What is this all about?
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'), i.e. data that can be related to you personally, such as name, address, e-mail address, user behaviour, etc. 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The following chapters
I. Name and address of the controller
II. Contact details of the Data Protection Officer
III. General information on data processing
IV. Provision of the website and creation of log files
V. Use of "own" cookies
VI. Website analysis tools
VIII. Contact form and e-mail contact
X. Embedding of YouTube videos
XI. Embedding of Google Maps
XII. Embedding of Google Fonts
XIII. Online presence in social media
XIV. Rights of the data subject
and the associated sub-items provide you with information in greater detail as to the processing of your personal data and your rights as a data subject:
The controller within the meaning of the General Data Protection Regulation (hereinafter: "GDPR") and other national data protection laws of the EU Member States, as well as other data protection regulations, is
CWS International GmbH
Telephone number: +49 6103 309-0
The controller's Data Protection Officer can be contacted as follows:
Datenschutzbeauftragter/Data Protection Officer
1. Scope of personal data processing
We collect and process our users' personal data only insofar as necessary in the interests of providing a fully functional website and our content and services. The processing of our users' personal data on a regular basis only takes place with their consent. An exception applies in those cases in which circumstances prevent us from obtaining the user's prior consent and the processing of the data is permitted by law.
2. The legal basis for the processing of the personal data
a) Insofar as we obtain the data subject's consent for the processing of his/her personal data for one or more specific purposes, Art. 6(1)(a) GDPR serves as legal basis in this context.
b) As regards the processing of data that is necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR serves as legal basis. This also applies to any processing that may be necessary in order to take steps at the request of the data subject prior to entering into a contract.
c) Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as legal basis.
d) In the event that processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6(1)(d) GDPR serves as legal basis.
e) If processing is necessary towards safeguarding a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) GDPR serves as the legal basis for the processing in such case.
3. Erasure and storage period
The personal data of the data subject will be erased or blocked for processing as soon as the purpose for its storage is no longer given. Furthermore, data may be stored if this is required by Union or Member State regulations, law or other provisions to which the controller is subject. Deletion or blocking for processing of data will also be carried out if a storage period prescribed by the referenced standards expires, unless further storage of the data is necessary for the conclusion or performance of a contract.
1. Description and scope of data processing
Every time a user accesses our website, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
·Information about the browser type and the version used
·The user's operating system
·The user's internet service provider
·The user's IP address
·Date and time of access
·Websites from which the user's system accesses our website
·Websites accessed by the user's system via our website
The data are likewise stored in the log files of our system. These data are not stored together with any other of the user’s personal data.
2. Legal basis for data processing
The legal basis for temporary storage of the data and log files is Art. 6(1)(f) GDPR.
3. Purpose of data processing
Temporary storage of the IP address by the system is necessary to facilitate delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.
The data are stored in log files to ensure the website's functionality. In addition, we use the data to optimise the website and to ensure the security of our IT systems. We do not evaluate these data for any marketing purposes in this context.
These purposes also encompass our legitimate interest in the processing of the data as per Art. 6(1)(f) GDPR.
4. Duration of storage
The data are deleted as soon as they are no longer required for the purpose for which they were collected. As regards the collection of data for provision of the website, this is the case once the respective session has ended.
Data stored in log files are deleted within seven days at the latest. Extended storage is possible. In this case, the user's IP address will be deleted or modified in such a way that we can no longer identify the accessing client.
5. Opt-out and data removal options
The collection of data for provision of the website and the storage of data in log files is absolutely essential to the website's operation. The user therefore has no possibility to object to their collection and retention.
1. Description and scope of data processing
We use the following types of cookies, the scope and function of which are explained in the following:
·Cookies that are technically necessary
·Cookies that are not technically necessary (analysis cookies)
a) Cookies that are technically necessary
We use these cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can still be identified when the user switches to another page of the website.
These cookies store and forward the following data:
·Display of cookie notification text (cookie_consent, cookie_notification_reload_count)
·Caching, e.g. of product reminder lists (Drupal.session_cache.sid)
·Bookmarked product list (Drupal.visitor.result, product_overview_href)
b) Cookies that are not technically necessary (analysis cookies)
The following data can be forwarded in this way:
·Search terms entered
·Frequency of page viewings
·Use of website functions
The user data collected in this way are pseudonymised by technical means. It is therefore no longer possible to associate the data with the accessing user. The data are not stored together with other personal data relating to the user.
