ALLDATA Privacy Policy 

Last update 24/04/2024

Controller

The following entity is responsible for the collection and processing of personal data within the meaning of the General Data Protection Regulation:

ALLDATA Europe GmbH

Barcelona-Allee 1
51103 Cologne
Germany
Phone: +49 (0) 221 534 107 00
Internet: https://www.alldata.com
E-mail: info@alldataeurope.com

Contact details of our privacy officer

Preston Pham: preston.pham@alldata.com 

Introduction and general information on data processing

The protection of your personal data is of utmost importance to us. Therefore, we treat your personal data with strict confidentiality and adhere to legal regulations governing data protection, notably the European Data Protection Regulation (GDPR) and the German Federal Data Protection Act. 

This privacy policy aims to provide you with comprehensive information regarding the collection and utilization of your personal data by us, acting as the data controller. In the following, you will first find definitions of the terms used (A.) and general information on the processing of your personal data (B.). Subsequently, we specifically address data processing when using our website (C.) and our OEM Repair Portal (hereinafter: "Customer Portal") (D.) as well as further data processing (E.). Finally, we inform you about your rights as a data subject (F.).

A. Definitions

Following the examples of Art. 4 GDPR, this privacy policy is based on the following definitions:

1. Personal data

According to Art. 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person (data subject). An individual is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics.

Identifiability may also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is not important (photos, video- or audio recordings can also contain personal data).

2. Processing

According to Art. 4(2) GDPR, processing is any operation which involves the handling of personal data, whether or not by automated (i.e. technology-based) means. This includes, in particular, the collection (i.e., acquisition), recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended purpose on which a data processing was originally based.

3. Controller

Pursuant to Art. 4(7) GDPR, the controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

4. Joint Controllers

Pursuant to Art. 26 GDPR, where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.

5. Third Party

According to Art. 4(10) GDPR, a third party is any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct responsibility of the controller or processor; this also includes other group-affiliated legal entities.

6. Processor

Pursuant to Art. 4(8) GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is not a third party.

7. Consent

Consent means, according to Art. 4(11) GDPR, any expression of will in the form of a declaration or other unambiguous affirmative action, given voluntarily for the specific case, in an informed manner and unambiguously, by which the data subject indicates that he or she consents to the processing of his or her personal data.

B. General information on data processing

1. Scope of the processing of personal data

As a guiding principle, we only collect data whose processing is either required by law, contractually agreed upon, essential for contract initiation and execution, or voluntarily provided to us on the basis of consent.

When you visit our website, we collect, store and use your personal data solely to the extent necessary to deliver a functional website and showcase our content and services. Any further collection and use of your personal data typically occurs only with your consent. However, exceptions arise in cases where obtaining prior consent is impractical due to factual constraints, and data processing is authorized by legal regulations.

2. Legal bases for the processing of personal data

a. Data processing for the performance of a contract

When processing personal data that is necessary for the performance of a contract to which you are a party, Art. 6(1)(b) GDPR provides the legal foundation. This also encompasses processing activities necessary for carrying out pre-contractual measures. 

b. Data processing based on consent

When we seek your consent for processing personal data, Art. 6(1)(a) GDPR acts as the legal basis for such data processing. We only rely on consent for processing your personal data if there are no other legal grounds permitting the processing. 

Furthermore, we seek consent when we intend to furnish information about our own products, services, and events, and that the legal ground of protecting legitimate interest is not available for the corresponding data processing, or when soliciting your participation in a survey.

c. Data processing for the pursuit or protection of legitimate interests

We only process your personal data in accordance with Art. 6(1)(f) GDPR in pursue or safeguarding our legitimate business and legal interests, provided that the additional requirements of Art. 6(1)(f) GDPR are satisfied. This means that we consider our interests in processing the data, or the interest of a third party, as outweighing your interests or fundamental rights and freedoms in the given circumstances.

We may process your personal data with the aim of developing and refining our products to offer an improved customer experience. 

