Privacy Policy
Last Updated: 01 August 2024
1. Who is responsible for data processing and whom can I contact?
2. For what purpose do we process your data and on which legal basis?
3. Which data do we process when you visit our website?
4. Who is the recipient of my data?
5. Is my personal data processed outside the European Union and the EEA?
6. To what extent does automated decision making take place in individual cases?
7. How long will my data be stored?
8. What are my privacy rights?
Grover is committed to protecting your data and privacy rights. This Privacy Policy (“Privacy Policy”) provides information about how we collect your personal data, what we do with it, for what purposes and on what legal basis this happens, and what rights and claims are associated with it for you.
The Privacy Policy applies to information we obtain from and about you when you interact with us, our website, mobile application, products and services. However, it does not apply to job applicants, Grover employees, suppliers, existing or potential business partners.
Data Protection Requests: If you would like to raise a data protection request, please fill out our Privacy Webform via this link or contact our external Data Protection Officer at the email address provided below.
1. Who is responsible for data processing and whom can I contact?
Data Controller
Grover Deutschland GmbH (hereinafter referred to as “we”, “our” or “Grover”) is the data controller within the meaning of GDPR as being the operator of the website www.grover.com ("website") and the Grover App for the processing activities described in this Privacy Policy. It is also the contractual partner of the customer (hereinafter referred to as “you”, “your” or “customer"). Below you can find further company details:
Address: Potsdamer Str. 125, 10783 Berlin, Germany
Commercial Register: Amtsgerichts Charlottenburg
Commercial Register Number: HRB 246291 B
E-mail: support@grover.com
Please note we use this email address only for customer support inquiries. For data protection requests, we kindly ask that you could use our Privacy Webform.
In the course of our business relationship with you, we share your personal data with Grover Group GmbH ("Grover Group"). We and Grover Group are jointly responsible for the proper protection of your personal data (Article 26 of the GDPR). Both companies have entered into an agreement to determine which of them fulfils which obligations under data protection law. We provide you with the essential content of this agreement here. Grover Group is primarily responsible for exercising the rights of data subjects and for providing information for data processing.
Below you can find further company details:
Address: Potsdamer Str. 125, 10783 Berlin, Germany
Commercial Register: Amtsgerichts Charlottenburg
Commercial Register Number: HRB 166467 B
E-mail: support@grover.com
Please note we use this email address only for customer support inquiries. For data protection requests, we kindly ask that you could use our Privacy Webform.
The External Data Protection Officer
You can reach the external data protection officer of at
datenschutz nord GmbH
Branch office Berlin
Kurfürstendamm 212
10719 Berlin
e-mail: office@datenschutz-nord.de
2. For what purpose do we process your data and on which legal basis?
2.1 Data processing when using Grover services
We process personal data in accordance with the provisions of the GDPR and the Federal Data Protection Act (BDSG) for the following purposes:
a) For the performance of contractual and pre-contractual obligations (Article 6 (1) sentence 1 (b) GDPR)
The processing of personal data (Article 4 No. 2 GDPR) is carried out for the purpose of providing this website and for the marketing of the products, in particular for the conclusion and processing of contracts, for invoicing, for the implementation of pre-contractual measures, for answering inquiries in connection with our business relationship and for all activities required for the operation and administration of the company.
The purposes of data processing are primarily based on the specific product. Further details regarding the purpose of data processing within the scope of contracts can be found in the respective contract documents and terms and conditions.
In particular, Grover processes the personal information that you provide as a user during registration, for contractual purposes or within the scope of an inquiry. In particular, this concerns the following data: Name, date of birth, e-mail address, address (invoice and possibly differing shipping address), order information, optional telephone number and bank details. In addition, Grover stores the password, which the user can freely choose. The password is not stored in plain text, but only a so-called hash value.
If you use our service offering for digital products, we will collect data about your purchase of the digital item to ensure the proper functioning of our services, facilitate customer support and improve our products. This data includes transaction details, product identifiers, and purchase history.
