Privacy Notice
1. Name and address of the person responsible
OpenCall GmbH
Industriestr. 12
D-89081 Ulm
Germany
Phone: +49 (0) 731 / 55 05 60
Fax: +49 (0) 731 / 55 05 61 11
E-mail: info@opencall-callcenter.com
Website: www.opencall-callcenter.com
Represented by the shareholder:
Stefan Köhle
Managing Director:
Stefan Köhle
2. Contact data of the data protection officer
OpenCall GmbH
Data Protection Officer
Industriestr. 12
D-89081 Ulm
Germany
E-mail: datenschutz@opencall-callcenter.com
3. Data processing
3.1 General information on data processing
Data protection is of particular concern to us. We only process personal data if this is necessary to provide a functioning website, as well as our content, services and support.
If you wish to make use of special services on our website, it may be necessary to process personal data. This processing only takes place if there is a legal basis for it or if consent has been obtained beforehand.
This privacy notice only applies to our website. If you are redirected to other sites via links, please inform yourself there about the respective data protection.
This data protection declaration is based on the terms of the basic EU General Data Protection Regulation (GDPR). In order to maintain an easily readable and understandable form, these terms are described at the end of this statement. (5. Definition)
3.2 Access to Website – Server Logfiles
3.2.1 Purpose of processing
To make the Website and the services it contains available to you
3.2.2 Type and categories of personal data
In order to make the website available to you, the following data must be temporarily stored by the system:
– IP address
– browser type and version, operating system, language
– possibly referrer, i.e. from which page our site was accessed
– the subwebsite that is being accessed
– date and time of access, as well as the time zone
– Internet service provider of the accessing system
– amount of data transferred
– error and status messages
– transmission protocol used
The processing of the above-mentioned data serves to maintain the functionality of the website and guarantee security in the event of cyber attacks and, as a result, to provide the necessary information to the law enforcement authorities.
This data is stored separately from any other personal data that may have been provided.
3.2.3 Legal bases
Article 6 1f GDPR: Processing is necessary to protect the legitimate interests of the person responsible or a third party.
3.2.4 Receiver and data transmission
The hosting provider of our website processes the data by order. An order processing agreement was concluded with him for this purpose.
In the event of cyber attacks, the data is made available to the law enforcement authorities.
A transfer to third countries does not take place and is not planned.
3.2.5 Duration of storage
The IP addresses are usually deleted after 7 days. Further storage only takes place after prior anonymisation, so that it is no longer possible to trace back to the user.
In the event of a cyber attack, the IP addresses are only made anonymous or deleted when they are no longer needed for criminal prosecution.
3.2.6 Right of objection
There is no possibility of objection, since the processing of the data is technically and safety-related necessary. The only way to stop processing is to stop accessing the website.
3.3 Use of Cookies
Cookies are text files that are stored by your browser and contain information in text form, such as the language settings or a unique ID of the current browser session, in order to distinguish your session from the session of another user.
3.3.1 Purpose of processing
Two types of cookies are stored. Cookies, so-called session cookies, which are deleted after the end of the current session and cookies which remain after the end of the session in order to save your settings for the next visit and to enable evaluation of the use of the website in order to optimise them for you.
Session cookies are technically necessary to make the website user-friendly for you and to clearly identify you even after a page change, so that your language settings, your login information, items in the shopping basket, etc. are retained.
Cookies, which are stored beyond the session, give us information which contents and functions of the website are used and which are not. On the basis of this information we can, for example, further develop the website in areas that are increasingly used by visitors and reduce other unused areas.
3.3.2 Type and categories of personal data
Technical session cookies store the following data:
– Language settings
Cookies that are stored after a session process the following data:
– Use of website functions
– Page views
– Search words
– Language settings
3.3.3 Legal bases
In the first step, processing will be based on your consent under Article 6(1)(a) GDPR.
