1. The person responsible
The person responsible as defined in the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection laws is:
87452 Altusried - OT Krugzell
Phone +49 83 74 / 4 11 00 87
(2) Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific characteristics which are expressions of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
(3) Data subject shall mean any identified or identifiable natural person whose personal data is processed by the controller.
(4) Processing shall mean any operation or set of operations which is carried out with or without the aid of automated processes and which relates to personal data, such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or integration, qualification, erasure or destruction.
(5) Profiling shall mean any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or movements of that natural person.
(6) Pseudonymisation shall mean the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the provision of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.
(7) The controller or data controller shall be the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are laid down by Union law or by the law of the Member States, the controller or controllers may be designated in accordance with Union law or with the law of the Member States on the basis of specific criteria.
(8) A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(9) The recipient shall be a natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not that person is a third party. However, authorities which may receive personal data under a particular investigation mandate in accordance with Union law or the law of the Member States shall not be considered as recipients.
(10) A third party shall mean any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or processor.
(11) Consent shall mean any voluntary, informed and unambiguous expression of the data subject’s will in a particular case, in the form of a statement or other unequivocal confirmatory act, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.
3. Provision of the website and creation of log files
(1) If you only use the website for information purposes, i.e. if you do not register or otherwise provide us with information, we automatically collect the following data and information from the computer system of the calling computer each time you access the website:
- Information about the browser type and the version used
- The user's operating system
- Date and time of access
- Websites from which the user's system accesses the website
- Websites accessed by the user's system via our website
- Content of the calls (specific pages)
- Names of downloaded files
The data is stored in the log files of our server. Not affected by this are the IP addresses of the user or other data which enable the assignment of the data to a user. These data are not stored together with other personal data of the user. When using this general data, we do not draw any conclusions about the person concerned. The data is only evaluated statistically.
(2) The legal basis for the temporary storage of log files is Art. 6 Para. 1 S. lit. f) GDPR.
(3) Temporary storage of data by the system is necessary in order to
- enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.
- optimise the content of our website and the advertising for it
- ensure the functionality of our information technology systems and the technology of our website
- provide law enforcement agencies with the information necessary for law enforcement in the event of a cyber attack.
These purposes also include our legitimate interest in data processing pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR.
(4) The data will be deleted as soon as they are no longer required for the purpose - in this case at the end of the usage process.
(5) The collection of the data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website, which is why there is no possibility of objection.
(1) This website uses so-called cookies. Cookies are small text files that are sent from a web server to your browser when you visit a website. They are stored locally on your terminal device (PC, notebook, tablet, smartphone, etc.) and stored on your computer and send certain information to the user (i.e. us). Cookies do not damage the computer and do not contain viruses. Each cookie contains a characteristic string of characters (so-called cookie ID) that enables the browser to be uniquely identified when the website is called up again.
(4) The legal basis for the processing of personal data using technically necessary cookies is Art. 6 Para. 1 S. 1 lit. f) GDPR.
5. Contact form and e-mails
(1) A contact form is available on our website which can be used for electronic contact. If you make use of this possibility, the data entered in the input mask will be transmitted to us and stored. These data are:
- E-mail address
- Telephone number
At the time the message is sent, the following data will also be stored:
- IP address of the user
- Date and time of registration
Your consent will be obtained for the processing of the data as part of the sending process and reference will be made to this data protection declaration.
(2) You are welcome to contact us by e-mail. In this case, the personal data transmitted with the e-mail will be stored. Insofar as this involves information on communication channels (e.g. e-mail address, telephone number), you also agree that we may contact you via this communication channel in order to respond to your request. The data will not be passed on to third parties in this context. The data will only be used for the processing of the conversation.
(3) The legal basis for the processing of the data is Art. 6 Para. 1 S. 1 lit. a) GDPR if the user has given his consent. The legal basis for processing the data transmitted in the course of sending an e-mail is Art. 6 Para. 1 S.1 lit. f) GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.
(4) The processing of personal data from the input mask serves us solely to process the establishment of contact. We will of course use the data from your e-mail enquiries exclusively for the purpose for which you provide them to us when contacting us. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems. This is also our legitimate interest.
(5) The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the relevant facts have been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest. If the e-mail contact is aimed at the execution of a contract, the data will be deleted after expiry of the statutory (commercial or tax) storage periods required for this purpose.
(6) You have the possibility to revoke your consent to the processing of the e-mail and its contents at any time. In such a case the conversation cannot be continued. Please contact the responsible person in accordance with § 1. However, this revocation possibility only exists if the e-mail contact does not serve the preparation or execution of a contract.
