1) Right of confirmation
European legislators and regulators have granted data subjects the right to obtain confirmation from the controller as to whether their personal data is being processed. If a data subject wishes to exercise this right of confirmation, he or she may contact an employee of the controller at any time.
2) Right of access
European legislators and regulators have granted data subjects the right to obtain free information from controllers at any time regarding which of their personal data has been stored, and to receive a copy of that personal data on request. Furthermore, data subjects have access to the following information under European law:
- the purposes of processing
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- If possible, the planned length of time for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- the existence of a right to rectification or erasure of personal data concerning them, a right to restrict processing by the controller, or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- if the personal data is not collected from the data subject: All available information about the origin of the data
- Any usage of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and – at least in these cases – significant information about the logic involved in such processing, its scope, and the intended effects of such processing for the data subject
Furthermore, the data subject has the right to information as to whether their personal data has been transferred to a third country or to an international organisation. If this is the case, the data subject shall also have the right to obtain information about the applicable safeguards in place in connection with said transfer. If a data subject wishes to exercise this right of access, he or she may contact an employee of the controller at any time.
3) Right to rectification
European legislators and regulators have granted data subjects the right to request the immediate correction of any inaccuracies in their personal data. Furthermore, taking the purposes of such processing into account, the data subject has the right to request completion of any incomplete personal data, including by means of a supplementary declaration. Data subjects who wish to exercise this right to rectification may contact an employee of the controller at any time.
4) Right to erasure (right to be forgotten)
Data subjects have the right under EU law to request that the controller erasure personal data concerning him or her without undue delay, provided that such processing is not necessary and that one of the following grounds applies:
- The personal data has been collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws the consent upon which processing pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR was based, and there is no other legal basis for such processing.
- The data subject submits an objection in accordance with Article 21(1) GDPR, and there are no overriding legitimate grounds for processing, or the data subject submits an objection pursuant to Art. 21(2) GDPR.
- The personal data has been unlawfully processed.
- The erasure of personal data is necessary for compliance with a legal obligation under European Union or Member State law to which the controller is subject.
- The personal data has been processed in relation to services offered by an information society in accordance with Art. 8(1) GDPR.
If any of the above reasons applies and a data subject wishes to prompt the erasure of personal data stored by Merete GmbH, the data subject may contact an employee of the controller at any time. The Merete GmbH employee shall arrange for prompt compliance with the erasure request. Taking into account the available technology and the implementation costs, if the personal data has been made public by Merete GmbH and our company is the controller pursuant to Art. 17(1) GDPR, Merete GmbH shall take reasonable measures, including technical measures, to notify other data controllers who process the published personal data that the data subject has requested that these other data controllers delete all links to this personal data or copies or replications of this personal data, insofar as such processing is not necessary. The Merete GmbH employee shall arrange for the necessary measures in individual cases.
5) Right to restriction of processing
European legislators and regulators have granted all data subjects the right to request that the controller restrict processing of their personal data if one of the following conditions is met:
The data subject contests the accuracy of the personal data, and does so for a period that enables the controller to check the accuracy of said personal data.
Such processing is unlawful; the data subject refuses erasure of the personal data and requests that its usage be restricted instead.
The controller no longer needs the personal data for the original purpose of its processing, but the data subject requires it for the establishment, exercise or defence of legal claims.
The data subject has objected to the processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate reasons of the controller override those of the data subject.
If any of the above prerequisites applies and a data subject wishes to exercise this right to restrict processing of personal data stored by Merete GmbH, the data subject may contact an employee of the controller at any time. The Merete GmbH employee shall arrange for said restriction of processing.
6) Right to data portability
European legislators and regulators have granted data subjects the right to receive any personal data they have provided to a controller in a structured, commonly used and machine-readable format. They also have the right to transfer this data to another controller without hindrance by the controller to whom the personal data was supplied, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and that the processing is carried out by automated means, insofar as such processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, when exercising their right to data portability pursuant to Art. 20(1) GDPR, the data subject has the right to have the personal data transferred directly from one controller to another controller, insofar as this is technically feasible and provided that this does not impair the rights and freedoms of other persons. To assert the right to data portability, the data subject may contact an employee of Merete GmbH at any time.
7) Right to object
European legislators and regulators have granted data subjects the right to object at any time, on grounds relating to their specific situations, to any processing of their personal data performed on the basis of Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions. Merete GmbH shall no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject, or unless the processing serves the purpose of asserting, exercising or defending legal claims. If Merete GmbH processes personal data for direct marketing purposes, the data subject shall have the right to object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling insofar as it is associated with such direct advertising. If the data subject objects to processing by Merete GmbH for direct marketing purposes, Merete GmbH will no longer process the personal data for those purposes. In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to the processing of his or her personal data by Merete GmbH for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, unless such processing is necessary for the performance of a task in the public interest. In order to exercise the right to object, the data subject may contact any Merete GmbH employee or another employee directly. In connection with the usage of information society services, data subjects also have the right to exercise their right of objection via automated means using technical specifications, Directive 2002/58/EC notwithstanding.
8) Specific cases involving automated decision-making, including profiling
European legislators have granted all data subjects who are affected by processing of personal data the right not to be subject to decisions based solely on profiling or other automated processing that will affect them legally or cause them significant restrictions in a similar vein, provided that such decisions (1) are not necessary for the conclusion or performance of a contract between the data subject and the controller; or (2) are permitted under European Union or Member State laws to which the controller is subject, and that such laws contain appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests; or (3) are based on the data subject’s explicit consent. If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is made with the express consent of the data subject, Merete GmbH shall take appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, including (at minimum) the right to secure intervention on the part of a person representing the controller, to state their own position and to contest the decision. If the data subject wishes to exercise their right to withdraw consent, they may contact an employee of the controller at any time.
9) Right to withdraw consent under data protection law
European law has granted any data subject affected by processing of personal data to withdraw his or her consent to the processing such personal data at any time. If the data subject wishes to exercise his or her right to withdraw consent, he or she may contact an employee of the controller at any time.