If you use our service offering for tech-accessories, we will collect order data to ensure the proper functioning of our services, facilitate customer support and improve our products. This data includes order details, your full name, email address and shipping address.
If you utilize our add-on service, Grover Care, we will also collect data about product damages reported by You.
Also, we collect and process personal data about you (including name, email and postal code), if you enroll in any of our loyalty programs.
b) Based on legitimate interests (Article 6 (1) sentence 1 (f) GDPR)
In addition, we process your data beyond the provision of the website and the actual fulfilment of the contract to protect legitimate interests of us or third parties, as in the following cases in particular:
Response to your inquiries outside of a contract or pre-contractual measures;
Advertising or market and opinion research, unless you have objected to the use of your data, this includes existing customer advertising;
Evaluation of our advertising measures, e.g. tracking of click and opening behavior in e-mail campaigns;
Enforcement of legal claims and defense in legal disputes;
Ensuring IT security and IT operation;
Creditworthiness check;
Prevention and investigation of criminal offences; among others, by verifying your identity;
Sending out payment reminder notifications regarding your upcoming payment if you select pay by invoice as your payment method;
Measures for business management and further development of products.
Our legitimate interest is to market our products in the best possible way and to further develop them and our company, or to protect our company against impairments and dangers and to enforce our claims.
c) Based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
If you have given us your consent to process personal data for specific purposes (e.g. evaluation or use of data for marketing purposes, receipt of advertising by e-mail), the legality of this processing is based on your consent.
If you have given your consent for email marketing, we will contact you to celebrate your birthday. To facilitate this, we will process your name, email address and date of birth.
Your consent can be revoked at any time. Please note that the revocation is only effective for the future.
d) Due to legal requirements (Art. 6 para. 1 sentence 1 lit. c GDPR)
We are also subject to various legal obligations, e.g. money laundering law, tax laws, which require the processing of data.
e) Based on your explicit consent (Art. 9 para. 2 lit. a GDPR)
If you have given us your explicit consent to process personal data including biometric data or health data or data relating to religious or ideological beliefs revealed as a result of the bank account check (see below under 2.) for the purposes of fraud prevention, risk assessment and identity verification, the legality of this processing is based on your explicit consent. Your consent can be revoked at any time. Please note that the revocation is only effective for the future.
In cases of early termination due to health issues, we may collect and process personal data through your submission of health data.
2.2 Data processing for credit assessment, risk analysis and fraud prevention
a) Creditworthiness Check
In the course of the ordering process, we may check your creditworthiness. For this purpose we transmit the following data to so-called credit bureaus cooperating with us:
Customers (including Freelancer): Full name, billing and shipping address, date of birth, phone number, email.
Business customers: Company, company address.
We transfer your personal data to the following companies, among others, for credit assessment:
CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich
Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss
Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden
Creditsafe Germany GmbH, Schreiberhauer Straße 30, 10317 Berlin
For the decision on the conclusion, performance or termination of a contractual relationship, we use not only an address check, but also information about your previous payment behavior as well as probability values for your future behavior, which include, among other things, address data. We obtain this information from the following providers, among others:
CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich
Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss
Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden
Creditsafe Germany GmbH, Schreiberhauer road 30, 10317 Berlin
Personal data, including but not limited to, phone number, name, address and date of birth may be shared with mobile operators for the purpose of identity verification, fraud prevention and authentication.
Grover is collecting and sharing data about customer sessions (including name, address, email address, phone number and IP address) and payment with Mastercard Europe SA. The legal basis for this is legitimate interest (Article 6 (1) sentence 1 (f) GDPR), resulting from our interest in preventing abuse and fraud and avoiding debts in current and future rental contracts. In this regard, such personal data will be transferred and stored outside the country in which it was collected (e.g., transfer to and storage in the United States) based on the Mastercard Binding Corporate Rules, as approved by the competent Data Protection Authority in the EU. These rules include your right to enforce them as third-party beneficiaries.