The legal basis for the processing of personal data using cookies is Art. 6(1)(f) GDPR.
a) For technically necessary cookies
These cookies are required for the following applications:
·Applying language settings
·Bookmarking of search terms
·Recognition of users
b) For cookies that are not technically necessary
The analysis cookies are used to improve the quality of our website and its content. The analysis cookies enable us to find out how the website is used and thus allow us to continuously optimise it.
·Google Analytics (_ga, _gid, _gat)
Given this purpose, we also have a legitimate interest in the processing of personal data in accordance with Art. 6(1)(f) GDPR.
4. Duration of storage and options for objection and removal
The following analysis tools are used on our website:
1. Google Analytics
a) Description and scope of data processing
This information is as follows:
·Origin (country and city)
·Device (PC, tablet PC or smartphone)
·Browser and add-ons used
·Click areas (heat map)
If IP anonymisation is activated on this website, however, Google Inc. will first truncate your IP address within the member states of the European Union or other parties to the Agreement on the European Economic Area. This means that IP addresses are only processed in truncated form, so personal identifiability can be ruled out. This means that if the data collected about you are identifiable to you personally, they will be blocked immediately and the personal data thus erased immediately.
Only in exceptional cases will the full IP address be transferred to a Google server in the United States and truncated there. Where such exceptional cases in which personal data are transferred to the USA are concerned, Google has signed up to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is sentence 1 of Art. 6(1)(f) GDPR.
On behalf of this website's operator, Google will use this information to evaluate your use of the website, to compile reports on website activities and to provide the website operator with other services relating to website and internet use.
The IP address sent by your browser for Google Analytics purposes will not be combined with other data stored by Google Inc.
b) Legal basis for the processing of the personal data
The legal basis for processing the personal data is Art. 6(1)(f) GDPR.
c) Purpose of data processing
We use Google Analytics to analyse and continuously improve the use of our website. With the statistics thus gained, we can improve our offering and make it more interesting for you as a user. Given these purposes, our legitimate interest lies in the processing of personal data pursuant to Art. 6(1)(f) GDPR. The anonymisation of the IP address means that adequate consideration is given to the interests of the user in the protection of their personal data.
d) Duration of storage
Data stored at Google on the user and event level which are linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) are anonymised after 14 months or erased. For details in this context, please refer to the following link:
e) Opt-out and data removal options
2. etracker (CWS customer portal)
We use etracker, a web analysis service provided by etracker GmbH, Erste Brunnenstrasse 1, D-20459 Hamburg, Germany. The general terms and conditions can be viewed at https://www.etracker.com/agb, the agreement for the processing of personal data can be viewed at https://www.etracker.com/av-vertrag.
You can find more detailed information on etracker cookies at https://www.etracker.com/support/etracker-cookies-2/. The customer portal only uses the following cookies: BT_ctst, BT_pdc, BT_sdc, _et_coid, noWS_mjV509.
If IP anonymisation is activated on this website, however, etracker will first truncate your IP address within the member states of the European Union or other parties to the Agreement on the European Economic Area. As a result, IP addresses are only processed in truncated form in order to prevent direct identifiability. This means that if data collected about you are identifiable to you personally, they will be blocked straight away and the personal data thus erased immediately.
The legal basis for the use of etracker is sentence 1 of Art. 6(1)(f) GDPR.
On behalf of the operator of the customer portal, etracker GmbH will use this information to analyse your use of the website, to compile reports on website activities and to provide the website operator with other services relating to website and internet use.
The IP address sent by your browser for etracker purposes will not be merged with other data stored by etracker nor passed on to third parties.
b) The legal basis for the processing of the personal data
We use etracker Analytics to analyse the usage of our customer portal and to be able to continuously improve it. With the statistics thus gained, we can improve our internet offering and make it more interesting for you as user.
Insofar as the data collected is personal, it will be deleted immediately as part of the anonymisation.
