Data Privacy Statement

of the Compass Group

I.                   Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation, other national data protection laws of the Member States and other data protection provisions is:

Compass-Verlag GmbH

Schönbrunner Strasse 231

1120 Vienna

Austria

Phone: +43 / 1 / 981 16-0

Email: office[at]compass.at

Website: www.compass.at

II.                Name and Address of the Data Protection Officer

The Controller's Data Protection Officer is:

Dr. Georg Hittmair

Schönbrunner Strasse 231

1120 Vienna

Austria

Email: datenschutzbeauftragte[at]compass.at

III.             General information on Data Processing

1.     Extent of the Processing of Personal Data

As a matter of principle, we collect and use our users' personal data only to the extent that this is necessary for providing an operable website and our contents and services. As a rule, the personal data of our users is collected and used only upon the user’s prior consent. A derogation applies to cases where prior obtaining of consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.

2.     Legal Basis for the Processing of Personal Data

Insofar as we obtain the data subject’s consent to the processing of their personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) constitutes the legal basis.

For the processing of personal data that is necessary for performing a contract to which the data subject is a party, Article 6(1)(b) GDPR constitutes the legal basis. This also applies to processing activities which are necessary to implement pre-contractual measures.

Insofar as processing of personal data is necessary to fulfil a legal obligation to which this company is subject, Article 6(1)(c) GDPR constitutes the legal basis.

In the event that processing of personal data is necessary in order to protect vital interests of the data subject or another natural person, Article 6(1)(d) GDPR constitutes the legal basis.

Article 6(1)(f) GDPR constitutes the legal basis for data processing which is necessary to safeguard the legitimate interests of this company or those of a third party and where the interests, fundamental rights or fundamental freedoms of the data subject do not prevail over such interests.

3.     Erasure of Data; Storage Period

The data subject's personal data will be erased or access to such data will be blocked as soon as the purpose of storing ceases to exist. Data may continue to be stored if this has been provided for by the EU or the national legislator in EU regulations, legislation or other provisions to which the controller is subject. Access to data will be blocked or data will be erased upon expiry of a storage period prescribed by such legislation, unless continued storage of the data is required for conclusion or performance of a contract.

IV.            Collection of Data for Compass Products (Information as defined in Article 14 GDPR)

1.     Extent of the Processing of Personal Data

Compass-Verlag GmbH has been working as a directory publishing company for 150 years. In its business databases it publishes data of Austrian business enterprises and, in addition to the (Austrian) Business Register, we also use other registers and editorial research as a source. In the interest of our customers we aim to ensure completeness and accuracy. Link to a presentation of our company:  https://compass.at/en/about-compass. When processing data of natural persons our activities are subject to the General Data Protection Regulation and the Austrian Data Protection Act [DSG].

Our core business is

·         to collect and structure

·         data that is publicly available or has been researched by us

·         regarding Austrian business entities

·         from different sources

·         and to import it into our own databases and

·         to pass it on as a convenient information product in different technical formats 

for a fee. Our customers may use such information to continuously monitor their own customer relations and to combat fraud.

2.     Legal Basis for the Processing of Personal Data

The activities of Compass-Verlag GmbH are primarily governed by Article 6(1)(f) GDPR; processing is required to safeguard the Controller’s or a third party’s legitimate interests. We may refer you to Recital 47, which defines the prevention of fraud as a legitimate interest and states that the processing of personal data for the purpose of direct marketing can be regarded as processing that serves a legitimate interest.

Where data subjects provide us with data we are pleased to receive their consent as defined in Article 6(1)(a) GDPR.

3.     Purpose of Data Processing

Compass-Verlag GmbH possesses several trade licences to provide its services:

·         directory publishing company and direct marketing company as defined in Section 151 of the Austrian Trade Code [Gewerbeordnung/GewO]

·         credit agency as defined in Section 152 GewO

·         book publishing house as defined in Section 103(1)(b) No. 7 GewO 1973

·         bookseller as defined in Section 103(1)(b) No. 6 GewO 1973, limited to the sale of the publisher’s own reference books / directories and the purchase and sale of reference books / directories and address books and academic works on economics and business of other publishers

·         services in automated data processing and information technology

·         advertising agency as defined in Section 103(1)(b) No. 55 GewO 1973, limited to reference books / directories, address books and academic works on economics and business

The purpose of data processing as defined in Article 5(1)(b) GDPR therefore is to support the provision of services expressly permitted by the Trade Code.

