Privacy Policy
I. Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:
WEDER & NOCH GmbH & Co. KG
Augustenstraße 16
80333 Munich
Deutschland
Tel.: +49 (0) 89 54 74 07 33
E-Mail: contact@matterlout.com
Website: https://matterlout.com
II. Name and Address of the Data Protection Officer
The external Data Protection Officer of the controller is:
Attorney-at-Law Dr. Benjamin Wanning
c/o WEDER & NOCH GmbH & Co. KG
Augustenstraße 16
80333 München
Deutschland
Tel.: +49 (0) 89 54 74 07 33
E-Mail: datenschutz@matterlout.com
III. General Information on Data Processing
1. Scope of Processing of Personal Data
We process personal data of our users only to the extent necessary to provide a functional website, our content, and services. The processing of personal data of our users regularly occurs only with the user’s consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations.
2. Legal Basis for the Processing of Personal Data
If we obtain consent from the data subject for processing operations involving personal data, Article 6(1)(a) of the General Data Protection Regulation (GDPR) serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
If the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
In cases where the processing is necessary to protect vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.
If the processing is necessary for the purposes of legitimate interests pursued by our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not override those interests, Article 6(1)(f) GDPR serves as the legal basis for the processing.
3. Data Deletion and Storage Duration
Personal data of the data subject will be deleted or blocked as soon as the purpose of the storage ceases to exist. Further storage may occur if this is provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject. Blocking or deletion of data will also occur when a storage period prescribed by the mentioned regulations expires, unless there is a need for further storage of the data for a contract conclusion or fulfillment.
IV. Provision of the Website and Creation of Log Files
1. Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.
The following data is collected:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The user’s (encrypted) IP address
- Date and time of access
- Websites from which the user’s system reaches our website
- Websites accessed by the user’s system via our website
The data is also stored in our system’s log files. This data is not stored together with other personal data of the user.
2. Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
Storing data in log files ensures the functionality of the website. Additionally, the data helps us optimize the website and ensure the security of our IT systems. The data is not evaluated for marketing purposes. These purposes also represent our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR.
3. Duration of Storage, Objection, and Elimination Options
The data is deleted as soon as it is no longer necessary for the purpose of its collection. In the case of data collection for providing the website, this occurs when the session ends.
In the case of log file storage, this is no later than 90 days. Further storage is possible if the users’ IP addresses are anonymized, so they can no longer be assigned to the accessing client.
Data collection for website provision and storage in log files is essential for website operation. Thus, the user has no option to object.
V. Use of Cookies
Description and Scope of Data Processing
Our website uses cookies. Cookies are text files stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is revisited.
We use the Borlabs Cookie to make our website user-friendly. Certain elements of our website require the calling browser to be identified even after a page change.
The Borlabs Cookie stores whether the user has consented to the use of tracking measures (e.g., Google Analytics). This makes it unnecessary to obtain the user’s consent again on subsequent visits.
Our website also uses cookies to enable an analysis of user behavior. These cookies are only used after obtaining the user’s explicit consent.
The following data may be transmitted:
- Entered search terms
- Frequency of page views
- Use of website functions
The data collected in this way is pseudonymized by technical precautions. Therefore, assigning the data to the accessing user is no longer possible. The data is not stored together with other personal data of the users.
Legal Basis for Data Processing
We only use analysis cookies if you have given your consent. The legal basis for the use of analysis cookies after the user’s consent is Article 6(1)(a) GDPR.
Purpose of Data Processing
The purpose of using analysis cookies is to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can continually optimize our offer.
Duration of Storage, Objection, and Elimination Options
Cookies are stored on the user’s computer and transmitted to our site. As a user, you have full control over the use of cookies. By changing your internet browser settings, you can disable or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all website functions.
VI. Web Analysis via Google Analytics
1. Description and Scope of Data Processing
We use Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses cookies—text files stored on your computer—to analyze your use of the website. The information generated by the cookie about your use of this website is typically transmitted to a Google server in the United States and stored there. If IP anonymization is activated on this website, your IP address will be truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website activity and internet usage to the website operator.
The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data.