In addition, there is a legitimate interest of the responsible person according to Article 6 paragraph 1 letter f GDPR in a user-friendly presentation, as well as an optimization of the website on the basis of the information obtained by the cookie analysis.
3.3.4 Receiver and data transmission
The data will not be passed on to third parties. Within the position of the person responsible, the data is processed by the sales, marketing and technical departments.
A transfer to third countries does not take place and is also not planned
3.3.5 Duration of storage
The data of session cookies are stored until the end of the visit of the website.
The data of cookies, which were collected for analysis purposes, are pseudonymised for further processing.
3.3.6 Right of objection
The settings in your browser enable you to prevent cookies from being transferred from our website to your computer and thus you can permanently object to the setting of cookies. Since cookies are stored on your computer, you have full control over the cookies and can delete cookies already stored at any time. If you have cookies deactivated automatically, you may not be able to use our website or individual contents and functions of our website.
3.4 Contact and contact form
3.4.1 Purpose of processing
The website of OpenCall GmbH contains a contact form for direct and fast communication with us. The entered data will be transmitted to us and processed for contacting us. The data can be processed in a customer management system (CRM – Customer Relation Management System).
3.4.2 Type and categories of personal data
We process the following data:
Mandatory field:
– Email address
Voluntary information:
– Name
– Subject
– Message/Free text
Additional information always transmitted:
– IP address
– Date and time of entry
Alternatively, contact can be established via the e-mail address provided. In this case, the data specified in the e-mail will be processed.
3.4.3 Legal bases
In the first step, processing will be based on your consent under Article 6(1)(a) GDPR. Furthermore, OpenCall GmbH has a legitimate interest in establishing contacts with interested persons pursuant to Article 6 paragraph 1 letter f GDPR. If this results in pre-contractual measures or if a contract is concluded, we process the data in accordance with Article 6 paragraph 1 letter b GDPR and, if applicable, as a result of legal obligations in accordance with Article 6 paragraph 1 letter c GDPR.
3.4.4 Receiver and data transmission
The data will not be transmitted to third parties and a transmission to third countries does not take place and is not planned.
3.4.5 Duration of storage
The duration of the storage depends on the type and content of the contact. A simple communication recording without legal follow-up obligations will be deleted within 90 days after termination of the communication.
Contacts with pre-contractual and/or legal obligations will be deleted, taking into account the statutory retention obligations, if these are no longer necessary. We review the necessity every two years.
3.4.6 Right of objection
If you wish your data to be deleted, please contact the person responsible using the contact options provided. The data will then be deleted unless there are other legal obligations to store them.
3.5 Application by e-mail
Thank you for your interest in our company and for applying to OpenCall GmbH. We process your application data that you send to us via our website or by e-mail in accordance with Art 88 GDPR and § 26 BDSG (new).
3.5.1 Purpose of processing
We process your application data in order to be able to make a decision on the establishment of an employment relationship.
If we do not currently have a suitable position for you, but are interested in working with you in the future due to your application, we will obtain your consent for longer storage in the applicant pool for a maximum of 24 months.
There is no automated decision making according to Article 22 GDPR.
3.5.2 Type and categories of personal data
We are aware that candidate data may be sensitive data in the sense of special categories of data in accordance with Article 9 GDPR. For this reason, we treat applicant data with the appropriate protection requirements.
3.5.3 Legal bases
Processing is based on data processing in the context of employment within the meaning of Article 88 GDPR and § 26 BDSG (new), data processing for employment purposes.
If you are under 16 years of age, you must enclose the consent of the holder of parental responsibility pursuant to Article 8 GDPR with your application.
3.5.4 Receiver and data transmission
The e-mail processing in our company is always encrypted. The prerequisite for this is that your e-mail service provider has also activated e-mail encryption. In case you are not sure, we can offer you to use our PGP encryption or to send the application documents to us by post.
After successful transmission of the applicant data by e-mail, we will confirm receipt and point out your rights as a person concerned.
The data is passed on to the companies associated with OpenCall GmbH that participate in the application process.