4.     Source of Personal Data

The sources of the personal data used by Compass-Verlag GmbH include but are not limited to: the Austrian Business Register [Firmenbuch], the Austrian Trade Register [Gewerberegister], the Austrian Trademark Register [Markenregister], the Austrian Patent Register [Patentregister], supplementary registers of other data subjects, the Austrian Medical Chamber [Ärztekammer], telephone directories of information agencies, the Austrian Register of Associations [Vereinsregister], the Austrian Chamber of Notaries [Notariatskammer], dentists, veterinarians, the Austrian Federal Ministry of Health [Bundesministerium für Gesundheit], the Chamber of Public Accountants and Tax Advisors [Kammer der Wirtschaftstreuhänder], the Austrian Federal Economic Chamber [Wirtschaftskammer Österreich], the Financial Market Authority [Finanzmarktaufsicht].

5.     Categories of Personal Data

All data categories from the underlying public registers will be stored.

The following data may be contained: internal ID, name, title, sex, date of birth, contact details, official ID (e.g. ZVR [Central Register of Associations] number).

6.     Categories of Recipients

The recipients of the data are users of Compass services. 

7.     Storage Period

We store data permanently because historical data is also of great value to us and our customers. For example, Compass books from the interwar period were used as a key source for handling restitution issues. We have digitised all data gathered in 150 years of publishing and offer this historical data in a separate product.

8.     Right to Object and Right to Erasure

Article 14 GDPR provides for obligations to provide information where personal data has not been obtained from the data subject; paragraph 5 of that Article, however, provides for exemptions from those information obligations. Two of the exemptions apply to us:

Paragraphs 1 to 4 (= obligation to provide information) do not apply where and insofar as

(b) the provision of such information proves impossible or would involve a disproportionate effort;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the Controller is subject and which provides appropriate measures to protect the data subject's legitimate interests.

Almost all data of Compass products originate from freely accessible public databases. Re-use of such data is regulated in Directive 2013/37/EU and by the Austrian Act on Re-use of Public Sector Information. All of the said legislation contains a reference to data protection provisions and therefore falls under letter (c). Moreover, informing millions of data subjects would involve a disproportionate effort. That is why we make such information available to the public, as is also provided for in the last sentence of Article 14(5)(b) GDPR.

V.               Provision of the Website and Creation of Log Files

1.     Description and Extent of Data Processing

Each time our website is visited, our system will automatically collect data and information from the computer system of the retrieving computer.

When this happens the following data will be collected:

(1)    information on the browser type and the version used;

(2)    the user’s operating system;

(3)    the user's IP address;

(4)    date and time of access;

(5)    websites from which the user's system is referred to our website;

(6)    websites accessed by the user's system via our website;

(7)    the user’s request.

Such data will be stored in the log files of our system as well. Such data will not be stored together with other personal data of the user.

2.     Legal Basis for Data Processing

The legal basis for temporary storage of data and log files is Article 6(1)(f) GDPR.

3.     Purpose of Data Processing

Temporary storage of the IP address by the system is necessary for delivery of the website to the user's computer. For that purpose the user’s IP address must be stored for the duration of the session.

Log files are stored to ensure the website’s functionality. In addition, such data helps us to optimise the website and ensure security of our IT systems. In this connection the data will not be analysed for marketing purposes.

The said purposes also constitute our legitimate interest in data processing as defined in Article 6(1)(f) GDPR.

4.     Storage Period

The data will be erased once it is no longer needed for achieving the purpose for which it was collected. Where data is collected for provision of the website, this will be done when the relevant session has ended.

Where data is stored in log files, this will be done after a maximum of three (3) months. Storage beyond that period is possible. In that case the IP addresses of the users will be deleted or masked so that the retrieving client can no longer be identified.

