NovaSOL® ADEK VITAMINS

REGISTERED OFFICE

Register court: Darmstadt
Register number: HRB 85335

VAT-NO.

Value added tax identification number according to §27 a VAT law:
DE 173034404

Responsible for the content according to § 55 Abs. 2 RStV:
Dipl.-Kfm. Frank Behnam
Birkenweg 8-10
64295 Darmstadt/Germany

Webdesign & Coding: KraenkVisuell

DATA PROTECTION DECLARATION

Data Protection is very important for AQUANOVA AG. We handle your personal data confidentially and corresponding to the legal data protection regulations.With the following information, we are giving you a simple overview of what happens with your personal data when you visit our website.

1. GENERAL INFORMATION

Personal data is all data which refers to an identified or identifiable natural person.Processing is every process or every operation sequence in connection with personal data, mainly data recording, data organisation, storage and the destruction of data.You can derive details from Art. 4 No. 1 and 2 GDPR.

With this data protection declaration, we fulfil our obligations towards you as per Art. 12 - Art. 14 GDPR.The text of GDPR is accessible at the following web address: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML...

2. ENCODING OF OUR WEBSITE

This page uses a SSL coding for protection of transferred contents such as e.g. questions in the contact form.But we would like to point out that the data transfer in the internet is always associated with security risks.An absolute protection of your data from access by a third party is not possible.

3. CONTROLLER

The so-called “controller” fulfils several data protection obligations. A natural or legal person is meant here, who decides alone or together with others the purposes and means of processing of personal data (e.g. names, E-mail addresses without change). The responsible authority for data processing on this website is:

AQUANOVA AG
Represented by the Board, Mr Frank Behnam
Birkenweg 8-10
64295 Darmstadt/Germany
Fon: +49 6151 6 69 69-0
Fax: +49 6151 6 69 69-29
E-mail: ­info@aquanova.de
Internet: www.aquanova.de

4. WEB HOSTING

Our page is hosted by the company Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen.All data which is recorded during the visit to our website and which we have stored is available therefore on the servers of Hetzner Online GmbH or on the servers of their contractually bound partner enterprises.The servers of the Hetzner Online GmbH are in Germany. Hetzner Online GmbH, as controllers, proceed with the user data collected there strictly as per the instruction of AQUANOVA AG.We specify the purpose and means of processing in terms of Art. 28 GDPR.

5. PROCESSING FOR TRANSMISSION OF THE WEBSITE

5.1 RRECORDING OF DATA IN THE SYSTEM

When accessing our website, our system automatically records the information over the computer system, which is transmitted by your browser and stores it temporarily.These include:

• Name of the website retrieved
• Path
• Date and time of retrieval
• Data volume transmitted, notification on successful retrieval
• Browser type and version
• The operating system of the user, reference URL (the previously visited page),
• IP-address and (it is anonymised after 7 days)
• the requesting provider

This data is only used to transmit the content to your browser. This data is not merged with other data sources. The data is also not stored in log files.

5.2 LEGAL BASIS FOR THE PROCESSING

Art. 6 Para. 1 S. 1 letter f) GDPR is the legal basis for the recording of the data.

5.3 PURPOSE OF THE PROCESSING

The recording of the mentioned information by the system is necessary to enable a delivery of website to the user’s computer.For this purpose, the IP address of the user must remain saved for the duration of the session.Our justified interest in the data processing as per Art. 6 Para 1 S. 1 letter f) GDPR also lies in these purposes.

5.4 THE STORAGE DURATION OF THE DATA IN THE SYSTEM AND THE LOG-FILES

Data is not stored. The recording ends as soon as the respective session is ended.

5.5 OPTION OF OBJECTION AND ELIMINATION

The recording of data for the provision of the website and storage of the data in log files is mandatory for the operation of the website.Therefore, the user has no option of objection.

6. COOKIES

6.1 DESCRIPTION AND SCOPE OF DATA PROCESSING

We use cookies on our websites. Cookies are small text files that are assigned to and stored on the computer of the user by means of a characteristic string of characters and through which certain information flows to the entity that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer as a whole more user-friendly and effective, and therefore more convenient for the user.