Our website uses Google Analytics with the extension “_anonymizeIp()”. This ensures that IP addresses are processed in truncated form, excluding direct personal reference. If the data collected is associated with a person, this reference is immediately excluded, and the personal data is promptly deleted.
2. Legal Basis for Data Processing
We use Google Analytics only if you have given your consent. The legal basis for processing personal data after user consent is Article 6(1)(a) GDPR.
3. Purpose of Data Processing
We use Google Analytics to analyze and regularly improve the use of our website. The statistics gathered allow us to improve our offerings and make them more interesting for you as a user.
4. Duration of Storage, Objection, and Elimination Options
Cookies are not stored if you have not provided your consent. You can also prevent the storage of cookies by adjusting your browser software settings or delete them retroactively even after giving consent. However, please note that in such cases, you may not be able to use all website functions fully. You can also prevent Google from collecting and processing the data generated by the cookie about your use of the website (including your IP address) by downloading and installing the browser plug-in available at: http://tools.google.com/dlpage/gaoptout?hl=en.
Further information about Google’s data privacy practices can be found at:
Privacy Policy: http://www.google.com/policies/privacy
User Terms: http://www.google.com/analytics/terms/us.html
Privacy Overview: http://www.google.com/intl/en/analytics/learn/privacy.html
VII. Use of Microsoft Clarity
Description and Scope of Data Processing
This website uses Clarity, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter referred to as “Clarity”).
Clarity is a tool for analyzing user behavior on this website. Clarity specifically captures mouse movements and creates a graphical representation of which parts of the website users frequently scroll to (heatmaps). Clarity can also record sessions, allowing us to view site usage in video form. Additionally, we receive general information about user behavior on our website.
Clarity uses technologies that allow user recognition for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). Your personal data is stored on Microsoft servers (Microsoft Azure Cloud Service) in the United States.
If consent is obtained, the aforementioned service is used exclusively based on Article 6(1)(a) GDPR and Section 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the use of this service is based on Article 6(1)(f) GDPR; the website operator has a legitimate interest in effective user analysis.
Further details about Clarity’s privacy practices can be found here: https://docs.microsoft.com/en-us/clarity/faq.
The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States to ensure compliance with European data protection standards in data processing in the United States. Every company certified under the DPF is obligated to adhere to these data protection standards. Further information about this can be found on the provider’s website: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active.
VIII. Use of the SalesViewer® Technology
This website uses the SalesViewer® technology of SalesViewer® GmbH to collect and store data for marketing, market research, and optimization purposes based on the legitimate interests of the website operator (Art. 6 (1) lit. f GDPR).
For this purpose, a JavaScript-based code is used, which serves to collect company-related data and its corresponding use. The data collected by this technology is encrypted using a non-reversible one-way function (so-called hashing). The data is immediately pseudonymized and not used to personally identify the visitor to this website.
The data stored within SalesViewer will be deleted as soon as they are no longer required for their intended purpose and no legal retention obligations contradict the deletion.
You can object to the collection and storage of data at any time with effect for the future by clicking on this link https://www.salesviewer.com/opt-out to prevent future data collection by SalesViewer® on this website. An opt-out cookie will be placed on your device for this website. If you delete your cookies in this browser, you will need to click this link again.
IX. Integration of Google Maps
Description and Scope of Data Processing
On this website, we use the Google Maps service.
By visiting the website, Google receives the information that the user has accessed the corresponding subpage of our website. Additionally, the data mentioned under section IV.1. of this statement is transmitted. This occurs regardless of whether Google provides a user account, through which the user is logged in, or if no user account exists. If the user is logged into Google, the data is directly associated with the user’s account. Google stores the user’s data as usage profiles and uses it for advertising, market research, and/or tailored design of its website. Such analysis is conducted especially (even for users who are not logged in) to deliver targeted advertising and inform other users of the social network about your activities on our website.
Legal Basis for Data Processing
We use Google Maps only if you have given your consent. The legal basis for processing the personal data of users, after consent, is Art. 6 (1) lit. a GDPR.
Purpose of Data Processing
By using Google Maps, we can display interactive maps directly on the website, enabling you to conveniently use the map function.