Additionally, we use your personal data as needed to safeguard our legitimate interests, such as combating fraud, and defending and asserting legal claims. In these instances, the data processing is based on Art. 6(1)(f) GDPR.

d. Data processing for compliance with legal obligations

When necessary, we process your personal data to fulfill statutory documentation obligations, such as those required by tax offices and supervisory authorities. In such instances, the data processing is based on Art. 6(1)(c) GDPR. A legal obligation arises from Section 147 of the German Fiscal Code (“AO”).

Furthermore, we process your personal data in accordance with Art. 6(1)(c) GDPR for the purpose of a detailed examination of whether an order may be accepted. The same applies to the obligation imposed on us by law to identify our business partners and the further obligations under the regulations of the Money Laundering Act.

e. Potential consequences of not providing your data 

If your personal data is required by law or contract, you are obligated to provide that information. Failure to comply may result in legal consequences such as a fine, legal action, or termination of services. However, if the collection of your data is based on your consent, you have the freedom to withhold this information. Nonetheless, if your personal data is collected to provide specific services or online content to you, not providing the information might restrict your access to certain services or content that would otherwise be available to you. For instance, if your personal data is collected to provide personalized browsing experience, you would not be able to enjoy this feature if you do not provide the necessary information. Similarly, your personal data is collected for communicating purpose, not providing that information may result in your not receiving these communications. 

f. Profiling and automated decision-making 

We do not engage in automated decision making or profiling with your personal data. 

3. Data deletion and storage period

We do not retain your personal data longer than necessary. When the applicable retention period expires, your personal data will be deleted, anonymized or aggregated unless there is a need for further retention required by law, such as in the case of a legal dispute. In addition, storage may be necessary if mandated by European or national legislator in Union regulations, laws or other provisions to which we are subject. It’s important to note that once your data is anonymized or aggregated with others’, they can no longer be used to identify you.

4. Security by using TLS/SSL

If you transmit your personal data to us via our website or Customer Portal, we use current secure technologies, in particular the "Transport Layer Security" (TLS) transmission (formerly known as "Secure Socket Layer" transmission (SSL)) protocol. All information and data transmitted through these secure methods are encrypted before being sent to us. This encryption applies specifically to all personal data of our customers. In addition, to protect both you and us from misuse, the IP address of your computer is transmitted to us. It’s important to note that encryption using these technical methods is effective only if the corresponding technical settings have also been configured on your end.

5. Data recipients

As a global company and a member of the AutoZone group with affiliated entities worldwide, ALLDATA Europe may share your personal data with other affiliated ALLDATA companies and third parties (collectively, “third parties”). ALLDATA has a centralized marketing team supported by IT units located in countries outside of the European Union. These ALLDATA companies act as co-controllers in processing your data. It’s important to note that access to your data from these countries is restricted to authorized personnel with a legitimate need to know. Proper technical and organizational measures (TOMs) are implemented to safeguard your data, as outlined in Annex II. 

We will only transfer your personal data to third parties if we are authorized to do so under data protection law. Such transfers are based on legal obligations, legitimate interests, the necessity to perform a contract, or your consent. When external service providers act as processors, data transfer occurs within the framework of a data processing agreement. If a data transfer to processors in countries outside the European Economic Area is necessary, it is conducted either based on approved EU standard contractual clauses or an adequacy decision issued by the EU Commission.

C. Data processing when using the website

1. Storage of cookies

In order to make the visit to our website attractive and to enable the use of certain functions, we use cookies on various pages. Cookies are small text files that are automatically stored on your terminal device. Some of the cookies we use are deleted at the end of the browser session, i.e. after closing the browser (session cookies). Other cookies remain on your end device and allow us to recognize your browser on your next visit (persistent cookies). The duration of storage can be found in the overview in the Cookie Settings of the web browser.

Furthermore, we distinguish between cookies that are technically necessary for the operation of the website, those that serve analysis purposes and those that serve advertising purposes. When you visit our website for the first time, a GDPR-compliant notice appears ("Consent Banner") and you can select which cookies are stored. There you can also see which cookies are stored in detail for which processing purposes.

You can also set your browser to inform you when cookies are stored and decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings.

We expressly point out that the functionality of our website may be limited if cookies are not accepted.