Cookies can contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:

• Technical cookies: these are mandatory to use basic functions of the visited website and to ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which websites you have visited;
• Performance cookies: these collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you
• all information collected is anonymous and is only used to improve our website and find out what interests our users;
• Marketing cookies: these are used to provide the website user with tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers;
• Sharing cookies: these are used to improve the interactivity of our website with other services (e.g. social networks).

6.2 LEGAL BASIS FOR PROCESSING

Any use of cookies that is not strictly technically necessary constitutes data processing that only takes place with your explicit and active consent pursuant to Art. 6 (1) p. 1 lit. a) DSGVO. This applies in particular to the use of marketing or sharing cookies. In addition, we will only share your personal data processed through cookies with third parties if you have given your express consent to do so pursuant to Art. 6 (1) p. 1 lit. a) DSGVO.

6.3 OBJECTION AND ELIMINATION OPTIONS

Cookies are stored only on the computer of the user. Therefore, you, as a user, have the full control on the use of cookies. Storage of cookies can be deactivated or restricted in your browser. In case of deactivation of cookies, the functionality of this website can be restricted. You can manually delete the stored cookies at any time and even activate the automatic deletion of cookies at the time of closing the browser.

6.4 FURTHER INFORMATION ON THE USE OF COOKIES

For more information about which cookies we use and how you can manage your cookie settings and disable certain types of tracking, please see the following paragraphs of this data protection declaration.

7. GOOGLE TAG MANAGER

We use Google Tag Manager on this website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to embed tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not set cookies, does not store any personal data and does not perform any independent analyses. It only serves to manage and play out the tools integrated throuth it.

8. GOOGLE ANALYTICS

If you have given your consent, this website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

8.1 SCOPE OF DATA PROCESSING

We primarily record the interactions between you as a user of the website and our website using cookies, device/browser data and IP addresses. Google Analytics also collects your IP addresses to ensure the security of the service and to provide us, as the website operator, with information about the country, region or location from which the respective user originates (so-called "IP location determination"). The information generated by cookies and the (usually shortened) IP addresses about your use of this website are usually transmitted to a Google server in the USA and processed there.

This website uses the demographic characteristics function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google as well as visitor data from third-party providers. This data cannot be assigned to a specific person. You can revoke this function at any time in your Google account via the advertisement settings or generally prohibit the collection of your data by Google Analytics as described in section 8.7 "Revocation of consent to data processing".

We use the User ID function. With the help of the User ID, we can assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and analyze user behavior across devices. For more information, please visit the following link: https://support.google.com/analytics/answer/3123662/. Your revocation of permission to use this feature is available in our Consent Manager.

We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

8.2 PURPOSE OF DATA PROCESSING

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. By means of the reports provided by Google Analytics, we can analyze and improve the performance of our website and the success of our marketing campaigns and thus make them more interesting for you as a user.

8.3 RECIPIENTS OF THE DATA

Recipients of the data collected by Google Analytics are or may be.

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Art. 28 DSGVO).
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

Due to current legislation in the USA, it cannot be ruled out that US authorities will access the data stored by Google.

8.4 TRANSFER OF DATA TO THIRD COUNTRIES (ESPECIALLY USA)

Insofar as personal data is processed outside the EU or the European Economic Area (EEA) and there is no level of data protection equivalent to the European standard, the data transfer is carried out under agreement of the EU standard contractual clauses, the purpose of which is to ensure compliance with an adequate level of data protection in the third country. The parent company of Google Ireland Limited, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not have any legal remedies against data access by the authorities there.

8.5 STORAGE PERIOD

The personal data collected by Google Analytics is automatically deleted after 26 months. Data whose retention period has been reached is automatically deleted once a month.

8.6 LEGAL BASIS FOR DATA PROCESSING

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a) DSGVO.

8.7 REVOCATION OF CONSENT TO DATA PROCESSING

You can revoke your consent at any time with effect for the future. The easiest way to do this is via our Consent Manager. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

You may also refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

You can also prevent the collection and transfer of the data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by

• not giving your consent to the setting of the cookie
• downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

8.8 ORDER PROCESSING AND FURTHER INFORMATION

We have concluded an order data processing agreement with Google.

