Privacy policy                                                                       Date: 24.05.2018

Version 1.18.21

Scope: This privacy policy applies to the following websites:

  • hughes-and-kettner.com
  • blog.hughes-and-kettner.com
  • musicandsales.com
  • mindprint.de
  • stamer-musikanlagen.com

 

I. Name and address of the data controller
II. Name and address of the data protection officer
III. General information about data processing
IV. Use of cookies
V. Newsletter
VI. Contact form and email address
VII. Website analysis using Google Analytics
VIII. Warranty registration
IX. Comment function in the blog
X. Google Fonts
XI. Cashback
XII. MIDI Board Campaign
XIII. Rights of the data subject

 

I. Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States of the EU as well as other data protection provisions is:

Music & Sales Professional Equipment GmbH

Tritschlerstrasse 3

66606 St. Wendel, Germany

Tel: +49 6851 905 0

Email: info@musicandsales.com

 

II. Name and address of the data protection officer

The data protection officer of the data controller is:

Thomas Schön

Email: datenschutz@musicandsales.com

 

III. General information about data processing

1. Scope of personal data processing

In principle, we only process personal data of our users to the extent necessary to offer a working website and our content and services. We only routinely process personal data of our users with the user's consent. This does not apply to cases where prior consent cannot be obtained for factual reasons and the processing of data is permitted by law.

2. Legal basis for the processing of personal data

The legal basis for data processing where we have obtained consent from the user is Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR).

Where the processing of personal data is necessary for the performance of a contract to which the user is a party, the legal basis will be Article 6 (1) (b) GDPR. This also applies to processing necessary to implement pre-contractual measures.

Where processing personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis for processing will be Article 6 (1) (c) GDPR.

Where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis for processing will be Article 6 (1) (f) GDPR.

3. Data erasure and length of storage

The personal data of the user will be deleted or blocked as soon as the data is no longer required for the purpose for which it was originally stored. In addition, such storage may be provided for by Union or national laws, regulations or other provisions to which the controller is subject. The data will also be blocked or erased upon expiry of the storage period prescribed by the laws and regulations specified above, unless there is a need to continue storing the data for purposes of contract conclusion or performance.

 

IV. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the browser or by the browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.

Here, we first use technically necessary cookies to make the website more user-friendly and more appealing to users. We use cookies to store and transmit the following data:

- Language settings

- Products in a shopping cart or on a wish list

- Login details

In addition, we use technically unnecessary cookies, which allow us to analyse the browsing behaviour of the user. These are limited to the cookies of the website analysis tool Google Analytics. For more information about technically unnecessary cookies from Google Analytics, please refer to the chapter on "Website analysis using Google Analytics" in this privacy policy.

2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Article 6 (1) (f) GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to facilitate the use of the website for the user. We would not be able to offer some functions and features of our website without the use of cookies. Cookies also help to recognise your browser again after you visited a different website.

4. Duration of storage, available remedies

Technically necessary cookies may be set from the beginning, i.e. also without the prior consent of the user. In this context, the user does not have the option to object.

 

V. Newsletter

1. Description and scope of data processing

On our website, we offer users the option to subscribe to a free newsletter, which contains promotional information, for example, about our company, products and brands. When users subscribe to our newsletter, the data is entered into an input mask and transmitted to us. We send this newsletter only after the users have subscribed by filling in the relevant form. Once the user has been added to the newsletter list, they will have to click on a link sent to them by email to reconfirm their email address ("double opt-in"). To demonstrate that we have followed this subscription process in accordance with legal requirements, we will collect the following data:

  • Email address
  • IP address
  • Date and time of subscription
  • Date of confirmation of the confirmation email

We use so-called newsletter tracking to determine how often a newsletter has been opened, and what links are clicked on and how frequently. We receive the following data:

  • Browser type and version used
  • Operating system
  • IP address
  • Information as to whether you opened the newsletter
  • Date and time when you opened the newsletter
  • Information about the links you clicked on

We use the provider MailChimp, Rocket Science Group, LLC, 675 Ponce De Leon Ave NE # 5000, Atlanta, GA 30308 USA, to send the newsletter and for newsletter tracking described below. For this purpose, all the user data specified under this point are stored by MailChimp on their servers in the US.