Duration of Storage, Right to Object, and Deletion Options
If you do not wish to associate the data with your Google profile, you must log out before activating the button.
You have the right to object to the creation of these user profiles, but you must contact Google to exercise this right.
Further information on the purpose and scope of data collection and processing by the plugin provider can be found in the provider’s privacy policy. You will also find additional information on your rights and privacy settings to protect your privacy here: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and is certified under the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
X. Contact Form and Email Contact
1. Description and Scope of Data Processing
Our website contains a contact form that can be used for electronic communication. If a user takes advantage of this option, the data entered in the input form is transmitted to us and stored. This data includes:
- Name*
- Company
- Phone
- Email address*
The data marked with * is mandatory.
For processing the data, your consent is obtained during the submission process, and reference is made to this privacy policy.
Alternatively, contact can be made via the provided email address. In this case, the personal data transmitted by the user via email is stored.
There is no transfer of data to third parties in this context. The data is used solely for processing the conversation.
2. Legal Basis for Data Processing
The legal basis for processing the data is the user’s consent, pursuant to Art. 6 (1) lit. a GDPR.
The legal basis for processing the data transmitted in the course of sending an email is Art. 6 (1) lit. f GDPR. If the email contact aims at concluding a contract, the additional legal basis for processing is Art. 6 (1) lit. b GDPR.
3. Purpose of Data Processing
The processing of personal data from the input form serves solely to process the contact request. In the case of email contact, the legitimate interest in processing the data is also present.
4. Duration of Storage, Right to Object, and Deletion Options
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. For personal data from the contact form and data sent via email, this is generally the case when the respective conversation with the user is concluded. The conversation is considered concluded when it can be inferred from the circumstances that the matter in question has been finally resolved. Further storage will only occur if there is a legal basis for doing so. This may be the case if the data is required to carry out pre-contractual measures or to fulfill a contract (Art. 6 (1) lit. b GDPR).
The user has the right to withdraw their consent to the processing of personal data at any time. If the user contacts us via email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.
The withdrawal of consent and objection to storage can be made by email to datenschutz@wederundnoch.de.
All personal data stored in the course of contact will be deleted in this case.
XI. Application Form
1. Description and Scope of Data Processing
On our website, users can directly apply for open positions. If a user takes advantage of this option, the data entered in the input form is transmitted to us and stored. This data includes:
- Name*
- Street*
- Postal Code and City*
- Email Address*
- Phone*
The data marked with * is mandatory.
For processing the data, your consent is obtained during the submission process, and reference is made to this privacy policy.
2. Legal Basis for Data Processing
The legal basis for processing the data is the user’s consent, pursuant to Art. 6 (1) lit. a GDPR.
3. Purpose of Data Processing
The processing of personal data from the input form, as well as any other data transmitted by the user, serves solely to process the application.
4. Recipients of the Data
To support the application process, we use a carefully selected service provider who works for us in the context of order processing. Through strict contractual arrangements, technical and organizational measures, as well as additional controls, we ensure the protection of your data.
5. Duration of Storage, Right to Object, and Deletion Options
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. For the personal data from the input form and any other data transmitted by the user, this is generally the case once the application process is completed. Further storage will only occur with the applicant’s consent.
The user has the right to withdraw their consent to the processing of personal data at any time.
A withdrawal of consent and an objection to storage can be sent by email to datenschutz@wederundnoch.de.
All personal data stored during the application process will be deleted in this case. The application will not be followed up.
XII. TikTok Pixel
Our website uses “TikTok Pixel,” a service provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereafter referred to as “TikTok”). The TikTok Pixel is a JavaScript code snippet that allows us to understand and track the activities of visitors to our website (so-called event data). This allows us to, for example, show our ads on TikTok only to users who have visited our website, especially those who have shown interest in our offerings or in certain topics or products. TikTok Pixel uses, among other things, cookies that are stored locally in your browser’s cache on your device.
If you are logged into TikTok with your user account, the visit to our online offer will be recorded in your user account. The data collected about you is anonymous to us, so it does not allow us to draw conclusions about your identity. However, this data may be associated with your user account on TikTok. We have no influence on the scope and further use of the data processed by TikTok through the use of TikTok Pixel. Even if you are not registered with TikTok or logged in, TikTok may still learn and store your IP address and possibly other identifying characteristics.