A transfer to third countries does not take place and is also not planned
3.5.5 Duration of storage
Your application data will be deleted 3 months after completion of the application process. In order to defend legal claims, e.g. to be able to prove a conformal selection process according to the General Act on Equal Treatment (AGG), we can extend the storage period to 6 months.
If you have given your consent to the storage of your applicant data in the applicant pool for immediate consideration in future job advertisements, we will store the data for up to 24 months.
Should your application lead to the conclusion of an employment relationship, your data will be stored for the purpose of personnel management in compliance with legal regulations.
3.5.6 Right of objection
You can change or delete your applicant data at any time. Furthermore, you can revoke your consent to longer storage in the applicant pool at any time.
4. Rights of data subjects
You can request information about your stored data at any time, view it, have inaccurate data corrected and/or, taking into account the statutory storage periods, have it deleted or have processing restricted. Consent can be revoked at any time with effect for the future.
In detail and with reference to the GDPR you have the following rights as a data subject when your personal data is processed:
4.1 Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
1. The controller shall take appropriate measures to communicate to the data subject all information referred to in Articles 13 and 14 and all communications relating to processing referred to in Articles 15 to 22 and Article 34 in a precise, transparent, intelligible and easily accessible form in clear and simple language, in particular information specifically addressed to children. The information shall be transmitted in writing or in any other form, including, where appropriate, electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been established in another form.
2. In the cases referred to in Article 11(2), the data controller may refuse to act on the data subject’s request to exercise his rights under Articles 15 to 22 only if he can demonstrate that he is unable to identify the data subject.
3. The data controller shall provide the data subject with information on the measures taken upon request in accordance with Articles 15 to 22 without delay and in any event within one month of receipt of the request. This period may be extended by a further two months if necessary, taking into account the complexity and number of applications. The person responsible shall inform the data subject of an extension of the time limit within one month of receipt of the application, together with the reasons for the delay. If the data subject submits the application electronically, he or she shall, if possible, be informed electronically, unless otherwise indicated.
4. If, at the request of the data subject, the data controller does not act, he shall inform the data subject without delay and at the latest within one month of receipt of the request, of the reasons for this and of the possibility of lodging an appeal with a supervisory authority or lodging a judicial appeal.
5. Information referred to in Articles 13 and 14 and all communications and measures referred to in Articles 15 to 22 and Article 34 shall be made available free of charge. In the case of manifestly unfounded or – particularly in the case of frequent repetition – excessive requests from a person concerned, the person responsible may either
(a) require an appropriate remuneration taking into account the administrative costs of information or notification or implementation of the action requested; or
(b) refuse to act on the application. The person responsible must provide evidence of the manifestly unfounded or excessive nature of the application.
6. Without prejudice to Article 11, where the controller has reasonable doubt as to the identity of the natural person making the application pursuant to Articles 15 to 21, he may request additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects in accordance with Articles 13 and 14 may be provided in combination with standardised icons in order to provide an easily perceptible, comprehensible and clearly comprehensible overview of the processing envisaged. If the symbols are displayed in electronic form, they must be machine-readable.
8. Powers are delegated to the Commission to adopt acts delegated pursuant to Article 92 to determine the information to be represented by symbols and the procedures for the provision of standardised symbols.
4.2 Article 13: Information to be provided where personal data are collected from the data subject
1. Where personal data are collected from the data subject, the data subject shall be informed by the data controller of the following at the time when such data are collected:
(a) the name and contact details of the person responsible and, where appropriate, his representative;
(b) where appropriate, the contact details of the data protection officer;
(c) the purposes for which the personal data are to be processed and the legal basis for the processing;
(d) where processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
(e) where appropriate, the recipients or categories of recipients of the personal data; and
(f) where appropriate, the intention of the controller to transfer the personal data to a third country or an international organisation and the existence or absence of a Commission adequacy decision or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or appropriate safeguards and the possibility of obtaining a copy thereof or where they are available.