5.     Right to Object and Right to Erasure

Collection of data for provision of the website and storage of data in log files is mandatory for operation of the website. Consequently, users have no right to object.

VI.            Use of Cookies

1.     Description and Extent of Data Processing

Our website uses cookies. Cookies are text files which are stored in the user's computer system in or by the internet browser. When a user accesses a website, a cookie may be stored in the user's operating system. That cookie contains a characteristic string of characters which allows unambiguous identification of the browser when the website is accessed again.

We use cookies to make the website more user-friendly. Some elements of our website require the retrieving browser to be identified even after changing to another website.

The following data will be stored and transmitted in the cookies:

(1)    log-in data

(2)    whether or not the cookie notification was viewed

(3)    billing address, if requested

Our website uses cookies which allow an analysis of the users' browsing behaviour.

The following data may be transmitted in this way:

(1)    frequency of site visits

(2)    Survey of the Austrian Web Analysis Association [Österreichische Webanalyse/ÖWA]

The user data which is collected in this way is pseudonymised through technical measures. Consequently, the data can no longer be associated with the retrieving user. The data will not be stored together with other personal data of the users.

When accessing our website an information banner will inform users about the use of cookies for analysing purposes and will refer to this Privacy Statement.

2.     Legal Basis for Data Processing

The legal basis for processing personal data by using cookies is Article 6(1)(f) GDPR.

3.     Purpose of Data Processing

The purpose of using technically necessary cookies is to make the use of websites easier for users. Some features of our website cannot be provided without the use of cookies. For those it is necessary for the browser to be recognised even after changing to another website.

We need cookies for the following applications:

(1)    log-in data

(2)    memorising the billing address

(3)    non-display of the cookie notification

The user data collected by technically necessary cookies will not be used to create user profiles.

Analytical cookies are used for the purpose of enhancing the quality and contents of our website. By means of analytical cookies we learn how the website is used and are thus able to constantly optimise our offer.

Analytical cookies count the number of visitors to the websites and record their behaviour on our websites. This allows us to optimise our websites so that users find the most frequently used functions more quickly.

The said purposes also constitute our legitimate interest in the processing of personal data as defined in Article 6(1)(f) GDPR.

4.     Storage Period, Right to Object and Right to Erasure

Cookies are stored on the user's computer and transmitted from there to our website. Therefore, you as the user have full control over the use of cookies. By adjusting the settings in your internet browser you can disable or restrict transmission of cookies. Cookies which have been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, you may no longer be able to use all of the website's functions in full.

VII.         Newsletter

1.     Description and Extent of Data Processing

On our website you may subscribe to a free newsletter. When registering for the newsletter the data from the entry mask will be transmitted to us.

The following data will be collected during the registration process:

(1)    email address

(2)    name

(3)    IP address of the calling computer

(4)    date and time of registration

In connection with the registration process your consent to data processing will be obtained with reference to this Privacy Statement.

In connection with data processing for the mailing of newsletters no data will be passed on to third parties. Data will exclusively be used for mailing the newsletter.

2.     Legal Basis for Data Processing

The legal basis for data processing after the user's registration for the newsletter is Article 6(1)(a) GDPR, provided that the user has given their consent thereto.

In addition, preparing and using interest profiles and consumer behaviour profiles for target group segmentation constitutes legitimate processing of data for direct advertising purposes which is therefore permissible without the consent of the data subject. In cases where no consent was given or where the consent is not correct, we consider Article 6(1)(f) GDPR to be an effective legal basis.

3.     Purpose of Data Processing

The collection of the user’s email address serves the purpose of delivering the newsletter.

Collection of other personal data in the course of the registration process serves the purpose of preventing misuse of the services or the email address used.

4.     Storage Period

Data will be erased once it is no longer necessary to achieve the purpose for which it was collected. Thus, the user’s email address will be stored for as long as the subscription to the newsletter is active.

5.     Right to Object and Right to Erasure

Users may cancel their subscription to the newsletter at any time. A relevant link is contained in every newsletter.

This also allows withdrawal of consent to storing of personal data collected during the registration process.