(1) With your consent, you can subscribe to our free newsletter with which we inform you about our current interesting offers. The advertised goods and services are named in the declaration of consent. We use the so-called double opt-in procedure to register for our newsletter. This means that after your registration we will send you an e-mail to the given e-mail address in which we will ask you to confirm that you wish the newsletter to be sent. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we save the IP addresses you use and the dates of registration and confirmation. The purpose of the procedure is to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
(2) Your e-mail address is the only mandatory information for sending the newsletter. The data will be forwarded to our newsletter service.
(3) We would like to point out that we evaluate your user behaviour when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels, which represent one-pixel image files stored on our website. For the evaluations we link the data [log files] and the web beacons mentioned in § 3 with your e-mail address and an individual ID. The data is collected exclusively under a pseudonym, i.e. the IDs are not linked to your other personal data, a direct personal reference is excluded. The legal basis for tracking is Art. 6 Para. 1 S. 1 lit. f) GDPR. This data will not be passed on to third parties. You can object to this tracking at any time by clicking on the separate link provided in each e-mail or by informing us of another contact method. The information is stored as long as you have subscribed to the newsletter. After you have unsubscribed, we store the data purely statistically and anonymously.
(4) We use the CleverReach service provided by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. CleverReach is a service with which the newsletter dispatch can be organized and analyzed. For this purpose, the previously described logged data (IP address, registration/confirmation time) and the data entered are stored on Clever Reach servers in Germany and Ireland. The data is collected exclusively under a pseudonym, i.e. the IDs are not linked to your other personal data and there is no possibility of any direct personal reference. The use of Clever Reach enables us to analyse the behaviour of newsletter recipients. Among other things, it can be analyzed how many recipients have opened the newsletter message and how often which link was clicked in the newsletter. With the help of so-called conversion tracking it can also be analysed whether a predefined action (e.g. purchase of a product on our website) has taken place after clicking on the link in the newsletter. This in turn serves to get to know the reading habits of the users and to adapt the contents to these; however, it is not intended to observe individual users. This is also our legitimate interest. Further information on data analysis through the CleverReach newsletter can be found at: www.cleverreach.com/de/funktionen/reporting-und-tracking/. Data processing for analysis purposes is based on our legitimate interests (Art. 6 para. 1 lit. f) GDPR). If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe and will be deleted from both our servers and CleverReach's servers after you unsubscribe. This does not affect data stored by us for other purposes (e.g. e-mail addresses for the member area). For further details, please refer to CleverReach's data protection regulations at: www.cleverreach.com/de/datenschutz/. We have concluded a contract with CleverReach for order data processing and fully implement the strict requirements of the German data protection authorities when using CleverReach. The use of the CleverReach shipping service, the performance of statistical surveys and analyses as well as the logging of the registration procedure shall be based on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR. With the revocation of the newsletter, we delete your data in CleverReach and the statistical analyses at the same time. A separate revocation of the dispatch by CleverReach or the statistical analysis is unfortunately not possible.
(5) The information will be stored as long as you have subscribed to the newsletter.
(6) The legal basis for the processing of the data by the user after subscription to the newsletter is Article 6 para. 1 sentence 1 lit. a) GDPR. The use of the CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, www.cleverreach.com statistical surveys and analyses as well as logging of the registration procedure are carried out on the basis of our legitimate interests pursuant to Art. 6 Para. 1 S. 1 lit. f) GDPR.
(7) The collection of the user's e-mail address serves to deliver the newsletter. The collection of other personal data (IP address, time of registration/confirmation) during the registration process serves to prevent misuse of the services or the e-mail address used.
(8) The data is deleted as soon as they are no longer required for the purpose of their collection. Your e-mail address and other personal data will therefore be stored as long as the newsletter subscription is active. The other personal data collected during the registration process (IP address, time of registration/confirmation) are usually deleted after a period of seven days.
(9) You can cancel the receipt of our newsletters at any time and thus revoke your consent by clicking on the "Unsubscribe newsletter" field in our newsletter binder or by sending us an e-mail to info(at)lernen-im-allgaeu.de or a message to the contact details given in the imprint.
This also enables you to revoke your consent to the storage of personal data collected during the registration process (IP address, time of registration/confirmation). Upon revocation of the newsletter, we will simultaneously delete your data in CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, www.cleverreach.com and the statistical analyses. A separate revocation of the shipment by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, www.cleverreach.com or of the statistical analysis is unfortunately not possible.
(1) We offer you the opportunity to register on our website by providing personal data. The data will be entered into an input mask and transmitted to us and stored. These data will not be passed on to third parties unless there is a legal obligation to do so or the passing on of the data serves criminal or legal prosecution. The following data is collected as part of the registration process:
- Email address
- Password of your choice
- IP address
- Date and time of registration
- Date of birth
- Indication whether private person or company
The other data (company, telephone, salutation) are voluntary.