2. In addition to the information referred to in paragraph 1, the data subject’s data controller shall, at the time of collection of such data, provide the following additional information necessary to ensure fair and transparent processing:
a) the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration;
(b) the existence of a right of access by the controller to the personal data concerned and of rectification, deletion or restriction of processing or of a right of opposition to processing and of data transferability;
(c) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without prejudice to the legality of the processing carried out on the basis of the consent until withdrawal;
(d) the existence of a right of appeal to a supervisory authority;
(e) whether the provision of personal data is required by law or by contract or is necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide them; and
(f) the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
3. If the data controller intends to process the personal data for a purpose other than that for which the personal data were collected, he shall provide the data subject with information on that other purpose and any other relevant information in accordance with paragraph 2 before such further processing.
4. Paragraphs 1, 2 and 3 shall not apply if and in so far as the data subject already has the information.
4.3 Article 14: Information to be provided where personal data have not been obtained from the data subject
1. Where personal data are not collected from the data subject, the data subject shall be informed by the data controller of the following:
(a) the name and contact details of the person responsible and, where appropriate, his representative;
b) additionally the contact data of the data protection officer;
(c) the purposes for which the personal data are to be processed and the legal basis for the processing;
(d) the categories of personal data being processed;
(e) where appropriate, the recipients or categories of recipients of the personal data;
(f) where appropriate, the intention of the controller to transmit the personal data to a recipient in a third country or an international organisation and the existence or absence of a Commission adequacy decision or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or appropriate safeguards and the possibility of obtaining a copy thereof or where they are available.
2. In addition to the information referred to in paragraph 1, the data controller shall provide the data subject with the following information necessary to ensure fair and transparent processing towards the data subject:
a) the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration;
(b) where processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
(c) the existence of a right of access by the controller to the personal data concerned and of rectification, deletion or restriction of processing and of a right of opposition to processing and of data transferability;
(d) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without prejudice to the legality of the processing carried out under the consent until withdrawal;
(e) the existence of a right of appeal to a supervisory authority;
(f) the source of the personal data and, where appropriate, whether they come from publicly available sources;
(g) the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
3. The person responsible shall provide the information referred to in paragraphs 1 and 2
a) taking into account the specific circumstances of the processing of the personal data within a reasonable period after obtaining the personal data, but no later than one month,
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to him or her; or,
(c) if disclosure to another recipient is intended, at the latest at the time of the first disclosure.
4. If the data controller intends to process the personal data for a purpose other than that for which the personal data were obtained, he shall provide the data subject with information on that other purpose and any other relevant information in accordance with paragraph 2 before such further processing.
5. Paragraphs 1 to 4 shall not apply if and to the extent that
(a) the data subject already has the information,
(b) the provision of such information proves impossible or would require a disproportionate effort, in particular for processing for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and guarantees referred to in Article 89(1) or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously prejudicial the attainment of the objectives of such processing. In such cases, the data controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including the provision of such information to the public,
(c) the law of the Union or of the Member States to which the data controller is subject and which provides for appropriate measures to protect the legitimate interests of the data subject is expressly established; or
(d) the personal data are subject to professional secrecy in accordance with Union law or the law of the Member States, including a duty of confidentiality laid down in the statutes, and must therefore be treated confidentially.
4.4 Article 15: Right of access by the data subject
1. The data subject shall have the right to request confirmation from the data controller as to whether personal data concerning him or her are being processed; if this is the case, he or she shall have a right of access to such personal data and to the following information:
(a) processing purposes;
(b) the categories of personal data being processed;
(c) the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations;
d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
(e) the existence of a right of rectification or deletion of personal data concerning him or of a restriction on processing by the controller or of a right of opposition to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) where the personal data are not collected from the data subject, all available information on the origin of the data;
(h) the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
2. Where personal data are transferred to a third country or international organisation, the data subject shall have the right to be informed of the appropriate guarantees in accordance with Article 46 in relation to the transfer
3. The controller shall make available a copy of the personal data which are the subject of the processing. For all other copies requested by the data subject, the data processor may charge an appropriate fee on the basis of the administrative costs. Where the data subject submits the application electronically, the information shall be provided in a common electronic format, unless otherwise indicated.