2. Legal basis for data processing

The legal basis for the use of your subscription data and the sending of the newsletter is Article 6 (1) (a) GDPR.

The legal basis for the use of MailChimp as a service provider for the dispatch of the newsletter as well as the use of newsletter tracking is Article 6 (1) (f) GDPR, as both are based on our legitimate interests. Our interest is to provide the user with a newsletter system that is secure, simple, and reflects the users' interests and can be further optimised on this basis. In this way, we can meet the information needs of the user and serve our own interests at the same time.

We contract out the newsletter sending and tracking under a data processing agreement within the meaning of GDPR, and we, therefore, remain responsible for user data. MailChimp is certified under the Privacy Shield between the EU and the US, thus guaranteeing compliance with EU data protection standards. MailChimp may use the data to improve its own service, for example, to optimise the technical delivery or to improve the presentation of newsletters. MailChimp will not use user data for contact purposes or disclose the data to third parties.

3. Purpose of data processing

The email addresses of users are used to deliver a newsletter.

We record login data to demonstrate that we have followed the subscription process in accordance with legal requirements

The purpose of statistical analysis and newsletter tracking analysis is to adapt the content of a newsletter to the reading habits of users and to make it more interesting for them.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. Accordingly, the email address of the user will only be stored as long as the subscription to the newsletter is active.

The other personal data collected will typically be erased after a period of seven days.

5. Available remedies

The user has the right to unsubscribe from the newsletter at any time by clicking on the unsubscribe link provided in every newsletter. This also has the effect of withdrawing the consent to the storage and use of other personal data collected.

It is not possible to cancel the newsletter subscription separately from the statistical analysis.

 

VI. Contact form and email address

1. Description and scope of data processing

We provide contact forms on our website, which can be used to contact us online. Where users take advantage of this option, the data they enter into the form will be transmitted to us and stored. These data include:

Mandatory:          

  • Department of the recipient
  • Subject
  • Email address
  • Country of origin
  • Message

Optional:                

  • Surname, first name
  • Telephone number
  • Street, postcode, place of residence

At the time of sending the message, the following data is also stored:

  • IP address of the user
  • Date and time of contact

To process the data, we obtain the consent from the user as part of the sending process and we refer the user to this privacy policy.

Alternatively, you can use the email address provided to contact us. In this case, the user's personal data transmitted by email will be stored.

The contact request will either be handled by us, as the data controller, or where it may serve the interests of the user better, by the international sales office for our brand, which is responsible for the domicile of the user. In this case, we will forward the inquiry to the relevant international sales office. The international sales offices are legally independent of us. International sales offices will only use the data of the user to process the contact request and not for advertising purposes or pass it on to third parties without the consent of the user.

2. Legal basis for data processing

The legal basis for the processing of data where the user has given consent to the processing is Article 6 (1) (a) GDPR.

The legal basis for the processing of data transmitted when an email is sent is Article 6 (1) (f) GDPR.

If we forward data as described in point 1 to international distributors outside the EU for processing, we will conclude contracts to ensure that your data is processed in accordance with the EU data protection legislation.

3. Purpose of data processing

We process the data entered into the contact form solely to process the communication. In the event of contact by email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. For personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation ends when the circumstances indicate that the matter in question has been definitely resolved.

The additional personal data collected during the sending process will be deleted at the latest after seven days.

5. Available remedies

Users are entitled to withdraw their consent to the processing of personal data at any time. Users can use email to contact us and object to the storage of their personal data. In this case, the parties will no longer be able to engage in further communications. In both cases, an informal notice of withdrawal via the respective contact path will suffice. All personal data stored when communicating with us will be erased as a result.

 

VII. Website analysis using Google Analytics

1. Description and scope of data processing

This website uses Google Analytics, a website analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. This facilitates the assignment of data, sessions and interactions across several devices to a pseudonymous user ID and thus the analysis of a user's activities across devices.

To do this, Google Analytics uses cookies, which are small text files stored on your computer that facilitate the analysis of the way users use the website. The information generated by the cookie about the use of the website will typically be transmitted to and stored by Google on servers in the US.

By using IP anonymisation on this website, the IP address of the user will be truncated and, therefore, anonymised within Member States of the European Union or other parties to the Agreement over the European Economic Area. Only in exceptional cases will the full IP address be transmitted to Google servers in the United States and truncated there.