VIII.       Contact Form and Email Contact

1.     Description and Extent of Data Processing

Our website provides a contact form, which may be used to contact us electronically. If a user makes use of that option, the data entered into the input mask will be transmitted to us and stored. This data includes:

·         first name

·         surname

·         title

·         business name

·         email address

·         subject

·         message

In addition, the following data is stored at the time the message is sent:

·         the user's IP address;

·         date and time of registration

When you contact us your details will be used for processing and handling the contact request, in particular in the context of exercising or fulfilling pre-contractual rights and obligations under Article 6(1)(b) GDPR. In other cases processing of your data is necessary for the legitimate interests as defined in Article 6(1)(f) GDPR in replying to your request and any further correspondence.

Alternatively, you may contact us via the email address provided. In that case the user's personal data transmitted by email will be stored.

In this context no data will be passed on to third parties. Data will be used exclusively for processing the conversation.

2.     Legal Basis for Data Processing

The legal basis for data processing is Article 6(1)(a) GDPR, provided that the user has given their consent.

The legal basis for processing data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the purpose of the email contact is to conclude a contract, Article 6(1)(b) GDPR is an additional legal basis for processing.

3.     Purpose of Data Processing

Personal data from the input mask will be processed by us only to process your contact request. If you contact us by email, this also constitutes the necessary legitimate interest in data processing.

Other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

4.     Storage Period

The data will be erased once it is no longer needed for achieving the purpose for which it was collected. For personal data from the input mask of the contact form and for personal data sent by email this is the case once the relevant conversation with the user ends. A conversation ends if and when the circumstances suggest that the matter concerned has been clarified exhaustively.

 Any additional personal data collected during the sending process will be erased after a maximum period of seven days.

5.     Right to Object and Right to Erasure

The user may withdraw their consent to the processing of their personal data at any time. If the user contacts us by email, they may object to storage of their personal data at any time. In that case the conversation cannot be continued.

You may withdraw your consent and object to storage at any time by sending an email to datenschutz@compass.at.

 In that case all personal data stored during our contact will be erased.

IX.            Web Analysis by Matomo (formerly: PIWIK)

1.     Extent of the Processing of Personal Data

Our website uses the open-source software tool Matomo (formerly: PIWIK) to analyse the browsing behaviour of our users. The software places a cookie on the user’s computer (for information on cookies see above). If specific pages of our website are accessed, the following data will be stored:

·         two bytes of the IP address of the user’s calling system;

·         the accessed website;

·         the website from which the user was referred to the accessed website (referrer);

·         the sub-pages accessed from the accessed website

·         the time spent on the website;

·         the frequency at which the website is accessed.

The software runs exclusively on the servers of our website. Personal data of users is only stored there. The data is not passed on to third parties.

The software is set in such a way that the IP addresses are not stored completely, but two (2) bytes of the IP address are masked (e.g. 192.168.xxx.xxx). In this way it is no longer possible to associate the shortened IP address with the retrieving computer.

2.     Legal Basis for the Processing of Personal Data

The legal basis for processing personal data of users is Article 6(1)(f) GDPR.

3.     Purpose of Data Processing

Processing personal data of users allows us to analyse the browsing behaviour of our users. By analysing the data collected we are able to compile information on the use of specific components of our website. This helps us to constantly improve our website and its user-friendliness. For the said purposes we have a legitimate interest in data processing as defined in Article 6(1)(f) GDPR. By anonymising the IP address the users’ interest in protecting their personal data is sufficiently taken account of.

4.     Storage Period

The data will be erased once it is no longer required for our recording purposes.

5.     Right to Object and Right to Erasure

Cookies are stored on the user's computer and transmitted from there to our website. Therefore, you as the user have full control over the use of cookies. By adjusting the settings in your internet browser you can disable or restrict the transmission of cookies. Cookies which have been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, you may no longer be able to use all of the website's functions in full.

Our website offers our users the possibility to opt out from the analysis procedure. To opt out use the following link: (https://analytics.compass.at/index.php?module=CoreAdminHome&action=optOut&language=de-%20&backgroundColor=&fontColor=&fontSize=&fontFamily). In this way another cookie will be placed on their system that signals to our system not to store user data. If a user deletes the relevant cookie from their own system in the meantime, they must set the opt-out cookie again.