4. The right to obtain a copy in accordance with paragraph 1b shall not prejudice the rights and freedoms of other persons.
4.5 Article 16: Right to rectification
The data subject shall have the right to request the controller to rectify any inaccurate personal data concerning him/her without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
4.6 Article 17: Right to erasure (“Right to be forgotten”)
1. The data subject shall have the right to require the data controller to delete personal data concerning him/her without delay and the data controller shall be obliged to delete personal data without delay if one of the following reasons applies:
a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
(b) the data subject withdraws his/her consent on which the processing referred to in Article 6(1)(a) or Article 9(2)(a) was based and there is no other legal basis for the processing.
(c) the data subject opposes processing in accordance with Article 21(1) and there are no overriding legitimate grounds for processing or the data subject opposes processing in accordance with Article 21(2).
d) The personal data have been processed unlawfully.
(e) The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
(f) the personal data have been collected in relation to information society services provided in accordance with Article 8(1).
2. Where the data controller has made the personal data public and is obliged to delete them in accordance with paragraph 1, he shall take appropriate measures, including technical measures, taking into account the technology available and the implementation costs, to inform data processors of the personal data that a data subject has requested them to delete all links to such personal data or copies or replications of such personal data.
3. Paragraphs 1 and 2 shall not apply where processing is necessary
(a) the exercise of freedom of expression and information;
(b) for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
(c) on grounds of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
(d) for archiving purposes of public interest, scientific or historical research purposes or for statistical purposes referred to in Article 89(1), where the right referred to in paragraph 1 is likely to render impossible or seriously prejudicial the attainment of the objectives of such processing; or
e) to assert, exercise or defend legal claims.
4.7 Article 18: Right to restriction of processing
1. The data subject shall have the right to require the controller to restrict processing if one of the following conditions is met:
(a) the accuracy of the personal data is disputed by the data subject for a period which enables the data controller to verify the accuracy of the personal data,
(b) the processing is unlawful and the data subject refuses to delete the personal data and instead requests that the use of the personal data be restricted;
(c) the data controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the purpose of asserting, exercising or defending claims; or
(d) the data subject has lodged an objection to the processing referred to in Article 21(1) until it has been established whether the data subject’s legitimate reasons outweigh those of the data subject.
2. Where the processing referred to in paragraph 1 has been restricted, such personal data may not be processed except with the data subject’s consent or for the purpose of asserting, exercising or defending rights or for the protection of the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
3. A data subject who has obtained a restriction on processing in accordance with paragraph 1 shall be informed by the data controller before the restriction is lifted.
4.8 Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall notify all recipients to whom personal data have been disclosed of any correction or deletion of the personal data or any restriction on the processing referred to in Articles 16, 17(1) and 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of these recipients if the data subject so requests.
4.9 Article 20: Right to data portability
1. The data subject shall have the right to receive the personal data relating to him which he has provided to a controller in a structured, current and machine-readable format and to transmit such data to another controller without interference by the controller to whom the personal data have been provided, provided that
(a) processing is based on the consent referred to in Article 6(1)(a) or Article 9(2)(a) or on a contract referred to in Article 6(1)(b); and
(b) processing is carried out by means of automated methods.
2. In exercising his right to data transferability under paragraph 1, the data subject shall have the right to have the personal data transferred directly by a data controller to another data controller, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
4. The right referred to in paragraph 2 shall not prejudice the rights and freedoms of other persons.
4.10 Article 21: Right to object
1. The data subject shall have the right to object at any time to the processing of personal data relating to him/her on the basis of Article 6(1)(e) or (f) for reasons arising from his particular situation, including profiling based on those provisions. The data controller no longer processes the personal data unless he can prove compelling grounds for protection for the processing which outweigh the interests, rights and freedoms of the data subject or the processing serves to assert, exercise or defend legal claims.