Google will not associate the IP address of the user transmitted by Google Analytics with any other data held by Google.

Google will use this information on behalf of the data controller of this website for the purpose of evaluating the use of the website, compiling reports on website activity for website operators and providing them other services relating to website activity and internet use.

2. Legal basis for data processing

The legal basis for the use of Google Analytics is Art. 6 (1) (f) of the General Data Protection Regulation (GDPR). The purposes of data processing under point 3 also reflect the legitimate interest of the data controller for the data processing.

3. Purpose of data processing

The technically unnecessary analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is used and enable us to constantly improve the content of our website. For this purpose, we analyse the use of the website and compile reports on website activities.

4. Duration of storage

The data linked to cookies, user identification (e.g. user IDs) or advertising IDs sent by the data controller will be automatically erased after 14 months. When data reaches the end of the retention period, it is deleted automatically on a monthly basis. For more information about terms of use and data protection, please visit https://support.google.com/analytics/answer/6004245?hl=en

5. Available remedies

Users can refuse the use of cookies by selecting the appropriate settings in their browsers. However, please note that if you do this you may not be able to use the full functionality of this website. Furthermore, users can prevent the collection of data generated by the cookie about the use of the website (including your IP address) and its processing by Google by downloading and installing the Google Analytics Opt-out Browser Add-on.

The opt-out cookies prevent future collection of user data when visiting this website. To prevent the collection of data across multiple devices, users have to opt-out on all the systems they use. Click here to install the opt-out cookie.

 

VIII. Warranty registration

1. Description and scope of data processing

We offer our customers a free manufacturer's warranty on many of our products. To qualify, customers/users have to register the product on our website.

The collection of the following data is mandatory:

  • Purchase date
  • Product name and serial number
  • The name of the dealer from which the product was purchased, including location and country details
  • Surname, first name, street, postcode, place of residence, country of the customer
  • Email of the customer

In addition, the user can opt to provide the following information:

  • Purchase price
  • Contact details of the dealer (seller, telephone number, street, postcode)
  • Company/ organisation of the customer

At the time of sending the message, the following data is also stored:

  • IP address of the user
  • Date and time of registration

To process the data, we obtain the consent from the user as part of the sending process and we refer the user to this privacy policy.

2. Legal basis for data processing

The legal basis for the processing of data transmitted by users when they enter into a guarantee agreement is Article 6 (1) (f) GDPR.

3. Purpose of data processing

The data transmitted by the user will be used by the data controller to meet its obligations under the guarantee agreement. This includes information to identify the product, information about the warrantee (i.e. the user), the dealer and about the date of registration.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. This is the case when the warranty agreement with the user has ended, i.e. after the end of the warranty period.

5. Available remedies

Users are entitled to withdraw their consent to the processing of personal data at any time. Users object to the storage of their personal data informally by sending an email (datenschutz@musicandsales.com) or in writing to the data controller. In such a case, the data controller can no longer be bound by the guarantee agreement as it no longer has any information about the registered product or the warrantee. All personal data stored in connection with the guarantee agreement will be erased in this case.

 

IX. Comment function in the blog

1. Description and scope of data processing

The user can comment on a blog post on our website or publicly respond to other users' comments.

The collection of the following data is mandatory:

  • Name or nickname of your choice as author of the comment
  • Email address
  • Content of the comment

At the time of sending the message, the following data is also stored:

  • IP address of the user
  • Date and time of registration

To process the data, we obtain the consent from the user as part of the sending process and we refer the user to this privacy policy.

When other users respond to the comment, the user will be notified using the specified email address. Where the user wishes to contact the data controller using the comment function, the data controller may use the email specified by the user to contact him or her.

2. Legal basis for data processing

The legal basis for data processing where we have obtained consent from the user is Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR).

3. Purpose of data processing

The name or nickname is collected to identify the comment. The collection of the email address serves to obtain information about responses to the user's comment and for communication purposes by the data controller.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected. This is the case when the commented blog post is deleted by the data controller of the website.

5. Available remedies

Users are entitled to withdraw their consent to the processing of personal data at any time. Users object to the storage of their personal data informally by sending an email (datenschutz@musicandsales.com) or in writing to the data controller. In such a case, the user's comments and all submitted data will be erased.