For more information on terms of use of Google Analytics, please visit: https://marketingplatform.google.com/about/analyti...

Information on data processing when using Google Analytics is provided by Google at: https:support.google.com/analytics/answer/6004245?hl=en/

General information on data protection, which according to Google should also apply to Google Analytics, can be found in Google's data protection declaration at: https://policies.google.com/?hl=de.

9 FACEBOOK PIXEL, CONVERSION TRACKING AND CUSTOM AUDIENCES

Provided you have given your consent, this website uses the so-called "Facebook pixel" of the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. ("Meta").

9.1 PURPOSES OF DATA PROCESSING

By integrating the so-called "Facebook pixel" on our website, we can display our advertising measures to users of our website and the social network Facebook and measure and evaluate the success of these advertising measures ("conversion tracking").

We also use the remarketing function "Custom Audiences" which also uses the Facebook pixel to display interest-based advertisements when you visit our website or other websites that have also integrated the Facebook pixel. This allows us to show you advertisements that are of interest to you in order to make our website more interesting for you and to market our offer.

9.2 SCOPE OF DATA PROCESSING

Due to the marketing tools used, your browser automatically establishes a direct connection with Meta's servers when you visit our website. Through the integration of the Facebook pixel, Meta receives the information that you have called up the corresponding web page of our website or clicked on an advertisement from us. If you are registered with a Meta service (e.g. Facebook), Meta can assign the visit to your account. Even if you are not registered with a Meta service or have not logged in, it is possible that Meta will learn your IP address and other identifying features and use them for its own purposes, such as profiling or advertising. This use of data cannot be influenced by us as the site operator.

For us as the operator of this website, the collected data is anonymous, we cannot draw any conclusions about the identity of the users.

9.3 RECIPIENTS OF THE DATA

Recipients of the collected data are or may be

• Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Meta Platforms Inc. 1 Hacker Way, Menlo Park, CA 94025, USA

Due to current legislation in the USA, it cannot be ruled out that US authorities will access the data stored by Meta.

9.4 TRANSFER OF DATA TO THIRD COUNTRIES (ESPECIALLY USA)

To the extent that personal data is processed outside the EU or the European Economic Area (EEA) and there is no level of data protection equivalent to the European standard, the transfer of data is carried out under agreement of the EU standard contractual clauses, the purpose of which is to ensure compliance with an adequate level of data protection in the third country. The parent company of Meta Platforms Ireland Limited, Meta Platforms Inc. is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Meta cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. If applicable, you may not have any legal remedies against data access by authorities there.

9.5 LEGAL BASIS FOR DATA PROCESSING

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a) DSGVO.

9.6 REVOCATION OF CONSENT TO DATA PROCESSING

The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. The easiest way to revoke is via our Consent Manager. In addition, (only users logged in to the Facebook meta service) can object via the provider's function at the following link: https://www.facebook.com/settings/?tab=ads#

9.7 JOINT RESPONSIBILITY AND FURTHER INFORMATION

When transferring the data collected by Facebook Pixel, we act with Meta as so-called "joint controllers" according to Art. 26 DSGVO. For this purpose, we have concluded a separate agreement (see here: https://www.facebook.com/legal/controller_addendum). Meta is solely responsible for the further processing. If you exercise your rights of access, erasure, etc. (see below under "What rights do you have regarding your data?"), Meta Platforms Ireland Limited is responsible for implementing your rights under the joint responsibility.

For more information about how Meta processes personal data, including the legal basis on which Meta does so and how you can exercise your rights against Meta Platforms Ireland Limited, please see Meta's Data Policy at: https://www.facebook.com/about/privacy

10 LINKEDIN INSIGHT TAG AND RETARGETING

If you have given your consent, this website uses the so-called LinkedIn Insight tag (or LinkedIn Pixel) of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. ("LinkedIn").