2. Where personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him/her for the purpose of such advertising, including profiling, in so far as it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.
4. The data subject shall be expressly informed of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him/her, in an intelligible form separate from other information.
5. In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his right of opposition by means of automated procedures using technical specifications.
6. The data subject shall have the right to object to the processing of personal data relating to him/her for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) for reasons arising from his particular situation, unless such processing is necessary for the performance of a task in the public interest.
4.11 Article 22: Automated individual decision-making, including profiling
1. The data subject shall not be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against him or her or significantly affects him or her in a similar manner.
2. Paragraph 1 shall not apply where the decision
(a) is necessary for the conclusion or performance of a contract between the data subject and the data controller,
(b) is admissible under Union or Member State law to which the data controller is subject and that law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject; or
(c) with the express consent of the data subject.
3. In the cases referred to in paragraph 2(a) and (c), the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a person by the controller, to state his own position and to challenge the decision.
The decisions referred to in paragraph 2 shall not be based on specific categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.
4.12 Article 23: Restrictions
1. Legislation of the Union or of the Member States to which the controller or the processor is subject may enact legislative measures to restrict the obligations and rights referred to in Articles 12 to 22, Article 34 and Article 5, insofar as their provisions comply with the rights and obligations provided for in Articles 12 to 22, provided that such a restriction respects the substance of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society which ensures the following:
(a) national security;
(b) national defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of sentences, including protection against and prevention of threats to public security;
(e) the protection of other important general public interest objectives of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, such as monetary, budgetary, fiscal, public health and social security objectives;
(f) the protection of the independence of the judiciary and the protection of judicial proceedings;
(g) the prevention, detection, investigation and prosecution of breaches of the professional rules of regulated professions;
(h) control, surveillance and regulatory functions permanently or temporarily connected with the exercise of official authority for the purposes referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of other persons;
(j) the enforcement of civil law claims.
2. Each legislative measure referred to in paragraph 1 shall contain, in particular, where appropriate, specific provisions concerning at least
(a) the purposes of the processing or the categories of processing,
(b) the categories of personal data,
(c) the extent of the restrictions imposed,
(d) the guarantees against misuse or unlawful access or transmission;
(e) the details of the person or categories of persons responsible,
(f) the storage periods and the guarantees in force, taking into account the nature, scope and purposes of the processing or processing categories,
(g) the risks to the rights and freedoms of data subjects
and
(h) the right of data subjects to be informed of the restriction, provided that this is not detrimental to the purpose of the restriction.
4.13 Article 77: Right to lodge a complaint with a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, any data subject shall have the right of appeal to a supervisory authority, in particular in the Member State where he resides, works or is alleged to have infringed, where the data subject considers that the processing of his personal data is contrary to this Regulation.
2. The supervisory authority to which the complaint has been lodged shall inform the complainant of the state and outcome of the complaint, including the possibility of a judicial remedy under Article 78.