For more detailed information on privacy settings of Matomo software please visit: https://matomo.org/docs/privacy/.

X.               E-Commerce

1.     Extent of the Processing of Personal Data

We offer a platform for concluding purchase or service contracts.

In order to provide the same, the following personal data is processed:

·         email address

·         first name and surname

·         business name

·         address

·         products

·         IP address for VAT calculation

2.     Legal Basis for the Processing of Personal Data

The legal basis for processing personal data is Article 6(1)(b) GDPR.

3.     Purpose of Data Processing

Storage of the data is necessary for you to be able to buy our products and for us to issue a bill.

4.     Storage Period

Data will generally be erased once the purpose for which it was collected has been achieved.

We are under a statutory obligation to retain bills for seven (7) years.

5.     Right to Object and Right to Erasure

Collection and storage of data is absolutely necessary when users purchase our products. Consequently, users have no right to object.

XI.            Google Tag Manager

Our website uses the Google Tag Manager services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as Google is listed in the EU-US Data Privacy Framework https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

When you start Google Tag Manager your browser establishes a connection to the servers of Google.  Most of them are located in the United States of America. This way, Google learns that our website was accessed via your IP address. For information on the exact location of Google data centres please visit: https://www.google.com/about/datacenters/inside/locations/.

Google Tag Manager is a service by means of which website tags can be managed via an interface. This way, we can integrate code snippets such as tracking codes or conversion pixels into websites without interfering with the source code. Google Tag Manager activates other tags which may, in turn, collect data. However, Google Tag Manager does not access such data. In the case of deactivation at domain level or cookie level the deactivation continues to be effective for all tracking tags which are implemented by means of Google Tag Manager.

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw such consent with effect for the future at any time.

You can find more information on data protection on the following Google websites:

·         Privacy Statement: https://policies.google.com/privacy

·         FAQ Google Tag Manager: https://support.google.com/tagmanager/?hl=en-AU#topic=3441647

·         Terms of Use of Google Tag Manager: https://marketingplatform.google.com/intl/en/about/analytics/tag-manager/use-policy/

In order to provide appropriate safeguards for the protection of your personal data any data transmissions to Google servers in the USA are also based on EU standard data protection clauses pursuant to Article 46(2)(c) GDPR:  https://business.safety.google/adsprocessorterms/.

XII.         Google Marketing Platform / Google Ad Manager (formerly Doubleclick)

Purpose: Marketing
Receiving country: USA

For the purpose of analysis, optimisation and commercial operation of our online services our website uses the Google Marketing Platform / Google Ad Manager of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as Google is listed in the EU-US Data Privacy Framework https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

This is done by means of a pseudonymous identification number (pID), which your browser receives and is assigned. The pID allows Google to recognise the ads which have been displayed to you and accessed by you. The data serves the purpose of placing ads across websites by allowing Google to identify the sites visited.

The information generated is transferred by Google to a server in the USA for analysis and will be stored there. Data transfers by Google to third parties will exclusively be made on the basis of statutory regulations or in the course of commissioned data processing. Google will in no case merge your data with other data collected by Google.

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw such consent with effect for the future at any time.

For information on the exact location of Google data centres please visit: https://www.google.com/about/datacenters/inside/locations/.

For more information on data usage by Google, settings options and the right to object please refer to the Google Privacy Policy on https://policies.google.com/technologies/ads?hl=en and the settings for displaying Google ads on https://adssettings.google.com/authenticated.

In order to provide appropriate safeguards for the protection of your personal data any data transmissions to Google servers in the USA are also based on EU standard data protection clauses pursuant to Article 46(2)(c) GDPR: https://business.safety.google/adscontrollerterms

XIII.       Microsoft Advertising

Purpose: Statistics
Receiving country: USA

Our website uses the Microsoft Advertising service (formerly Bing Ads) for analysing and optimising commercial operation. Microsoft Advertising is a conversion and tracking service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft").

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as Microsoft is listed in the EU-US Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active.

