also record and store the date and time your order is received.

We inform you electronically with regard to the acceptance or rejection of the order.You have the option to track the dispatch status and progress of your items via your customer account.

3.5.2 Storage

For commercial and tax regulation related reasons, we are obliged to store your address, payment, and order data for a period of 10 years. After the regular limitation period following the conclusion of the sales contract expires, your data will be restricted for further processing and only used to defend against any legal claims that may arise, and for compliance with legal obligations. This does not apply to data collected in accordance with C 3 (postal advertising) and data stored in the customer account. You may delete this in the customer area; see the following information on the customer account in C 6.

If we do not accept your order, the data is deleted within 3 months.

3.5.3 Purpose and legal basis of data processing

The purpose of storing the dispatch time is to verify your order and, if necessary, to clarify any possible misuse of your personal data. The legal basis for the processing of this data is Article 6(1)(f) of GDPR. Personal data is processed during the verification and execution of the order for the following reasons:

• To be able to identify you as the ordering party

• To be able to check acceptance of the order

• If necessary, to clarify any existing queries relating to the ordered products

• To be able to deliver the purchased goods

• For invoicing

• To process any warranty and other legal claims you may assert against us

• To assert any claims against you

• The legal basis for data processing is Article 6(1)(b) of GDPR.

3.5.4 Disclosure; recipient

We use our own web server and IT system to process your order. We notify our shipping provider / forwarding company of the specified delivery address for the purpose of delivering the order. No personal data is otherwise disclosed to a third party.

3.5.5 Right of objection and deletion

You may object to the storage of the time of order dispatch at any time; see section D.

3.6 Customer account

3.6.1 Description of data processing and storage

With a customer account, it is possible to store the data of your company / legal entity for future orders via our Webshop, enabling them to be handled quickly. The data provided when requesting registration, new delivery addresses and all orders, the last login time and the BOMAG machines you select are all stored in this account.

This data is deleted if more than 2 years elapse since the last login. In all other respects, the data can be removed by deleting the customer account. Logging into the customer account is required for this. Deleting the account does not delete the data stored in our application system for concluded purchase contracts. In this respect, C 5 shall apply.

3.6.2 Purpose and legal basis of data processing

Creating and saving a customer account allows orders to be placed quickly and simply, as the ordering party’s data does not need to be re-entered. This also enables BOMAG to ensure effectively that the order originates from a company or legal entity under public law, as we only operate a B2B shop. The legal basis for the processing of this data is Article 6(1)(f) of GDPR.

3.6.3 Disclosure/recipient of the data

The data is not passed onto third parties. We use our own web server and IT system to store customer accounts and related processing.

3.6.4 Right of objection and deletion

You may object to the storage and processing of the data in your customer account at any time and/or request its deletion or delete it yourself by logging into the customer account. Subsequent orders of spare parts via our Webshop will then no longer be possible.

3.7 Cookies

3.7.1 Anonymous data collection

When you visit our websites, our web server records the domain name or IP address of the computer accessing the site as well as the access date, file query of the client (file name and URL), the HTTP answer code, and the website from which you are visiting us as well as the number of bytes transferred during the connection. We save information in the form of cookies so that we can optimize our website according to your preferences.

A “cookie” is a small data file, which is transferred to your computer when you browse our website. A cookie can only contain information which we ourselves send to your computer – it cannot read your private data. Accepting cookies used on our site does not give us access to your private information, but we may use the cookies to identify your computer. We use cookies for the following purposes:

• To ensure you can manage the orders in your shopping basket during the session

• To enable us to recognize you the next time you visit our site, so that we can restore the default settings in your shopping basket

• To enable us to tailor our site to your needs more closely.

• To display information (payment method and supplier, delivery country).

We use “session oriented” cookies: They do not remain on your computer. When you leave our sites, the temporary cookie is deleted. The information collected enables us to analyse usage patterns and the structure of our website. As a result, we can continuously optimise our website by improving contents or personalisation as well as simplify its usage.