5. Definition
For the purposes of this Regulation and Article 4 GDPR, the following definitions shall apply:
1) „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics which express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
2) “Processing” means any operation carried out, with or without the aid of automated procedures, or any such series of operations relating to personal data, such as the acquisition, collection, organisation, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction;
3) “Restriction of processing” means the marking of stored personal data with the aim of restricting their future processing;
4) “Profiling” means any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person;
5) “Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6) “File system“ means any structured collection of personal data accessible according to specific criteria, whether centralised, decentralised, functional or geographical;
7) “Controller” means the natural or legal person, authority, body or other body which, alone or in association with others, decides on the purposes and means of processing personal data; where the purposes and means of such processing are specified by Union law or by the law of the Member States, the controller may or may provide for the specific criteria for his appointment under Union law or the law of the Member States;
8) “Processor” means any natural or legal person, authority, institution or other body processing personal data on behalf of the data controller;
9) “Recipient” means any natural or legal person, authority, institution or other body to which personal data is disclosed, whether or not it is a third party. However, authorities which may receive personal data under Union law or the law of the Member States under a particular investigation mandate shall not be considered recipients; the processing of such data by the said authorities shall be carried out in accordance with the applicable data protection rules in accordance with the purposes of the processing;
10) “Third party” means any natural or legal person, authority, institution or other body other than the data subject, the data processor, the data processor and the persons authorised to process the personal data under the direct responsibility of the data processor or the data processor;
11) “Consent” of the data subject means any voluntary declaration of intent, in an informed and unequivocal manner, in the form of a declaration or other clear affirmative act, in which the data subject indicates his or her consent to the processing of personal data concerning him or her;
12) “Breach of the protection of personal data” means a breach of security which, whether unintentional or unlawful, leads to the destruction, loss, alteration or unauthorised disclosure or access to personal data transmitted, stored or otherwise processed;
13) “Genetic data“ means personal data relating to the genetic characteristics, inherited or acquired, of a natural person which provide clear information on the physiology or health of that natural person and which have been obtained in particular from the analysis of a biological sample of the natural person concerned;
14) “Biometric data” means personal data obtained by specific technical procedures relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
15) “Health data“ means personal data relating to the physical or mental health of a natural person, including the provision of health services, and providing information on their state of health;
16. „Head office“
(a) in the case of a controller with establishments in more than one Member State, the place of his head office in the Union, unless the decisions concerning the purposes and means of processing personal data are taken in another office of the controller in the Union and that office is empowered to have those decisions implemented, in which case the office taking such decisions shall be considered the principal office;
(b) in the case of a processor with establishments in more than one Member State, the place of his head office in the Union or, where the processor has no head office in the Union, the place of business of the processor in the Union where the processing operations are mainly carried out in the context of the activities of a processor´s establishment, where the processor is subject to specific obligations under this Regulation;
17) “Representative“ means a natural or legal person established in the Union who has been appointed in writing by the person responsible or processor in accordance with Article 27 and who represents the person responsible or processor in accordance with their respective obligations under this Regulation;
18) “Business” means any natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations, which regularly pursue an economic activity;
19) “Group of businesses” means a group consisting of a controlling business and the businesses controlled by it;
20) “Binding internal data protection rules” means measures to protect personal data which a controller or processor established in the territory of a Member State undertakes to respect in one or more third countries with regard to data transfers or a category of data transfers of personal data to a controller or processor of personal data from the same group of undertakings or the same group of undertakings carrying out a joint economic activity;
21) “Supervisory authority” means an independent public authority established by a Member State in accordance with Article 51;
22) “Supervisory authority concerned“ means a supervisory authority which is affected by the processing of personal data because
(a) the person responsible or the processor is established in the territory of the Member State of that supervisory authority,
(b) such processing has or may have significant effects on data subjects residing in the Member State of that supervisory authority; or
(c) a complaint has been lodged with that supervisory authority;
23) “Cross-border processing” means either
(a) processing of personal data in the context of the activities of establishments of a controller or contract processor in the Union in more than one Member State where the controller or contract processor is established in more than one Member State, or
(b) processing of personal data in the context of the activities of an individual establishment of a controller or contract processor in the Union, but which has or may have significant effects on data subjects in more than one Member State;
24) “Relevant and well-founded opposition“ means an opposition to a draft decision as to whether there has been an infringement of this Regulation or whether the measures envisaged against the controller or the processor are in conformity with this Regulation, clearly indicating the scope of the risks posed by the draft decision in relation to the fundamental rights and freedoms of data subjects and, where appropriate, the free movement of personal data within the Union;
25) “Information Society Service” means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council ( );
26) “International organisation” means an international organisation and its subsidiary bodies or any other body established by or on the basis of an agreement concluded between two or more countries.
Version 1.0
04.07.2018