In principle, your data is processed within the EU or the European Economic Area (EEA). An appropriate data protection agreement has been concluded with TikTok for this purpose. If personal data is transmitted to countries outside the EU or EEA, this is done within the framework of the standard contractual clauses of the Commission for the transfer of personal data to third countries.
This collection and transmission of event data is carried out by us and TikTok as joint controllers. We have entered into an agreement with TikTok regarding joint processing, which specifies the distribution of data protection responsibilities between us and TikTok. In this agreement, we and TikTok have agreed, among other things:
- That we are responsible for providing you with all information pursuant to Art. 13, 14 GDPR regarding the joint processing of personal data;
- That TikTok is responsible for enabling the rights of the data subjects in accordance with Art. 15 to 20 GDPR.
You can access the agreement between us and TikTok at https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms.
We use TikTok Pixel for marketing and optimization purposes, in particular to display relevant and interesting ads on TikTok, improve our offerings, make them more engaging for users, and avoid annoying ads. The legal basis for this is Art. 6 (1) lit. a GDPR (consent).
You can withdraw your consent for the processing of personal data by TikTok Pixel and the use of your data for displaying TikTok ads at any time for the future. The data processing by TikTok is carried out within the framework of TikTok’s privacy policy: https://www.tiktok.com/legal/privacy-policy-eea?lang=en.
XIII. Facebook Pixel
Our website uses “Facebook Pixel,” a service provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereafter referred to as “Facebook”). Facebook Pixel enables Facebook to show our ads on Facebook, known as “Facebook Ads,” only to Facebook users who have visited our website, particularly those who have shown interest in our offerings or specific topics or products. Facebook Pixel also serves to verify whether a user has been redirected to our website after clicking on our Facebook Ads. Facebook Pixel uses, among other things, cookies that are locally stored in your browser’s cache on your device.
If you are logged into Facebook with your user account, the visit to our online offer will be recorded in your user account. The data collected about you is anonymous to us, meaning it does not allow us to draw conclusions about your identity. However, this data may be associated with your user account on Facebook. We have no influence on the scope and further use of the data processed by Facebook through the use of Facebook Pixel. Even if you are not registered with Facebook or not logged in, Facebook may still gather and store your IP address and potentially other identifying characteristics.
We use Facebook Pixel for marketing and optimization purposes, specifically to display relevant and interesting ads to you on Facebook, improve our offerings, make them more appealing for you as a user, and avoid annoying ads. The legal basis for this is Art. 6 (1) lit. a GDPR (Consent).
You can withdraw your consent for the processing of personal data by Facebook Pixel and the use of your data for displaying Facebook Ads at any time for the future. Settings regarding the types of ads displayed to you on Facebook can be made directly on the Facebook website: https://www.facebook.com/settings?tab=ads. Please note that this setting will be deleted if you delete your cookies in the browser.
You can also prevent participation in tracking by disabling interest-based ads from providers by clicking on one of the links provided. In the context of self-regulation campaigns, an opt-out cookie will be set. However, this setting will be deleted if you delete your cookies.
- http://optout.networkadvertising.org/
- http://www.aboutads.info/choices
- http://www.youronlinechoices.com/uk/your-ad-choices/
Information on data processing based on standard contractual clauses can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum.
Third-party information: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Further information from the third-party provider on data protection can be found on the following Facebook website: https://www.facebook.com/about/privacy. Information on Facebook Pixel can be found on the following Facebook website: https://www.facebook.com/business/help/651294705016616.
XIV. Rights of the Data Subject
If personal data about you is processed, you are a data subject according to the GDPR, and you have the following rights against the data controller:
1. Right of Access
You may request confirmation from the controller as to whether personal data concerning you is being processed.