Most browsers accept cookies by default. The security settings allow you to individually allow or block temporary and permanent cookies. If you disable cookies, certain features on our site may not be available, and some websites may not display correctly.

Temporary cookies must be enabled to use our shopping basket! If you cannot or are unwilling to accept cookies, you may also place your order by phone or fax.

The data saved in our cookies is not linked to your personal details (name, address, etc.) without your express consent.

3.7.2 Usage of third party software

Embedded YouTube videos

We embed YouTube videos on some of our pages. The operator of the relevant plug-in is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit a page containing the YouTube plug-in, a connection with YouTube servers will be established. This notifies YouTube which pages you are visiting. If you are logged into your YouTube account, YouTube will be able to match your surfing behaviour to you personally. You can prevent this by logging out of your YouTube account beforehand. When a YouTube video starts, the provider deploys cookies to collect indications of user behaviour. If you have deactivated cookies for the Google Ad Programme, no such cookies will be created when you watch YouTube videos. However, YouTube also stores non-personal user information in other cookies. If you wish to prevent this, you will need to deactivate the storage of cookies in your browser.

Additional information Google’s privacy policy can be found at: https://policies.google.com/privacy.

3.7.3 Description of data processing, purpose, recipient, and disclosure

Our website uses cookies to enable the use of the Webshop (e.g. assignment of selected articles to a specific user using a session ID assigned by cookie) and to optimise the use of the Webshop using settings selected by the user (e.g. storage of the language selection / display options by cookie). Further details on cookies can be found in the table below. Some functions of our website only work with cookies.

We use the following cookies:

• Http only secure cookie

  • Function: Assigns a session ID to the user on calling up the site

  • Technically required: Yes

  • Validity: End of the session

  • Saved data: Session ID

• IPP_User_Settings

  • Function: Saves selected user settings in the Spare Parts Catalogue

  • Technically required: No

  • Validity: 365 days

  • Saved data: Layout settings in the Spare Parts Catalogue

• JSESSIONID

  • Function: Webshop: Assignment of activities (item selection to a user)

  • Technically required: Yes

  • Validity: End of the session

  • Saved data: Items selected in the Spare Parts Catalogue that have been placed in the shopping basket

• Layout cookie

  • Function: Saves user layout settings

  • Technically required: No

  • Validity: 365 days

  • Saved data: GUID the layout as a value

• PHPSESSID

  • Function: Session saved to use PHP elements

  • Technically required: Yes

  • Validity: End of the session

  • Saved Data: SessionID
    For example: “647n9e75mvd2mnjjes89oo614qjnhj63”

• KX_CMS

  • Function: Saves the country code and language

  • Technically required: No

  • Validity: 1 day

  • Saved data: Selected setting
    For example: “647n9e75mvd2mnjjes89oo614qjnhj63”

• NOTRACKING

  • Function: Stores whether tracking is required or not

  • Technically required: No

  • Validity: 365 days

  • Saved data: Option field set in the data protection section
    For example: “TRUE”

• DNTSHOWN

  • Function: Saves information on whether the cookie information layer has already been displayed

  • Technically required: No

  • Validity: End of the session

  • Saved data: Display of the cookie layer

A list of all the cookies used by the tracking tool “eTracker” can be found here.
More information on the subject of tracking can be found in section 8.

Cookies are text files that are stored in or by the internet browser on your computer system when you visit our website. The cookie contains a characteristic string of characters that enables a unique identification of the browser when the website is revisited or after a page change (call up of different sub-pages).

The user data collected by cookies is not used to create user profiles. No information from the cookies is passed onto third parties.

3.7.4 Legal basis of data processing

The legal basis for processing personal data using the above mentioned cookies is Article 6(1)(f) of GDPR, supplemented by Article 6(1)(b) of GDPR, insofar as an order is placed via our Webshop.