We would like to use the processing of the data in order to be able to suggest our best possible products and services for your business, to inform you about new products, product innovations, product possibilities, new developments, related current topics, special offers, newsletters about our own products and services including related current topics, events and to contact you for survey purposes from companies in the CWS Group.
Since we cannot offer all products ourselves in Germany, we also use affiliated companies as subcontractors. For the purposes of being able to make appropriate suggestions, we also pass on your data to the affiliated companies of the CWS Group (see www.cws.com/Locations for a list of these) within the scope of what is permitted under data protection law. We naturally conclude agreements with these companies on the processing of orders using personal data.
You can sign up to our free-of-charge newsletter by the following means:
You can sign up to the free-of-charge newsletter on our website. We use what is known as the "double opt-in" procedure for your signup to our newsletter. This means that after you sign up, we will send you an e-mail to the e-mail address indicated by you, in which we ask you to confirm that you wish to have the newsletter mailed to you. If you do not confirm your signup within 24 hours, your information will be blocked and, after one month, automatically erased.
b) e-mail invitation:
It is possible to sign up to our free-of-charge newsletter via an e-mail invitation. To sign up to our newsletter, confirm the activation link in the e-mail you receive. We will then send you a second e-mail in which we ask you to confirm that you would like to have the newsletter mailed to you. If you do not confirm your registration within 24 hours, your information will be blocked and, after one month, automatically erased.
c) Written consent:
If you send us your written consent, we will store it as a scan or in its original form, likewise for documentation purposes. When you sign up to the newsletter, the data from the input mask will be sent to us. The personal data in question are as follows:
·e-mail address (mandatory)
·First name (optional)
·Date of birth (optional)
The following personal data will also be collected when you sign up:
·IP address of the accessing computer
·Date and time of signup/mailing of the first opt-in e-mail
·Storage of the texts used for signup and confirmation (as content of the declaration of consent)
In connection with the data processing for the mailing of newsletters, the data are passed on to member companies of the CWS Group (see www.cws.com/Locations for a list of these) and to other service providers if this is necessary for the mailing of the newsletter.
The other service providers are currently:
i. Salesforce Pardot
We use the Pardot services for the mailing of our newsletters. The provider is Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA.
We use Salesforce Pardot to organise and analyse the mailing of newsletters. When you enter data (e.g. your e-mail address) for signing up to our newsletter, these will be stored on Pardot servers in the USA. When you open an e-mail sent by Pardot, a file contained in the e-mail (so-called web beacon) connects to Pardot's servers in the USA. It can thus be established whether a newsletter message has been opened and which links, if any, are clicked on. Technical information is also collected:
·Time of access
This information cannot be associated with the respective newsletter recipient. It is used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to ensure that the content of future newsletters better matches the interests of recipients.
The legal basis for using Pardot Salesforce is sentence 1 of Art. 6(1)(a) and (f) GDPR.
If you do not wish your use of the newsletter to be analysed by Pardot, you will have to unsubscribe from the newsletter. We provide a link for this purpose in each newsletter message that we send.
Conclusion of a data processing agreement: We have concluded a data processing agreement with Pardot in which we obligate Pardot to protect the data of our customers and not to disclose said data to third parties, besides which Pardot has signed up to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
2. Legal basis for the data processing
The legal basis for processing the data after the user's registration for the newsletter is, given the user's prior consent, Article 6(1)(a) GDPR.
The user's e-mail address is collected to facilitate delivery of the newsletter. If you voluntarily provide your title, surname, first name and date of birth as well when signing up, these data will solely be used for the purposes of personalising the newsletter.
The collection of other personal data as part of the signup process ensures the prevention of misuse of the services or of the e-mail address used.
Technical information is also collected when the newsletter is opened. It is used solely for statistical analysis of newsletter campaigns. The results of these analyses can be used to ensure that the content of future newsletters better matches the interests of recipients.
The data are deleted as soon as they are no longer required for the purpose for which they were collected; your e-mail address will therefore be stored for as long as your subscription to the newsletter is active.
The other personal data collected during the registration process will generally be deleted after a period of seven days.
You can opt out of having the newsletter mailed to you at any time and unsubscribe from the newsletter. You can notify your opt-out by clicking on the link provided in each newsletter e-mail, by e-mail to the e-mail address specified in the newsletter e-mail or by sending a message to the contact given in the imprint.