10.1 PURPOSES OF DATA PROCESSING

The integration of this JavaScript tag allows us to present you, as a user of our website, with interest-based advertisements ("Ads") relevant to you when you visit the LinkedIn social network or other websites that also use the method, and we obtain statistics about website visitors and demographics. Furthermore, we can evaluate your use of our LinkedIn Ads and interest in our offers, by means of a conversion tracking function and display LinkedIn Ads to you on other websites via retargeting. We thereby pursue the interest of improving the effectiveness of LinkedIn ads and making our website more interesting for you.

10.2 SCOPE OF DATA PROCESSING

By integrating the LinkedIn Insight tag, your browser automatically establishes a direct connection with the server of LinkedIn, both when visiting the LinkedIn website and websites that have the LinkedIn Insight tag built in. We have no influence on the extent and nature of the use of the data by LinkedIn, we therefore inform you according to our state of knowledge: By integrating the LinkedIn Insight tag, LinkedIn receives the information that you have called up the corresponding web page of our website, or clicked on an advertisement from us. If you are registered with a LinkedIn service, LinkedIn can assign the visit to your account. Even if you are not registered with LinkedIn or have not logged in, there is a possibility that the provider will learn your IP address, time slot and other identifying characteristics and link them to the actions assigned to you.

10.3 RECIPIENTS OF THE DATA

Recipients of the data collected are or may be.

• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
• LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA

Due to current legislation in the USA, it cannot be ruled out that US authorities will access the data stored by LinkedIn.

10.4 TRANSFER OF DATA TO THIRD COUNTRIES (ESPECIALLY USA)

Insofar as personal data is processed outside the EU or the European Economic Area (EEA) and there is no level of data protection that corresponds to the European standard, the data transfer is carried out under agreement of the EU standard contractual clauses, the purpose of which is to ensure compliance with an adequate level of data protection in the third country. The parent company of LinkedIn Ireland Unlimited Company, LinkedIn Corporation, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by LinkedIn cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not have any legal remedies against data access by authorities there.

10.5 LEGAL BASIS FOR DATA PROCESSING

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a) DSGVO.

10.6 REVOCATION OF CONSENT TO DATA PROCESSING

The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. The easiest way to revoke is via our Consent Manager. In addition, (only users logged in to LinkedIn) can object via the provider's function under the following links:

https://www.linkedin.com/help/linkedin/answer/6293...

https://www.linkedin.com/psettings/guest-controls/...

10.7 JOINT RESPONSIBILITY AND FURTHER INFORMATION

For the collection of your usage data when visiting our website and the transmission to LinkedIn, we and LinkedIn are so-called joint responsible parties. However, LinkedIn is solely responsible for the relevant processing to carry out the described objectives after transmission of the data.

For more information on data protection at LinkedIn, please visit:

https://business.linkedin.com/de-de/marketing-solu...

https://www.linkedin.com/legal/privacy-policy?trk=...

11 USE OF SOCIAL MEDIA PLUG-INS

We currently use the following social media plug-ins:

• LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland).
• Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

These are only loaded if you have previously activated the function by giving your consent.

11.1 PURPOSES AND SCOPE OF DATA PROCESSING

Through the plug-ins, we offer you the opportunity to interact with social networks and other users. In doing so, the plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research, and/or needs-based design of its website. Such an evaluation is carried out in particular (also for users not logged in to the provider's service) for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. The data transfer takes place regardless of whether you have an account with the service of the plug-in provider and are logged in there. If you are logged in to the service of the plug-in provider, your data collected from us will be directly assigned to your account with the plug-in provider. If you click the activated button and, for example, link to the page, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this allows you to avoid an assignment to your profile with the plug-in provider.

11.2 RECIPIENTS OF THE DATA

Recipients of the collected data are or may be.

• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
• LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA
• Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Meta Platforms Inc. 1 Hacker Way, Menlo Park, CA 94025, USA

Due to current legislation in the USA, it cannot be ruled out that US authorities will access data stored by LinkedIn or Meta.

11.3 TRANSFER OF DATA TO THIRD COUNTRIES (ESPECIALLY USA)

Insofar as personal data is processed outside the EU or the European Economic Area (EEA) and there is no level of data protection corresponding to the European standard, the data transfer is carried out under agreement of the EU standard contractual clauses, the purpose of which is to ensure compliance with an adequate level of data protection in the third country. The parent companies of the plug-in providers are based in the USA. A transfer of data to the USA and access by US authorities to the data stored by the plug-in providers cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. If applicable, you have no legal remedies against data access by authorities there.