 

X. Google Fonts

This website uses external fonts, so-called Google Fonts, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When a website containing text formatted with Google Fonts is opened, a connection is established to a server, typically a Google server in the US. As a result, the information about the websites the user visits, the IP address of the browser of the device of the visitor of these websites is transmitted to the server and stored by Google. If the browser does not support or prevents access to Google Fonts, the text will be displayed in a default font.

No cookies are sent by website visitors when the page is accessed. Data transmitted in connection with a page request are sent to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com. They are kept separate from data collected or used in connection with the parallel use of other Google services that are authenticated, such as Gmail.

2. Legal basis for data processing

The legal basis for the use of Google Fonts is Article 6 (1) (f) GDPR. The legitimate interest is based on the purpose of data processing set out in point 3.

3. Purpose of data processing

We use Google Fonts for aesthetic reasons to improve and unify the overall look of the website, making it more sophisticated and to enhance its appeal.

4. Available remedies

You can set your browser to prevent the loading of fonts from Google servers (for example, by using add-ons such as NoScript or Ghostery). If your browser does not support Google Fonts or you block access to Google servers, the text will be displayed in the system's default font.

For information about the privacy policy of Google Fonts, please visit: https://developers.google.com/fonts/faq#Privacy

For general privacy information, please visit the Google Privacy Centre at: http://www.google.com/intl/de-DE/privacy/

 

XI. Cashback

1. Description and scope of data processing

As part of separate cashback campaigns, we offer customers a refund equal to an amount advertised by us if they provide us with information about the purchase of the qualifying product under the terms of participation. We as the data controller request the following data for this purpose:

  • Name of the qualifying product
  • Purchase date
  • Serial number
  • Scan of the receipt
  • The name of the dealer from which the product was purchased, including country details
  • Surname, first name, street, postcode, place of residence, country of the customer
  • Email of the customer
  • Bank details (IBAN, BIC)

In addition, the user can opt to provide the following information:

  • Use of the qualifying product

At the time of sending the message, the following data is also stored:

  • IP address of the user
  • Date and time of registration

2. Legal basis for data processing

The legal basis for the processing of data transmitted by the user when entering in a contract for the repayment of the cashback amount is Article 6 (1) (b) GDPR.

3. Purpose of data processing

The data provided by the user is used by the data controller to fulfil its obligations under the contract for the cashback payment. This includes information to identify the product, information about the cashback recipient (i.e. the user) and his or her bank details for payment of the cashback amount, information about the dealer and about the date when the user took part in the promotion.

4. Duration of storage

The data will be erased as soon as it is no longer required for the purpose for which it was originally collected to the extent that this does not conflict with statutory retention requirements. Where the data is subject to the statuary retention periods, it will be deleted after the end of the retention period.

5. Available remedies

Users are entitled to withdraw their consent to the processing of personal data at any time. Users may object to the storage of their personal data informally by sending an email (datenschutz@musicandsales.com) or in writing to the data controller. Depending on the timing in such a case, the data controller can no longer be bound by the cashback agreement as it no longer has any information about the registered product or the cashback recipient. All personal data stored in connection with the guarantee agreement will be erased in this case. If the cashback has already been paid out, the user can only object to the processing of personal data if this does not conflict with a statutory retention period (see point 4).

 

XII. MIDI Board Campaign

1. Description and scope of data processing


We are affording customers the opportunity to purchase a certain product and receive a matching MIDI Board free of charge as part of a limited-time promotional offer. As the controller, we are asking for the following mandatory data:

• Date of purchase
• The model of promoted product
• The serial number
• A photograph of the proof of purchase
• The name and country of the dealer from which the product was purchased
• The customer’s last name, first name, street address, postal code, city, and country of residence
• The customer’s email address
The customer has the option of providing information in response to the following question:
• "How did you learn about the campaign?"
The following data will also be stored when the message is sent:
• The IP address
• The date and time of registration


2. Legal basis for data processing

The legal basis for processing data transmitted by the user in the course of concluding a contract for a MIDI Board give-away is set out in Art. 6 Para. 1 lit. b GDPR.
The legal basis for processing responses to the optional statement "How did you learn about the campaign" is set out in Art. 6 Para. 1 lit. f GDPR.