Insofar as personal data is also processed through implemented cookies, which are technically necessary for the operation of our website, the processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR to protect our legitimate interests in the best possible functionality of the website as well as a customer-friendly and effective design of the page visit.

Insofar as personal data is also processed through implemented cookies that serve analysis purposes, the processing is carried out in accordance with Art. 6 para. 1 lit. a GDPR on the basis of your consent, which you give us through your corresponding selection decision in the Consent Banner. The same applies with regard to your selection decision on cookies that are stored for advertising purposes. Your consent can be revoked at any time. You can call up our Consent Banner in the footer again at any time and adjust your settings.

2. Provision of the website and creation of log files

Each time you visit our website, our system automatically collects data of your browsing activities from the system of the calling device.

The following browsing data is collected:

  • IP address
  • Browser type and version
  • Operating system
  • Date and time of the visit to the website
  • Access status / Http status code
  • GMT time zone difference
  • Amount of data transferred
  • Internet page/source/reference from which the visit to the website is made

This data is not stored together with your other personal data.

The temporary storage of the IP address is necessary to enable delivery of the website to your device. For this purpose, your IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for other purposes does not take place in this context.

This is also our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR, which serves as the legal basis for the processing of your personal data in the context of log file collection.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In case of the collection of data for the provision of the website, the data is deleted when the respective session has ended. In the case of storage of data in log files, the deletion takes place after 14 days at the latest. Storage beyond this period is possible for the purpose of website safety and security, if we are obliged to retain the data for longer time periods or if we need the data for the defense or assertion of legal claims.

The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility to object.

3. Use of OneTrust

We use the cookie consent technology of OneTrust on our website. OneTrust is provided by OneTrust Technology Limited, 82 St. John Street, London, EC 1M 4JN, United Kingdom, or OneTrust LLC, 1200 Abernathy Rd NE, Sandy Springs, GA 303328, USA ("OneTrust").

By integrating a corresponding JavaScript code, a Consent Banner is displayed when you call up the page, in which you can grant consent for certain cookies and/or cookie-based applications by setting a check mark. In this case, the tool blocks the setting of all cookies requiring consent until you grant the corresponding consent by setting a check mark. This ensures that such cookies are only set on your device if you have given your consent.

In order for the Consent Banner to be able to clearly assign page views to individual users and to individually record, log and store the consent settings made by the user, certain user information (including the IP address) is collected when our website is called up by the Consent Banner, transmitted to OneTrust servers and stored there.

Further information on cookies and OneTrust can be found at Privacy Overview One Trust

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. f GDPR. We need OneTrust to provide you with a privacy-compliant consent banner on our website, which allows you to opt-out of cookies. Consequently, there is no possibility to object.

If the use of OneTrust results in a transfer of your personal data to the USA, this will take place in accordance with Art. 45 GDPR on the basis of the adequacy decision issued for the USA, with which the EU Commission has determined a level of data protection in the USA comparable to that in the EU. OneTrust has certified itself for the EU-US Data Privacy Framework on which the adequacy decision is based. You may search the Data Privacy Framework List. 

The retention period of your data is 12 months, starting from your consent within the Consent Banner. After that, your data will be deleted automatically. 

4. Use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google. Google is a group of companies and consists of Google Ireland Ltd. (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as well as other affiliated companies of Google LLC ("Google").

Google Analytics uses cookies that allow an analysis of the use of the website. The information generated by the cookies about your use of our website is transmitted to a Google server in the USA and stored there.

Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google may associate your IP address with other data held by Google.

You can prevent the installation of cookies by setting your browser software accordingly. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some Internet browsers. You can also prevent the collection of data generated by Google Analytics and related to your use of the website (including IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available here. However, we would like to point out that you may not be able to use all the functions of our website to their full extent if you implement these preventive measures.

The processing of your personal data is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you grant us by your selection decision in the Consent Banner. The transfer of your personal data to the USA is carried out in accordance with Art. 45 GDPR on the basis of the adequacy decision issued for the USA, with which the EU Commission has determined a level of data protection in the USA comparable to that in the EU. Google has joined the underlying EU-US Data Privacy Framework. You may visit the Data Privacy Framework List to verify. 