11.4 LEGAL BASIS FOR DATA PROCESSING

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a) DSGVO.

11.5 REVOCATION OF CONSENT TO DATA PROCESSING

The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. The easiest way to revoke is via our Consent Manager or via the functions of the social media providers.

11.6 JOINT RESPONSIBILITY AND FURTHER INFORMATION

For the collection of your usage data when visiting our website and the transmission to the plug-in providers, we and the respective plug-in provider are considered joint responsible parties. However, the plug-in provider is solely responsible for further processing after transmission of the data. Further information on the purpose and scope of the data collection and its processing by the plug-in provider can be found in the data protection declarations of these providers communicated below. There you will also receive further information about your rights in this regard and setting options for protecting your privacy. Addresses of the respective plug-in providers and URL of the respective privacy notices:

LinkedIn:

https://business.linkedin.com/de-de/marketing-solu...

https://www.linkedin.com/legal/privacy-policy?trk=...

https://www.linkedin.com/help/linkedin/answer/6293...

https://www.linkedin.com/psettings/guest-controls/...

Facebook/Meta:

https://www.facebook.com/settings/?tab=ads#

https://www.facebook.com/about/privacy

12. ESTABLISHMENT OF CONTACT VIA CONTACT FORM OR E-MAIL

12.1 SCOPE OF DATA RECORDING

You can contact us using the contact form on the website or the e-mail address provided. In this case, the personal data transmitted with your inquiry as well as the contact data provided by you (your e-mail address, your name, and, if applicable, the company for which you work, as well as your telephone number), is stored. It goes, at first, on the server located in Germany of our mail hoster Webmakers UG, Furthmühlgasse 2, 99084 Erfurt, Germany and are then transferred to the exchange server of AQUANOVA AG or the server of our web hoster (refer section 4), which are also located in Germany.

12.2 LEGAL BASIS OF THE DATA PROCESSING

Art. 6 Para. 1 letter f GDPR is the legal basis for the processing of data, which is communicated in the course of contact via contact form or sending an E-mail. If the contact aims at the conclusion of a contract, then Art. 6 Para 1 letter b GDPR is additionally also a legal basis for the processing.

12.3 PURPOSE OF THE DATA PROCESSING

The personal data transmitted in the course of contacting us will be processed by us solely for the purpose of processing your inquiry. The necessary justified interest in the processing of data which you have sent by e-mail also lies herein.

12.4 STORAGE PERIOD

The data sent by you via e-mail is deleted as soon as we have taken note of your comment or when we have answered your query finally and the conversation is ended. The conversation ends if it can be derived from the circumstances that the concerned issue is conclusively clarified. The data can, however, be stored temporarily as long as it is required for the assertion, exercise and defense of claims or if legal retention requirements exist.

12.5 OPTION OF OBJECTION AND ELIMINATION

You can contradict the storage of the data transmitted by you in the context of an establishment of contact at any time. In such a case, the conversation cannot, however, be continued and your inquiry may not be processed conclusively. Please contact us via e-mail or via the contact form on our website for such an objection. All personal data which was stored in the course of the establishment of contact is deleted in this case. The data can be temporarily stored as long as it is required for the assertion, exercise and defense of legal claims or if legal retention requirements exist.

13. WHICH RIGHTS DO YOU HAVE REGARDING YOUR DATA?

You are entitled to obtain information about the source, recipient and purpose of your stored personal data free of cost at any time. Moreover, you particularly have a right to demand correction, blocking or deletion and the restriction of this data. You can contact us at any time at the address mentioned in the masthead for further questions on the topic of data protection. Apart from this, you are entitled to a right of appeal to the relevant supervisory authority. In detail, you are entitled to the following rights:

13.1 RIGHT TO INFORMATION

You can demand a confirmation from the controller as to whether we have processed the personal data concerning you. If this is the case, then you can demand the following information from the controller:

(1) The purpose of processing;

(2) the categories of personal data which are processed;

(3) information about the recipients or the categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;

(4) the planned storage period of the personal data concerning you or if concrete information for this is not possible, then criteria for determining the storage period;

(5) the existence of a right to correction or deletion of the personal data concerning you, of a right to restricting the processing by the controller or of a right to objection against this processing;

(6) the existence of a right to appeal to a supervisory authority;

(7) all available information about the source of data, if the personal data is not collected from the data subject;

(8) existence of an automated decision-making including profiling as per Art. 22 Para 1 and 4 GDPR and – at least in these cases – convincing information about the involved logic and the scope and intended effects of similar processing for the data subject.

You have the right to demand information as to whether the personal data concerning you is conveyed to a third country or an international organisation. In this context, you can demand information about the appropriate guarantees as per Art. 46 GDPR in connection with the communication.

13.2 RIGHT TO CORRECTION

You have a right to correction against the controller, insofar as the processed personal data concerning you is incorrect. If the data is incomplete, then you have the right to completion. The controller must make the correction immediately.

13.3 RIGHT TO RESTRICTION OF PROCESSING

GDPR provides a right to restriction of personal data. If the processing of the personal data concerning you is restricted, then this data – irrespective of its storage – may be processed only with your consent or for the assertion, exercise or defence of legal claims or for the protection of rights of another natural or legal person or due to reasons of an important public interest of the Union or of a member state.

If the restriction of the processing is limited by the above-mentioned pre-requisites, then the controller informs you before the restriction is cancelled.

You can demand the restriction of processing under the following pre-requisites:

(1) If you dispute the correctness of the personal data concerning you for a period, which enables us as controller to check the correctness of the personal data;

(2) if the processing is illegal and if you refuse the deletion of personal data and instead of this, demand from us the restriction of the use of personal data;

(3) if we, as controller, no longer require the personal data for processing, however, you require it for the assertion, exercise or defence of legal claims or

(4) if you have raised an objection against the processing as per Art. 21 Para 1 GDPR but it is not yet determined whether the justifiable reasons of the controller outweigh your reasons.

13.4 RIGHT TO DELETION

Deletion obligation

You can demand from us, as controller, that the personal data concerning you should be immediately deleted and we are obliged to delete this data immediately, insofar as one of the following reasons apply:

(1) The personal data concerning you is no longer required for the purposes for which it was recorded or processed in another way.

(2) You revoke your consent on which the processing as per Art. 6 Para. 1 lit. a or Art. 9 Para 2 letter a GDPR was based and another legal basis for the processing is missing.

(3) You file an objection as per Art. 21 Para 1 GDPR against the processing and no overriding legitimate reasons are given for the processing, or you file an objection as per Art. 21 Para 2 GDPR against the processing.

(4) The personal data concerning you was illegally processed.

(5) The deletion of the personal data concerning you is required for fulfilling the legal obligation as per the Union law or as per the law of the member state to which the controller is subject.

(6) The personal data concerning you was collected with reference to the offered services of the information company as per Art. 8 Para 1 GDPR.

Information to a third party

If the controller discloses the personal data concerning you publicly and if he is obliged to its deletion as per Art. 17 Para 1 GDPR, then he takes appropriate measures under consideration of the available technology and implementation costs, even of a technical nature, to inform the controller for the data processing who processes personal data that you, as data subject, have demanded a deletion of all links to this personal data or of copies and replications of these personal data.

Exceptions

The right to deletion does not exist insofar as the processing is required

(1) for exercising the right for free expression of opinion and information;

(2) for fulfilling a legal obligation, which requires the processing as per the law of the Union or of the member states to which the controller is subject, or for performing a task which lies in the public interest or is carried out in the exercise of official authority, which was transferred to the controller;

(3) due to reasons of public interest in the field of local health as per Art. 9 Para. 2 lit. h and i and also Art. 9 Para 3 GDPR;

(4) for archiving purposes that lie in the public interest, scientific or historical research purposes, or for statistical purposes as per Art. 89 Para 1 GDPR, insofar as the law mentioned under Para a) probably makes the implementation of goals of this processing impossible or seriously hampers them or

(5) for the assertion, exercise or defence of legal claims.