If such processing occurs, you may request the following information from the controller:
(1) The purposes for which the personal data is processed;
(2) The categories of personal data being processed;
(3) The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
(4) The planned duration for storing the personal data concerning you, or, if specific details are not available, the criteria for determining the storage duration;
(5) The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
(6) The existence of a right to lodge a complaint with a supervisory authority;
(7) All available information about the source of the data if the personal data has not been collected from the data subject;
(8) The existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in such cases, meaningful information about the logic involved and the scope and intended consequences of such processing for the data subject.
You have the right to request information about whether the personal data concerning you is transferred to a third country or an international organization. In this context, you can request to be informed about the appropriate safeguards under Art. 46 GDPR in relation to the transfer.
2. Right to Rectification
You have the right to request the rectification and/or completion of personal data concerning you, if the processed data is inaccurate or incomplete. The controller must rectify the data without undue delay.
3. Right to Restriction of Processing
Under the following conditions, you may request the restriction of processing of personal data concerning you:
(1) If you contest the accuracy of the personal data concerning you for a period that allows the controller to verify the accuracy of the personal data;
(2) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
(3) The controller no longer needs the personal data for processing, but you need it for the establishment, exercise, or defense of legal claims; or
(4) If you have objected to the processing in accordance with Art. 21 (1) GDPR, and it has not yet been determined whether the legitimate grounds of the controller override your reasons.
Once the processing of personal data concerning you is restricted, such data may only be processed – aside from storage – with your consent or to establish, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.
If the restriction of processing has been applied based on the conditions mentioned above, you will be informed by the controller before the restriction is lifted.
4. Right to Erasure
a) Obligation to Erase
You can request that the controller erase personal data concerning you without undue delay, and the controller is obligated to erase such data without undue delay if one of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing is based under Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR, and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) The erasure of personal data concerning you is necessary for the fulfillment of a legal obligation under Union law or the law of a Member State to which the controller is subject.
(6) The personal data concerning you was collected in relation to the offer of information society services under Art. 8 (1) GDPR.
b) Notification to Third Parties
If the controller has made the personal data concerning you public and is required to erase it under Art. 17 (1) GDPR, the controller shall, taking into account available technology and implementation costs, take reasonable steps, including technical measures, to inform controllers who process the personal data about your request to delete all links to, or copies or replications of, these personal data.
c) Exceptions
The right to erasure does not exist insofar as the processing is necessary:
(1) For the exercise of the right to freedom of expression and information;
(2) For compliance with a legal obligation that requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) For reasons of public health in accordance with Art. 9 (2) lit. h and i, and Art. 9 (3) GDPR;
(4) For archiving purposes in the public interest, scientific or historical research, or statistical purposes under Art. 89 (1) GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) For the establishment, exercise, or defense of legal claims.
5. Right to Notification
If you have exercised your right to rectification, erasure, or restriction of processing, the controller is obligated to notify all recipients to whom the personal data concerning you has been disclosed about the rectification or erasure of the data or the restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about these recipients.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance by the controller to whom the personal data was provided, if:
(1) The processing is based on consent under Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, or a contract under Art. 6 (1) lit. b GDPR, and
(2) The processing is carried out by automated means.
In exercising this right, you also have the right to request that the personal data concerning you be directly transmitted from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected.
The right to data portability does not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on Art. 6 (1) lit. e or f GDPR, including profiling based on these provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
If the personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes, including profiling to the extent related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
You also have the option to exercise your right to object in the context of the use of information society services, notwithstanding Directive 2002/58/EC, through automated procedures using technical specifications.
8. Right to Withdraw Consent to Data Processing
You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated Decision-Making, Including Profiling
You have the right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you. This does not apply if the decision:
(1) Is necessary for the entry into or performance of a contract between you and the controller,
(2) Is authorized by Union or Member State law to which the controller is subject and contains appropriate measures to safeguard your rights, freedoms, and legitimate interests, or
(3) Is based on your explicit consent.
However, such decisions may not be based on special categories of personal data under Art. 9 (1) GDPR unless Art. 9 (2) lit. a or g GDPR applies and appropriate safeguards for the rights and freedoms of data subjects have been implemented.
In cases (1) and (3), the controller takes appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to have the decision reviewed by a person, to express your point of view, and to contest the decision.
10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your residence, place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been submitted shall inform the complainant about the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.