3. Purpose of data processing

Data transmitted by the user allows the controller to conclude a contract for a MIDI Board give-away. It serves to identify the contracting party, the name and postal address to which the MIDI board is to be sent, the product and its eligibility for the give-away, the dealer, and the date of participation in this promotion. The email address serves to confirm the user’s registration and, if need be, ask follow-up questions.
The optional information provided in response to the question "How did you learn about the campaign?" serves to analyze communication channels and monitor the campaign.


4. Recipients or categories of recipients of the personal data

The first name, last name and postal address will be forward to the given delivery service.


5. Duration of storage

Data will be deleted as soon as it is no longer necessary for the purposes for which it was collected and no statutory retention periods preclude its erasure. Should such statutory retention periods apply, data will be deleted upon their expiration.


6. Possibility of objection and erasure

The user has the possibility of objecting to the processing of personal data at any time. The user may contact the controller by email (datenschutz@musicandsales.com) or by conventional mail to object to the storage of his or her personal data at any time. In this case and depending on the date of objection, the contract for the MIDI Board give-away will be discontinued, as the controller will no longer be privy to knowledge about the registered product and the individual taking advantage of this promotional offer. All personal data stored in the course of the contract will be deleted. Once the MIDI Board is sent, the contracting party may only object to the processing of personal data in the absence of a statutory retention period (see 5).

 

XIII. Rights of the data subject

1. Right to information

The user has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

Where that is the case, the user may request the following information from the data controller:

  1. the purposes of the processing of personal data;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  4. the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the user or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The user has the right to request information as to whether the personal data concerning him/her are transferred to a third country or to an international organisation. In this regard, the user has the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

The user has the right to have inaccurate and or incomplete personal data rectified and/or completed by the controller without undue delay.

3. Right to restriction of processing

The user has the right to obtain from the controller restriction of processing of personal data where one of the following applies:

  1. the accuracy of the personal data is contested by the user, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the user opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defence of legal claims, or
  4. the user has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the user.

Where processing of the user's personal data has been restricted, such personal data shall, with the exception of storage, only be processed with the user's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing has been restricted under the above conditions, the user shall be notified by the controller before the restriction is lifted.

4. Right to erasure

a) Erasure obligations

The user has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase this data without undue delay where one of the following grounds applies:

  1. The personal data concerning the user are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. The user withdraws consent on which the processing is based according to Article 6 (1) (a), or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing.
  3. The user objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the user objects to the processing pursuant to Article 21 (2) GDPR.
  4. The personal data concerning the user have been unlawfully processed.
  5. The personal data concerning the user have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data concerning the user have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

b) Third-party notification obligation

Where the controller has made the personal data public and is obliged pursuant to Article 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the user has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exemptions

The right to erasure does not apply to the extent that processing is necessary

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.

5. Right to receive notifications

If the user has exercised his or her rights with respect to rectification or erasure of personal data or restriction of processing, the controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

The user is entitled to receive information about those recipients from the controller.

6. Right to data portability

The user has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to Article 6 (1) (a), or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR, and
  2. the processing is carried out by automated means.

In exercising this right, the user also has the right to have the personal data transmitted directly from one controller to another, where technically feasible. These rights shall not adversely affect the rights and freedoms of others. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

The user has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data of the user unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the user or for the establishment, exercise or defence of legal claims.

Where personal data concerning the user are processed for direct marketing purposes, the user will have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the user objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the user may exercise his or her right to object by automated means using technical specifications.

8. Right to withdraw consent to data processing

The user has right to withdraw his or her consent to data processing at any time. The withdrawal of consent will not affect the lawfulness of the processing based on consent before the withdrawal.

9. Automated individual decision-making, including profiling

The user has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision

  1. is necessary for entering into, or performance of, a contract between the user and the data controller,
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the user's rights and freedoms and legitimate interests, or
  3. is based on the user's explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9 (1) GDPR, unless point (a) or (g) of Article 9 (2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the user has the right to lodge a complaint with a supervisory authority, in particular, in the Member State of the user's habitual residence, place of work or place of the alleged infringement if the user considers that the processing of personal data relating to him or her infringes GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.