3.7.5 Duration of storage, right of objection and deletion

Cookies are saved on the user’s computer. The cookies we use have the “lifetime” (period of validity) stated in the table. After this period, they cease to work. Since the cookies are stored on your terminal device, you as a user have the option of restricting the use of cookies or deleting them. You can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website in full. It is not possible for us to delete cookies that have been set from your terminal device, or to automatically save the information that you do not wish to receive cookies in future when you visit our site.

3.8 Tracking tools

Data for marketing and optimisation purposes is collected and saved on this website using technologies from etracker GmbH (www.etracker.com). This data can be used to create user profiles under a pseudonym.

etracker
The provider of this website uses services from etracker GmbH from Hamburg, Germany www.etracker.com to analyse usage data. When visitors provide their explicit consent, cookies are used, which enable a statistical analysis of the use of this website by visitors as well as the display of use-related content or advertising. Cookies are small text files that are stored on the user’s terminal device by the internet browser. etracker cookies contain no information that enables user identification.

Data generated by etracker is processed and saved by etracker exclusively in Germany on behalf of this website´s provider; consequently, this data is subject to strict German and European data protection laws and standards. In this respect, etracker has been checked independently, certified and awarded the data protection seal of quality ePrivacyseal.

Data processing is conducted on the legal basis of Article 6(1)(a) (consent) of the EU General Data Protection Regulation (GDPR) to optimise our online offer and website. Since our visitors´ privacy is particularly important to us, the IP address is anonymised at etracker as soon as possible, and login or device IDs are also converted by etracker into a unique key that is not assigned to a person. etracker neither uses the data, collates it with other data, nor discloses it to any third parties.

The data collected with etracker technology is not used to identify a visitor of the website or aggregated with personal data without the visitors´ explicit consent. The collection and storage of data may be refused by at any time, at which point no further data is collected.

Your consent may be revoked at any time. This has no adverse consequences for you.

Further information on data protection at etracker can be found here.

3.9 External links

Some links on our site refer to websites hosted by third parties. Unless readily apparent, BOMAG indicates that such links are external. BOMAG has no influence on the contents or design of websites offered by external suppliers. For this reason, the data protection declaration does not apply in such cases.

4. Rights of the data subject

As the data subject, you have a right to free information about the data stored by us about your person and, if applicable, a right to correction, restriction of processing, deletion, information of third parties, data transferability, objection, revocation of a data protection consent granted, non-execution of automatic decisions and/or complaint to the responsible data protection supervisory authority. You can find more details on this in the following information.

If you have any questions regarding data processing or the exercise of your rights, you can contact us, the controller, or our Data Protection Officer; see the contact information under A. and B. of this text.

4.1 Right to information

If we process your personal data, you have the right to request information from us, the controller, free of charge as to whether we process your personal data. If this is the case, you, the data subject, have a right to obtain information about this personal data and the following information:

• The purposes for which the personal data is processed

• The categories of personal data processed

• The recipients or categories of recipients to whom the personal data concerning you has been or is still being disclosed

• The planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period

• The existence of a right to have your personal data concerning you corrected or deleted; a right to have processing restricted by the controller or a right to object to such processing

• The existence of a right of appeal to a supervisory authority

• Any available information about the origin of the data if the personal data is not collected from you, the data subject

• The existence of automatic decision-making, including profiling in accordance with Article 22(1) and (4) of GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing for you, the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Article 46 of GDPR, in connection with the transmission.

4.2 Right to correction

You have the right to correct and/or complete any personal data processed concerning you that is incorrect or incomplete.

4.3 Right to restriction of processing

You may request that the processing of personal data concerning you be restricted if one of the following conditions is met:

• If you dispute the accuracy of the personal data concerning you, the processing of the data will be restricted for the duration that enables us, the controller, to check the accuracy of the personal data

• The processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted

• We, the controller, no longer require personal data for the purposes of processing, but you do need them to assert, exercise or defend legal claims, or

• If you have filed an objection against the processing pursuant to Article 21 of GDPR and we, the controller, examine the legality of the request. As long as it is not yet clear whether the legitimate reasons of the party responsible outweigh your reasons, processing of the data will be restricted.