(2) We use the so-called double opt-in procedure for registration. This means that after your registration we will send you an e-mail to the given e-mail address in which we will ask you to confirm that you wish to register. If you do not confirm your registration within [24 hours], your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses you use and the dates of registration and confirmation. The purpose of the procedure is to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
(3) If you use the portal, your following data may become accessible to other participants of the portal according to the contractual service. Non-registered members will not receive any information about you. For all registered members your user name, your comment and the date of the post are visible, independently of whether you released these. On the other hand, your entire profile with the data you have released is visible to all members who have confirmed you as a personal contact. If you make content accessible to your personal contacts that you do not send by means of a private message, this content can be viewed by third parties as long as your personal contact has given permission. As far as you post messages in public groups, these are visible for all registered members of the portal. The legal basis for the use of the portal is Art. 6 Para. 1 S. 1 lit. a) GDPR. The storage takes place as long as you are registered in the portal. You can revoke the use and application of the data by us at any time. In this case, as well as in the case of deletion of your portal access, we will immediately delete your photo and your access and personal data. If you have posted messages in public groups, we will anonymise these data so that they can no longer be traced back to you. A deletion of the posts is not possible, however.
(4) Our forum can be read without a registration being necessary. If you would like to participate actively in the forum, you must register. The following data is collected as part of the registration process for the forum:
- Email address
- Password of your choice
- Freely chosen username
- IP address
- Date and time of registration
As part of the registration process, your consent to the processing of this data will be obtained. If you register a forum account, we store up to your deregistration beside your registration data all data, which you make in the forum, thus public messages, pin board entries, friendships, private messages etc., in order to operate the forum. The legal basis for the use of the forum is Art. 6 Para. 1 S. 1 lit. a) GDPR. The storage takes place as long as you are registered in the forum. You can revoke the use and application of the data by us at any time. In this case as well as in the case of the deletion of your forum access, we immediately delete your above-mentioned data. If you have posted messages in public groups, we will anonymise these data so that they can no longer be traced back to you.
(5) The legal basis for processing the data is Art. 6 Para. 1 S. 1 lit. a) GDPR if the user has given his consent; this applies in particular to voluntary data. If the purpose of registration is to fulfil a contract to which you are a party or to carry out pre-contractual measures, the additional legal basis for processing the data is Art. 6 para. 1 sentence 1 lit. b) GDPR.
(6) Registration is required for the performance of the contract or for the implementation of pre-contractual measures.
(7) The data shall be deleted as soon as they are no longer necessary for achieving the purpose for which they were collected. This is the case during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures if the data are no longer required for the implementation of the contract. Even after the conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations. Continuing obligations require the storage of personal data for the duration of the contract. In addition, warranty periods must be observed and the data must be stored for tax purposes. It is not possible to determine which storage periods are to be adhered to here as a lump sum, but must be determined in each individual case for the contracts and contracting parties concluded in each case. If you delete your account, your public statements, in particular posts to the forum, remain visible to all readers, but your account is no longer retrievable and marked in the forum with "[guest]". All other data will be deleted. If you wish that also your public messages are deleted, please contact the responsible person under the contact data indicated above.
(8) If the data is necessary for the fulfilment of a contract or for the execution of pre-contractual measures, a premature deletion of the data is only possible as far as contractual or legal obligations do not oppose a deletion. In addition, you are free to have the personal data provided during registration completely deleted from the database of the data controller by notifying the data controller in accordance with § 1 via e-mail or by post of the revocation. In this case your data will be deleted immediately.
8. SSL encryption
Our website uses SSL encryption in the event of the transmission of confidential or personal data. This encryption is used, for example, for payment transactions and inquiries to us via this website. In order to ensure that this encryption is actually active, this must be monitored by you. The status of the encryption is indicated by the browser line, which changes from "http://“ to "https://". In the case of encryption, your data cannot be read by third parties. If the encryption is not active, please contact us confidentially via another contact option.
(1) To protect your data and your requests, we use the reCAPTCHA service of Google Inc. for our forms. (Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA). This serves primarily to differentiate between whether the input of data was carried out by a natural person or in an abusive manner by mechanical or automated services. For this reCAPTCHA analyzes the behavior of the website visitor on the basis of different characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, length of stay of the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. Google uses the data to evaluate the use of this service.
(2) The legal basis for the use is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the exclusion of mechanical and automated services. Google has submitted to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
(3) We have no influence on the collected data and data processing operations, nor are we aware of the full scope of data collection, the purposes of processing, the storage periods. We also do not have any information on the deletion of the collected data by Google.
(4) You have the right to object to the creation of these user profiles. The person responsible is Google Ireland Ltd, Gordon House, 4 Barrow Street, Dublin, Ireland, Fax: +353 (1) 436 1001.