Microsoft Advertising places cookies on the devices of the users that analyse the user behaviour on our website. This requires that the user accessed our website via a Microsoft Advertising ad. This way, we receive information on the total number of users who clicked on such an ad, who were redirected to our website and had previously reached a certain target site (referred to as conversion measurement). No IP addresses are being stored and no personal information on the identity of our users is being provided.

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw such consent with effect for the future at any time.

For more information on the analysis services of Microsoft Advertising please visit the Microsoft website https://help.ads.microsoft.com/#apex/3/en/53056/2.

For more information on data protection at Microsoft please read Microsoft's Privacy Policy on https://privacy.microsoft.com/en-gb/privacystatement.

In order to provide appropriate safeguards for the protection of your personal data any data transmissions to Microsoft servers in the USA are also based on EU standard data protection clauses pursuant to Article 46(2)(c) GDPR: https://about.ads.microsoft.com/en-gb/resources/policies/microsoft-advertising-agreement

XIV.      LinkedIn Conversion Tracking (Marketing)

Our website uses LinkedIn Conversion Tracking, a web analysis service provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA.

The information on your use of our website recorded by the LinkedIn Insight Tag will be encrypted. 

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. Such consent may be withdrawn at any time with effect for the future.

LinkedIn members may also choose not to accept LinkedIn Conversion Tracking and go to https://www.linkedin.com/psettings/advertising/ in order to block or delete cookies or to deactivate the demographic features. LinkedIn does not offer a separate opt-out option for third-party impressions or click tracking for campaigns running on LinkedIn, since all underlying campaigns respect the settings of the LinkedIn members.

We use LinkedIn Conversion Tracking in order to analyse and regularly enhance the use of our website. The statistics gained allow us to improve our offers and make them more interesting to you as a user. 

More information by the third-party provider: 

https://www.linkedin.com/legal/privacy-policy
https://www.linkedin.com/help/lms/answer/85787
https://www.linkedin.com/help/linkedin/answer/a1444756/linkedin-marketinglosungen-und-die-datenschutz-grundverordnung-dsgvo-?lang=en

In connection with this service data is transmitted to the USA; in any case the possibility thereof cannot be excluded. In order to provide appropriate safeguards for the protection of your personal data any data transmissions to LinkedIn servers in the USA are based on EU standard data protection clauses pursuant to Article 46(2)(c) GDPR: https://de.linkedin.com/legal/l/dpa

XV.        Google AdSense with Personalised Ads

For the purpose of analysis, optimisation and commercial operation of our online services our website uses the AdSense service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as Google is listed in the EU-US Data Privacy Framework https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

AdSense helps to display ads on our website for whose display or other use we are paid. For these purposes user data such as a user's clicking on an ad and their IP address are processed.

We use AdSense with personalised ads. To this end, Google draws conclusions on users' interests on the basis of the websites visited or the apps used by these users as well as the user profiles thus created.  Advertisers use this information to tailor their campaigns to these interests, which benefits both users and advertisers. Google regards advertisements as personalised if and when recorded or known data determines or influences the choice of advertisements. It includes, among other things, previous search requests, activities, website visits, the use of apps, demographic and location information. In detail it includes: demographic targeting, targeting based on interest categories, remarketing and targeting based on lists for customer matching and target group lists that are uploaded to DoubleClick Bid Manager or Campaign Manager.

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw such consent with effect for the future at any time.

For more information on data usage by Google, settings options and the right to object please refer to the Google Privacy Policy (https://policies.google.com/technologies/ads?hl=en) and the settings for displaying Google ads (https://adssettings.google.com/authenticated).

In order to provide appropriate safeguards for the protection of your personal data, any data transmissions to Google servers in the USA are also based on EU standard data protection clauses pursuant to Article 46(2)(c) GDPR: https://business.safety.google/adsprocessorterms/

XVI.      Google AdSense with Non-Personalised Ads

For the purpose of analysis, optimisation and commercial operation of our online services our website uses the AdSense service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as Google is listed in the EU-US Data Privacy Framework https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

AdSense helps to display ads on our website for the display or other use of which we are paid. For these purposes user data such as clicking on an ad and the IP address are processed, with the last two digits of the IP address being truncated.