13.5 RIGHT TO INFORMATION

If you have asserted the right to correction, deletion or restriction of processing against the controller, then he is obliged to communicate to all the recipients to whom your personal data was disclosed this correction or deletion of data or restriction of processing, unless it proves to be impossible or associated with disproportionate expense. You are also entitled to obtain information about the recipients from the controller.

13.6 RIGHT TO DATA TRANSFERABILITY

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, conventional and machine-readable format. Apart from this, you have the right to transfer this data to another controller without any obstacle from the controller to whom you had provided the personal data, insofar as

(1) the processing is based on a consent as per Art. 6 Para 1 letter a GDPR or Art. 9 Para 2 letter a GDPR or based on a contract as per Art. 6 Para 1 letter b GDPR and

(2) the processing takes place with the help of an automated process.

While exercising this right, you also have the right to effect that the personal data concerning you is transferred directly from one controller to another controller, insofar as it is technically feasible. Freedoms and rights of other persons should not be impaired by this.

The right to data transferability is not applicable for a processing of personal data which is required for performing a task that lies in the public interest or which takes place in exercise of public authority, which was transferred to the controller.

13.7 RIGHT TO OBJECT

You have the right to file an objection for reasons which result from your particular situation, against the processing of personal data concerning you at any time, which takes place based on Art. 6 Para. 1 letter e or f GDPR; this is also applicable for a profiling based on these regulations. The controller no longer processes the personal data concerning you, unless he can establish the compelling legitimate grounds for the processing, which outweigh your interests, rights and freedom or the processing is used for the assertion, exercise and defence of legal claims.

If the personal data concerning you is processed to carry out direct advertising, then you are entitled to file an objection anytime against the processing of the personal data concerning you for such advertisement; this is also applicable for profiling insofar as it is connected with such direct advertisement.

If you revoke the processing for direct advertising, then the personal data concerning you will no longer be processed for this purpose.

You have the option of exercising the right to objection with the help of an automated process, in which the technical specifications are used, in connection with the use of services of the information company – irrespective of guideline 2002/58/EG.

13.8 RIGHT TO REVOKE THE DATA PROTECTION CONSENT DECLARATION

You are entitled to revoke the data protection consent declaration at any time. By revoking the consent, the legality of the processing that took place on the basis of the consent till the revocation is not affected. You can revoke your consents at any time via our Consent Manager.

13.9 AUTOMATED DECISION IN AN INDIVIDUAL CASE INCLUDING PROFILING

You have the right not to be subject to a decision based exclusively on an automated processing – including profiling – which has a legal effect on you or hampers you considerably in a similar way. This is not applicable, if the decision

(1) is required for conclusion or fulfilment of a contract between you and the controller

(2) based on legal regulations of the Union or of the member states, to which controller is subject, is permissible and these legal regulations include appropriate measures for safeguarding your rights and freedoms and your legitimate interests or

(3) takes place with your explicit consent.

However, these decisions should not be based on special categories of personal data as per Art. 9 Para 1 GDPR, insofar Art. 9 Para. 2 letter a or g is not applicable and appropriate measures were undertaken for the protection of rights and freedoms and also your legitimate interests.

Regarding the cases mentioned in (1) and (3), the controller takes appropriate measures to safeguard the rights and freedoms and also your legitimate interests, which include the right to obtain human intervention on the part of the controller, the right to present one’s own point of view and the right to challenge the decision.

13.10 RIGHT TO APPEAL TO A SUPERVISORY AUTHORITY

Irrespective of other administrative or judicial legal remedies, you have the right to appeal to a supervisory authority particularly in the member state of your residence, your work place or at the location of the supposed breach, if you believe the processing of the personal data concerning you has breached the GDPR.

The supervisory authority to which the appeal was submitted informs the plaintiff about the status and the results of the appeal including the option of legal remedy as per Art. 78 GDPR.

The responsible supervisory authority in data protection matters is the data protection officer of the Federal State in which our enterprise is located. A list of data protection officers and their contact data is available at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_L....