(5) For more information about the purpose and scope of the data collection and processing, as well as your respective rights, to and from Google, please visit https://www.google.com/policies/privacy/partners/?hl=de
10. Rights of the data subject
If personal data is processed by you, you are the data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the person responsible in accordance with § 1:
- Right to information
- Right to rectification
- Right to restriction of processing
- Right to erasure
- Right to notification
- Right to data portability
- Right to restriction of processing
- Right to revoke the declaration of consent under data protection law
- Right to object automated individual decision-making
- Right to appeal to a supervisory authority
10.1 Right to information
(1) You may request confirmation from the person responsible as to whether personal data relating to you will be processed by us. If such a processing exists, you can at any time request from the responsible person free information about the personal data stored about you as well as about the following information:
a) The purposes for which the personal data is processed;
b) The categories of personal data processed;
c) The recipients or categories of recipients to whom the personal data relating to you have been or will be disclosed;
d) The intended duration of the retention of the personal data relating to you or, if it is not possible to provide specific information in this respect, the criteria for determining the retention period;
e) The existence of a right to have personal data concerning you rectified or erased, a right to limit the processing carried out by the controller or a right to object to such processing;
f) The existence of a right of appeal to a supervisory authority;
g) Any available information as to the source of the data, where the personal data are not collected from the data subject;
(h) The existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
(2) You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
10.2 Right to rectification
You have the right to have your personal data corrected and/or completed without delay by the data controller if the personal data processed concerning you is inaccurate or incomplete.
10.3 Right to restriction of processing
(1) Under the following conditions, you may request the data controller to immediately restrict the processing of your personal data:
a) If you dispute the accuracy of the personal data concerning you for a period of time which allows the controller to verify the accuracy of the personal data;
b) The processing is unlawful and you refuse to erase the personal data and instead request that the use of the personal data be restricted;
c) The controller no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defence of legal claims, or
d) if you have objected to the processing pursuant to Art. 21 para. 1 DSGVO and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.
(2) If the processing of personal data relating to you has been restricted, such data - apart from their storage - may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. If the processing restriction has been limited in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
10.4 Right to erasure
(1) You may request the data controller to immediately delete the personal data concerning you if one of the following reasons applies:
(a) Personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed.
b) You revoke your consent on which the processing pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR was based and there is no other legal basis for the processing.
c) You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
d) The personal data concerning you has been processed unlawfully.
e) The deletion of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
f) The personal data relating to you has been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.
(2) If the data controller has made the personal data concerning you public and is obliged to delete them pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the data controllers processing the personal data that you, as the data subject, have requested them to delete all links to this personal data or copies or replications of this personal data.
(3) The right to deletion does not exist if the processing is necessary
(a) To the exercise of freedom of expression and information;
(b) To fulfil a legal obligation which processing is subject to under the law of the Union or of the Member States to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) For reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
d) For archival purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or
e) to assert, exercise or defend legal claims.
10.5 Right to notification
If you have exercised your right to rectify, cancel or limit the processing of your personal data against the controller, the latter is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification/deletion/restriction, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of such recipients by the controller.
10.6 Right to data portability
(1) You have the right to receive the personal data concerning you that you have provided to the responsible person in a structured, common and machine-readable format. In addition, you have the right to communicate this data to another controller without being hindered by the controller to whom the personal data was provided, provided that
a) the processing is based on a consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
(b) the processing is carried out by automated means.
(2) In exercising this right, you also have the right to obtain that the personal data relating to you be transmitted directly by one responsible person to another responsible person, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
(3) The right to data transfer shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In order to exercise the right to data transfer, the data subject may at any time contact the controller.
10.7 Right to restriction of processing
(1) You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
(2) The person responsible will no longer process the personal data concerning you unless he or she can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.
(3) If personal data relating to you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data relating to you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
(4) In connection with the use of information society services, you may exercise your right of objection by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
(5) In order to exercise the right of opposition, the data subject may apply directly to the controller.
10.8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent until you revoke it. You can contact the responsible person for this.
10.9 Right to object automated individual decision-making
(1) You have the right not to be subject to any decision based solely on automated processing, including profiling, which has any legal effect on you or which similarly significantly affects you. This does not apply if the decision
a) is necessary for the conclusion or performance of a contract between you and the person responsible,
b) is authorised by legislation of the Union or of the Member States to which the person responsible is subject and contains appropriate measures to safeguard your rights and freedoms and your legitimate interests; or
c) with your express consent.
(2) However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
(3) With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate measures to protect the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to state his own position and to challenge the decision.
(4) If the data subject wishes to exercise rights relating to automated decisions, he or she may at any time do so by contacting the controller.
10.10 Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is in breach of the GDPR. The supervisory authority with which the complaint was lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
11. Amendments to the Data Protection Directive