We will use AdSense with non-personalised ads unless consent was given to the processing of personal data. The ads are not shown on the basis of user profiles. Thus, non-personalised ads are not based on previous user behaviour. Targeting uses context information including, without being limited to, rough (e.g. at a local level) geographical targeting based on the current location, the content of the current website or the app and recent search terms. Google prevents any personalised targeting, i.e. also demographic targeting and targeting on the basis of user lists.

For more information on data usage by Google, settings options and the right to object please refer to the Google Privacy Policy (https://policies.google.com/technologies/ads?hl=en) and the settings for displaying Google ads (https://adssettings.google.com/authenticated).

In order to provide appropriate safeguards for the protection of your personal data, any data transmissions to Google servers in the USA are also based on EU standard data protection clauses pursuant to Article 46(2)(c) GDPR: https://business.safety.google/adsprocessorterms/

XVII.   Rights of the Data Subject

The following list includes all rights of data subjects under the GDPR. Rights which are of no relevance to our own website need not be mentioned. Thus, the list can be abridged.

If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights vis-à-vis the controller:

1.     Right of Access

You may ask the controller to confirm whether personal data concerning you is processed by us.

If such processing takes place, you may request the following information from the controller:

(1)        the purposes for which personal data is processed;

(2)        the categories of personal data being processed;

(3)        the recipients or categories of recipients to whom personal data concerning you has been or will be disclosed;

(4)        the planned period for which the personal data concerning you will be stored or, if there is no specific information in this regard, the criteria used to determine that period;

(5)        the existence of a right to rectification or erasure of your personal data, a right of restriction of processing by the controller or a right to object to such processing;

(6)        the existence of a right to lodge a complaint with a supervisory authority;

(7)        all information available on the origin of data where the personal data is not collected from the data subject;

(8)        the existence of automated decision-making including profiling as defined in Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether personal data concerning you will be transferred to a third country or an international organisation. In this context you may request to be informed about appropriate safeguards as defined in Article 46 GDPR in connection with the transfer.

This right of access may be restricted insofar as it is likely to render impossible or to seriously compromise the achievement of research or statistical purposes and where a restriction is necessary for achieving research and statistical purposes.

2.     Right to Rectification

You have a right to rectification and/or completion of data vis-à-vis the controller, where the processed personal data concerning you is incorrect or incomplete. The controller must rectify the data immediately.

Your right to rectification may be restricted insofar as it is likely to render impossible or seriously compromise the achievement of research or statistical purposes and where a restriction is necessary for achieving research and statistical purposes.

3.     Right to Restriction of Processing

You may request restriction of processing of personal data concerning you on the following prerequisites:

(1)        you contest the accuracy of the personal data concerning you for a time period that is long enough to enable the controller to verify accuracy of the personal data;

(2)        processing is unlawful and you oppose erasure of the personal data and request restriction of use of the personal data instead;

(3)        the controller no longer needs the personal data for the purposes of processing, however you need the data for the establishment, exercise or defence of legal claims, or

(4)        you have objected to processing pursuant to Article 21(1) GDPR and it is yet to be determined whether the controller's legitimate grounds outweigh your grounds.

If processing of personal data concerning you was restricted, any other processing of such data, except for storage, is only permissible upon your consent or for the establishment, exercise or defence of legal claims or for protecting the rights of another natural or a legal person or on grounds of an important public interest of the European Union or a Member State.

If processing was restricted in line with the above-mentioned prerequisites, the controller will notify you before the restriction is lifted.

Your right to restriction of processing may be restricted insofar as it is likely to render impossible or seriously compromise the achievement of research or statistical purposes and where a restriction is necessary for achieving research and statistical purposes.

4.     Right to Erasure

a)        Erasure Obligation

You may ask the controller to erase personal data concerning you without undue delay, and the controller has the obligation to erase such data without undue delay if any of the following reasons applies:

(1)        The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.

(2)        You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal basis for processing.

(3)        You object to processing pursuant to Article 21(1) GDPR and there are no prevailing legitimate grounds for processing, or you object to processing pursuant to Article 21(2) GDPR.

(4)        The personal data concerning you was processed unlawfully.

(5)        Erasure of the personal data concerning you is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.