This likewise facilitates withdrawal of consent to the storage of personal data collected during the registration process.
The processing of your name and contact information for the purposes of providing you with information about our products, managing your registration, registering and participating in our events, webinars, for managing your registration for competitions or promotions, providing customer support or if we communicate with you by any other means.
There is a contact form on our website which can be used for making contact by electronic means. If users choose to use this possibility, the data entered in the input screen will be sent to us and stored. These data are:
·First name (mandatory)
The following data are additionally stored at the time the message is sent:
1. IP address of the accessing computer
2. Date and time of messaging
Alternatively, you can contact us via the e-mail address accordingly provided. In this case, the user's personal data transmitted with the e-mail will be stored.
Such data will not be disclosed to third parties in this context. These data will be used exclusively for processing the conversation.
2. Legal basis of the processing
The legal basis for data processing, given the user's consent, is Art. 6(1)(a) GDPR.
The legal basis for processing the data transferred in the course of sending an e-mail is Art. 6(1)(f) GDPR.
If the ultimate purpose of the e-mail contact is the conclusion of a contract, the supplementary legal basis for the data processing is Art. 6(1)(b) GDPR.
We process the personal data from the input mask solely for the purpose of facilitating communication with the user. If contact is made via e-mail, this also provides the required legitimate interest in processing the data.
The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.
The data are deleted as soon as they are no longer required for the purpose for which they were collected; as regards the personal data from the input mask and those sent per e-mail, this is then the case when the respective conversation with the user has ended. The conversation is deemed ended when the circumstances indicate that the matter in question has been definitively resolved.
The personal data additionally collected during the sending process are deleted after a period of 7 days at the latest.
At any time, the user has the option of opting out of the processing of his/her personal data. Users making contact with us by e-mail can at any time object to the storage of their personal data. In such case the conversation cannot be continued. To revoke your consent and object to the storage, you can use the e-mail address used to contact us or the e-mail address given in the imprint.
In such case, all personal data that was stored when you made contact with us will be erased.
CWS customer portal
Our CWS customer portal enables you to manage your contracts with CWS as well as view invoices and delivery notes.
On the portal homepage we offer you the option to sign up or log in by providing personal data. The data are entered in an input screen, transmitted to us and stored. The data will not be passed on to third parties.
We use what is known as the "double opt-in" procedure for your signup to our newsletter. This means that after you have signed up, we will send you an e-mail to the e-mail address indicated by you, in which we ask you to confirm that you wish to sign up to the portal. If you do not confirm your signup within 48 hours, your information will be blocked and, after one month, automatically erased.
The following data is collected during the signup process:
·Surname, first name
The following other data is also stored at the time of your signup:
·Date and time of signup
The legal basis for processing the data after your signup to the customer portal is Art. 6(1)(a) GDPR.
Your signup does not take place for the conclusion of a contract: Your signup is necessary for the provision of certain content and services on our website.
The collection of data in the course of the signup process serves to associate the person signing in to the correct contracts so that the user can manage his/her contracts only and view the invoices and delivery notes for them.
The purpose of collecting any other data as part of the process of signing up is to prevent misuse of the services or of the e-mail address used.
The data are erased as soon as you terminate your access permanently and your data are no longer necessary for contract performance. Furthermore, we will store the optional data provided by you for the duration of your use of the portal, unless you erase them prior to this.
You can permanently terminate your access to the customer portal at any time by following the steps explained in the customer portal. However, this does not remove your existing contract; this remains unaffected hereby.
X. Embedding of YouTube videos
We have embedded YouTube videos in our online offering. These videos are stored on http://www.youtube.com and are directly playable from our website. These are all embedded via the URL https://www.youtube-nocookie.com, which means that no data on you as user is sent to YouTube unless you play the videos. Only after you play the videos will your data be sent. We have no control over this data transmission.
YouTube is operated by Google Inc.
The legal basis for the integration of YouTube is Art. 6(1)(f) GDPR.
The embedding gives you the option to interact with YouTube and other users so that we can improve our offering and make it more interesting for you as user. Given this purpose, we have a legitimate interest in embedding YouTube videos.