If the processing of personal data concerning you has been restricted, such data may only be processed, apart from being stored, with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us, the controller, before the restriction is lifted.

4.4 Right of deletion

4.4.1 Obligation to delete

You may request that the personal data concerning you be deleted immediately by us, the controller; in this capacity, we will be obliged to delete such data immediately if one of the following reasons applies:

The personal data concerning you is no longer necessary for the purposes for which they were collected or otherwise processed.

• You revoke your consent upon which processing is based pursuant to the Article 6(1)(a) or (9)(2)(a) of GDPR, and no other legal basis exists for processing.

• You file an objection against processing pursuant to Article 21(1) of GDPR and there are no overriding legitimate reasons for processing, or you file an objection to processing pursuant to Article 21(2) of GDPR.

• The personal data concerning you has been unlawfully processed.

• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.

• The personal data concerning you has been collected in relation to information society services offered pursuant to the Article 8(1) of GDPR.

4.4.2 Information to a third party

If we, the controller, have made the personal data concerning you public and we are obliged to delete it pursuant to Article 17(1) of GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for processing the personal data that you, as the data subject, have requested the deletion of all links to this personal data or of copies or replications of this personal data.

4.4.3 Exceptions

The right to deletion and informing of third parties does not apply insofar as the processing is necessary

• to exercise freedom of expression and information;

• to fulfil a legal obligation required for processing under the law of the Union or of the Member States to which we are subject, the controller, or to perform a task in the public interest or in the exercise of official authority conferred upon us, the controller.

• for reasons of public interest in the field of public health pursuant to the GDPR, Article 9(2)(h) and Article 9(3) of GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to the Article 89(1) of GDPR, insofar as the law referred to under a) is likely to render impossible or seriously impair the attainment of the objectives of such processing, or

• to assert, exercise or defend legal claims.

Right to information
We shall notify all recipients to whom personal data relating to you has been disclosed of any correction, deletion or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients by us, the controller.

Right to data transferability
You have the right to receive the personal data concerning you that you have provided to us, the controller, in a structured, conventional and machine-readable format. Furthermore, you have the right to transmit this data to another person in charge without hindrance by us, the party responsible to whom the personal data was given, provided that

• processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or a contract pursuant to Article 6(1)(b) of GDPR, and

• processing takes place by means of an automatic procedure.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly by us, the controller, to another responsible party, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to transferability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on us, the controller.

Right of objection
You have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is carried out on the basis of Article 6(1)(e) or (f) of GDPR; this also applies to profiling based on these provisions. As the controller, we will cease to process the personal data concerning you, unless we can provide compelling reasons for its processing worthy of protection, which outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims. If the personal data concerning you is processed for direct advertising purposes, you have the right to object at any time to the processing of such data for the purpose of advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct advertising purposes, personal data concerning you will cease to be processed for these purposes. You may exercise your right of objection in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. This does not affect the legality of the processing carried out on the basis of consent until revocation.

Automatic decision in individual cases, including profiling.
You have the right not to be subject to a decision based exclusively on automatic processing, including profiling, which legally affects you or significantly affects you in a similar manner.

This does not apply if the decision is

• necessary for the conclusion or performance of a contract between you and us, the controller;

• admissible under Union or Member State law to which we, the controller, are accountable and which contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or

• made with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of GDPR, unless Article 9(2)(a) or (g) shall apply and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

If a case under a) or c) exists, we, the controller, shall take appropriate measures to safeguard your rights, freedoms, and legitimate interests, including at least the right to obtain the intervention of a person on our behalf as the controller, to state our own position and challenge the decision.

Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right of appeal to a supervisory authority, in particular, in the Member State where you are staying, working or where infringement is suspected, if you are of the opinion that the processing of personal data concerning you breaches the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under GDPR, art. 78.