(6)        The personal data concerning you was collected in connection with information society services offered as defined in Article 8(1) GDPR.

b)        Information to Third Parties

If the controller has made public the personal data concerning you and is required to erase it under Article 17(1) GDPR, the controller will take reasonable measures, taking into account the technology available and the cost of implementation, including technical measures, to inform controllers who process the personal data about the fact that you as the data subject have asked for erasure of all links to such personal data or copies or replications of such personal data.

c)        Exceptions

The right to erasure does not apply to the extent that processing is necessary for

(1)        exercising the right of freedom of expression and information;

(2)        fulfilling a legal obligation that requires processing under Union or Member State law to which the controller is subject, or for fulfilling a task which is in the public interest or which is undertaken in the exercise of official authority that was conferred on the controller;

(3)        reasons of public interest in the area of public health as defined in Article 9(2)(h) and (i) as well as Article 9(3) GDPR;

(4)        archiving purposes in the public interest, scientific or historical research purposes or statistical purposes as defined in Article 89(1) GDPR insofar as the right stated in paragraph (a) is likely to render impossible or seriously compromise achievement of the aims of such processing, or

(5)        the establishment, exercise or defence of legal claims.

5.     Right to be Informed

If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller must notify all recipients to whom personal data concerning you has been disclosed of such rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate efforts.

You have a right vis-à-vis the controller to be informed about those recipients.

6.     Right to Data Portability

You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. Moreover, you have the right to transfer this data to another controller without being hindered by the controller to whom the personal data has been provided, where

(1)        processing is based on consent as defined in Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract as defined in Article 6(1)(b) GDPR; and

(2)        processing is carried out by means of automated processes.

When exercising this right you also have the right to request that the personal data concerning you be directly transferred from one controller to another controller to the extent that this is technically feasible. Freedoms or rights of other persons must not be detrimentally affected thereby.

The right to data portability does not apply to the processing of personal data which is necessary for fulfilling a task which is in the public interest or undertaken in the exercise of official authority that was conferred on the controller.

7.     Right to Object

You have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you on the basis of Article 6(1)(e) or (f) GDPR at any time; this also applies to profiling that is based on those provisions.

In that case the controller will no longer process the personal data concerning you unless the controller is able to demonstrate compelling legitimate grounds for the processing that override your interests, rights or freedoms or for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object to processing of the personal data concerning you for the purpose of such advertising at any time; this also applies to profiling to the extent that it is related to such direct marketing.

If you object to processing for the purpose of direct marketing, the personal data concerning you will no longer be processed for such purposes.

In connection with using information society services you may, irrespective of Directive 2002/58/EC, exercise your right to object by automated means for which technical specifications are used.

You also have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you for scientific or historical research purposes or for statistical purposes as defined in Article 89(1) GDPR.

Your right to object may be restricted insofar as it is likely to render impossible or seriously compromise the achievement of the research purposes or statistical purposes and where a restriction is necessary for achieving these research and statistical purposes.

8.     Right to Withdraw Your Consent Given Under Data Protection Law

You may withdraw your consent given under data protection law at any time. The lawfulness of processing done up to the time of withdrawal will not be affected by your withdrawal of consent.

9.     Automated Individual Decision-Making Including Profiling

You have the right not to be subject to any decision that is exclusively based on automated processing, including profiling, which would have a legal effect on you or would significantly affect you detrimentally in a similar way. This does not apply if the decision

(1)        is necessary for concluding or performing a contract between you and the controller,

(2)        is permissible due to legal provisions of Union or Member State law to which the controller is subject and if these legal provisions include appropriate measures to safeguard your rights and freedoms as well as your legitimate interests or

(3)        is made upon your express consent.

However, these decisions must not be based on special categories of personal data as defined in Article 9(1) GDPR unless Article 9(2)(a) or (g) GDPR applies and appropriate measures to safeguard your rights and freedoms as well as your legitimate interests have been taken.

With regard to the cases mentioned in paragraphs (1) and (3), the controller will take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10.     Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy you may have, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged informs the complainant on the progress or outcome of the complaint, including the option of a judicial remedy as defined in Article 78 GDPR.

 

Last revised in October 2023