Your consent can be revoked at any time with effect for the future. You can call up our Consent Banner in the footer again at any time and adjust your settings.

D. Data processing when using the Customer Portal

1. Scope, purpose and legal basis of data processing

To access our OEM (original equipment manufacturer) repair information, you can create a free test account in our Customer Portal. This requires registration in advance, during which the following personal data will be requested:

  • First name
  • Last name
  • Job title
  • E-mail address
  • Telephone or mobile phone number
  • Language

The personal data marked with an asterisk (first name, last name, e-mail address and telephone or mobile phone number) is mandatory information, without which registration is not possible. The provision of further personal data, on the other hand, is voluntary.

We need your first and last name as well as your e-mail address in order to create an individualized account for you in the Customer Portal and your telephone or mobile phone number in order to contact you in case of queries. In addition, we use this data to check whether you have already had a test account in the past. After the end of the test period, your data will be transferred to the existing customer contract with us and is required for billing purposes, among other things.

The processing of the mandatory data is carried out for the initiation of a customer contract between you and us based on Art. 6 para. 1 lit. b GDPR. After the conclusion of the contract, this data is used for the performance of the contract and will be processed by us for this purpose according to Art. 6 para. 1 lit. b, para. 2 GDPR. 

The processing of personal data voluntarily provided by you is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. Your consent can be revoked at any time with effect for the future. To do so, follow the link to the Data Subject Access Request (DSAR).

Your personal data will be deleted as soon as they are no longer required to achieve the purposes for which they were collected. If a customer contract is concluded between you and us, the data will be stored for the duration of the contractual relationship and deleted upon termination of the contract after expiry of the statutory retention obligations. Enrollment of a free trial or other program creates a contractual relationship between you and us. 

2. Newsletter

When you register an account with us, you are provided the opportunity to subscribe to our promotional and marketing newsletters. For Germany, Austria and Switzerland, we use a Double-Opt-In mechanism to confirm your subscription. Once you are registered with our website, we will send you an e-mail to the e-mail address you provided, asking you to confirm that you would like us to send you newsletters in the future. Only when you reconfirm your subscription will we add you to our newsletter distribution list. For other countries, the subscription process may vary and may not require a double opt-in confirmation. In addition to the data provided by you during registration, we collect the time of these activities. 

The processing of your personal data when registering for our newsletter is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent to receiving the newsletters at any time by clicking on the “Unsubscribe” link contained in each newsletter email.

To process your personal data and send the newsletters, we use the marketing tool provided by a carefully selected service provider, Act-On Software, Inc., Located at 121 SW Morrison St., Suite 1600, Portland, OR 97204, USA. Act-On processes your personal data exclusively under our instructions for the purpose specified by us within the framework of a data processing agreement pursuant to Art. 28 GDPR and is obligated to comply with the applicable data protection provisions consistent with the GDPR. Your personal data disclosed in connection with this processing may only be stored for the purpose of sending the newsletters. Act-On is not permitted to use your personal data for any other purpose.Your email address and necessary data will be retained until you opt-out of receiving the newsletters, unless there is another reason for data retention (e.g. performance of a contract between you and us). 

E. Other data processing operations

1. Contact by e-mail

If you contact us by e-mail, your e-mail address will be stored so that we can reply. The personal data that comes with your e-mail (e.g. title, first name, last name, telephone number) will also be captured.

The processing of your personal data is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you give us by contacting us by e-mail. If your e-mail is in connection with the initiation, performance or termination of a contract with us, the processing of your personal data is based on Art. 6 para. 1 lit. b GDPR.

Your consent can be revoked at any time with effect in the future. To do so, follow the link to the Data Subject Access Request (DSAR).

Subject to legal retention periods, your personal data will be deleted as soon as we have conclusively processed your request and unless it is stored for other legitimate purposes (e.g. for contract performance).