Such evaluation by YouTube takes place in particular (even for users who are not logged in) to provide targeted advertising and to inform other users on the social network about your activities on our website.
We have no information on the storage periods and erasure of the data collected by YouTube.
You have a right to opt out of the creation of these user profiles, but to exercise this right you must contact Google.
XI. Embedding of Google Maps
We use the Google Maps tool on this website.
The legal basis for the embedding of Google Maps is Art. 6(1)(f) GDPR.
The use of Google Maps gives you easy access to the interactive map displayed on our website, and convenient use of the map function. Given this purpose, we have a legitimate interest in embedding Google Maps.
We have no information on the storage periods and erasure of the data collected by Google Maps.
XII. Embedding of Google Fonts
On our website we embed the fonts ("Google Fonts") provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The legal basis for the embedding of Google Fonts is Art. 6(1)(f) GDPR.
The embedding is done based on our legitimate interests in a technically secure, maintenance-free and efficient use of fonts, their uniform representation as well as consideration of possible licensing restrictions on their embedding.
We have no information on the storage periods and erasure of the data collected by Google.
You have the right to object to the creation of these user profiles, but you must contact Google to exercise this right.
XIII. Online presence in social media
We maintain an online presence on various social networks and platforms ("social media") in order to communicate with our customers, interested parties and other users and inform them about our services. When accessing such networks and platforms, the terms and conditions as well as privacy policies of these networks and platforms apply.
XIV. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in respect of the controller (see section I. of this declaration):
Right to access of information
You have the right to obtain from the controller confirmation as to whether we process your personal data.
Where that is the case, you have the right to obtain from the controller access to the following information:
a) the purposes for which the personal data are processed;
b) the categories of personal data that are processed;
c) the recipients or the categories of recipients to whom the personal data relating to you have been or will be disclosed;
d) the envisaged period of storage for which your personal data will be stored or, if specific information cannot be provided, the criteria used to determine the storage period;
e) the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information on their source;
h) the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the scale and the envisaged consequences of such processing for the data subject.
You have the right to access information as to whether your personal data are transmitted to a third country or to an international organisation. Where that is the case, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in relation to the transmission.
Right to rectification
You have the right to obtain from the controller the rectification of inaccurate personal data on you and/or completion of incomplete personal data on you processed by the controller. The controller is to carry out such rectification without delay.
Right to restriction of processing
a) if you dispute the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or
d) you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
If the processing of personal data concerning you has been restricted, then – apart from its storage – this data may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person, or for reasons of an important public interest on the part of the Union or a Member State.
If you have obtained restriction of processing under the above criteria, you shall be informed by the controller before the restriction of processing is lifted.
Right to erasure of data
a) Obligation to erase data
You have the right to obtain from the controller the erasure of your personal data without delay and the controller has the obligation to erase such data without delay where one of the following grounds applies:
·Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
·You withdraw your consent on which the processing is based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.
·You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
·Your personal data have been unlawfully processed.
·Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
·Your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
b) Notification of third parties
Where the controller has made your personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure does not apply to the extent that processing is necessary
·for exercising the right of freedom of expression and information;
·for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
·for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i), as well as Art. 9(3) GDPR;
·for archiving purposes in the interest of public, scientific or historical research purposes or for statistical purposes as per Art. 89(1) GDPR, to the extent that the right referred to in section a) is likely to render impossible or seriously inhibit the achievement of the purposes of such processing; or
·for the assertion, exercise or defence of legal claims.
Right to notification
If you have exercised the right to obtain from the controller the rectification, erasure or restriction of processing, the controller is obliged to communicate such rectification or erasure of data or restriction of processing to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves a disproportionate outlay.
You have the right to be informed by the controller about such recipients.
Right to data portability
You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
a) the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or a contract pursuant to Art. 6(1)(b) GDPR and
b) the processing is carried out by automated means.
In exercising that right, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6(1)(e) GDPR, including profiling based on those provisions.
The controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
a) is necessary for entering into, or performance of, a contract between you and a controller,
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9(1), unless Art. 9(2)(a) or (g) GDPR apply and appropriate measures to protect your rights and freedoms as well as your legitimate interests are in place.
In the cases referred to in points a) and c), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.