F. Your rights as a data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights against us as the controller:

1. Right to information

You can request confirmation from us as to whether your personal data is being processed by us. If such processing is taking place, you can request information about the following from us in accordance with Art. 15 GDPR:

  • Purposes for which the personal data are processed
  • Categories of personal data that are processed
  • Recipients or categories of recipients to whom your personal data have been or will be disclosed
  • Planned duration of the storage of your personal data or, if concrete information on this is not possible, criteria for determining the storage duration
  • Existence of a right to rectification or erasure of your personal data, a right to restriction of processing by us or a right to object to such processing
  • Existence of a right of appeal to a supervisory authority
  • All available information about the origin of the data, if the personal data is not collected from you
  • Existence of automated decision-making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and the intended effects of such processing on you

Furthermore, you have the right to request information about whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed about the safeguards we implement to protect your personal data pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

According to Art. 16 GDPR, you have a right of rectification and/or completion against us if your personal data is incorrect and/or incomplete. We must carry out the correction without delay.

3. Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of your personal data in accordance with Art. 18 GDPR:

  • If you dispute the accuracy of your personal data, during the period when we verify the accuracy of your personal data, you may request the processing of this data be restricted
  • Processing is unlawful and you object to the deletion of the personal data and request the restriction of the use of the personal data instead
  • We no longer need the personal data for the purposes of processing, but you need them for the assertion, exercise or defense of legal claims, or
  • If you have objected to the processing of your personal data pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether our legitimate grounds to process your data override your interest in the data

If the processing of your personal data has been restricted, this data - apart from its storage - may only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. You will be informed by us before the restriction is lifted.

4. Right to erasure

a. Obligation to delete

Pursuant to Art. 17 GDPR, you may request us to delete your personal data without undue delay. We are obliged to delete this data immediately if one of the following reasons applies:

  • Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed
  • Your consent, on which the processing was based according to Art. 6 para. 1 lit. a GDPR, is revoked by you and there is no other legal basis for the processing
  • You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing
  • You object to the processing pursuant to Art. 21 para. 2 GDPR
  • Your personal data have been processed unlawfully
  • Deletion of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject
  • Your personal data was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR

b. Information to third parties

If we have made your personal data public and we are obliged to delete it pursuant to Article 17 para. 1 GDPR, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform controllers who process your personal data that you have requested them to delete all links to or copies or replications of such personal data.

c. Exceptions to the right to erasure

The right to erasure does not exist insofar as the processing is necessary:

  • On the exercise of the right to freedom of expression and information
  • For compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
  • For reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i GDPR and Art. 9 para. 3 GDPR
  • For archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the right referred to in Section 1 is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
  • For the assertion, exercise or defense of legal claims.

d. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged pursuant to Art. 19 GDPR to notify all recipients to whom your personal data have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.

e. Right to data portability

According to Art. 20 GDPR, you have the right to receive your personal data, which you have provided to us, in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller to whom the personal data has been provided without hindrance from us, provided that

  • The processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and

  • The processing is carried out with the aid of automated procedures

In exercising this right, you also have the right to have your personal data transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

f. Right of objection

According to Art. 21 GDPR, you have the right to object at any time to the processing of your personal data based on Art. 6 para. 1 lit. e or f GDPR for reasons arising from your particular situation; this also applies to profiling based on these provisions. The objection must be substantiated.

Upon receipt of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling, insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services - notwithstanding Directive 2002/58/EC - to exercise your right to object by means of automated procedures using technical specifications.

g. Right to revoke the declaration of consent under data protection law

Pursuant to Art. 7 para. 3 GDPR, you have the right to revoke your declaration of consent granted under data protection law at any time - even before the GDPR came into force (05/25/2018). The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Furthermore, you can revoke the consent given in our Consent Banner at any time. To do so, call up our consent banner again. You will find the link button to the Consent Banner in the footer of our website. Please note that the revocation does not affect the lawfulness of the processing until the revocation.

h. Automated individual decision-making including profiling

Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision.

  • is necessary for the conclusion or performance of a contract between you and us, or

  • is permitted by legislation of the Union or the Member States to which we are subject, and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or

  • is done with your express consent

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies, and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

We take reasonable steps to protect your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on our side, to express your point of view and to contest the decision.

i. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78  GDPR.

The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationssicherheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Düsseldorf
Tel.: +49 (0) 211 38424-0
Telefax: +49 (0) 211 38424-999
E-Mail: poststelle@ldi.nrw.de