For the decision on the establishment of a contractual relationship, we also carry out our own analyses to detect abuse and fraud. In particular, we use the following categories of data:
Customer characteristics (e.g. data from credit reports, age, mobile phone provider, e-mail provider)
Shopping cart data like device categories
Behavioral data (e.g. number of orders and their status, behavior on the website)
Payment data like payment methods
Reconciliation of account data with other user accounts with regard to matching data
Only if applicable, Bank account data, in particular, account balances, turnover and transaction data
Data required to complete identity verification checks including a scan of a photo ID (e.g. a passport, a driver's license or an identity card), an image, a video including audio data and biometric facial identifiers
Customer characteristics such as data from credit reports and mobile phone providers.
The credit information and the own analyses for fraud detection can contain probability values (score values), which are calculated on the basis of scientifically recognized mathematical-statistical procedures and their calculation includes among other things (but not exclusively) address data. The legal basis for this is Article 6 paragraph 1 letter f) GDPR. The legitimate interest results from our interest in reducing the contractual risk, in protection against bad debts and against the danger of misuse of our services by third parties. Your interests worthy of protection are taken into account in accordance with the statutory provisions.
In individual cases we check the calculation or the calculation result manually.
In order to prevent abuse and fraud and to avoid debts in current and future rental contracts of the customer, the longer-term storage (see 3.) of creditworthiness data and data from our own analyses is necessary for the detection of abuse and fraud. The legal basis is Art. 6 Paragraph 1 Letter f) GDPR. Our legitimate interest arises from our interest in detecting fraudulent behaviour or patterns of behaviour, recognising and taking into account developments in the creditworthiness of our customers, evaluating the rental agreements (the risk portfolio and the probability of default are relevant for investors, among others) and reviewing and improving our risk management (by analysing the data records - only in anonymised form).
If the other legal requirements are met, we will also forward information about delays in payment or a possible loss of receivables to credit agencies cooperating with us, such as Schufa Holding AG, Wiesbaden. The legal basis for this is article 6 paragraph 1 letter f) GDPR. Our legitimate interest results from our and third parties' interest in reducing contractual risks for future contracts.
b) Identity Check
In order to detect/prevent fraudulent activities, we use the services of Onfido Limited. It is necessary for us to check whether the scan of a photo ID is genuine or fraudulent by confirming that the photo/video matches the facial biometrics in the photo on the provided document or in our database. Biometrics adds a layer of protection against stolen IDs and impersonation attacks. For this data processing, the legal basis is your explicit consent in accordance with Art. 9 para. 2 lit. a GDPR. We do not share these types of data with third parties unless required by law. You can revoke your consent with effect for the future at any time. The data processing that took place until the revocation remains lawful. If you want to obtain further information on retention periods, please see “How long will my data be stored for?” further below.
c) Bank Account Check
You can have your bank account checked by us if your credit score is negative. During this process, we check your bank account data by using our partner called FinTecSystems GmbH. This is necessary for the purpose of deciding on the establishment of a contractual relationship, for identity verification and for fraud prevention. We only review your three months of financial data such as your account balances and turnover. We do not share your bank account data with third parties. The legal basis for this is Article 6 (1) sentence 1 (a) GDPR.
Even though we are only interested in your financial data, your data related to your health, religious or ideological beliefs may be visible in your transactions. In such cases, your consent extends to special categories of personal data pursuant to Article 9 (1) of the GDPR. The legal basis for this is your explicit consent in accordance with Article 9 paragraph 2 letter a) GDPR.
You can revoke your consent with effect for the future at any time in this context. The data processing that took place until the revocation remains lawful. If you want to obtain further information on retention periods, please see “How long will my data be stored for?” further below.
3. Which data do we process when you visit our website?
3.1 Usage data
When you visit our website, our web server temporarily evaluates so-called usage data for statistical purposes as a protocol in order to improve the quality of our website. This data record consists of
the name and address of the requested content,
the date and time of the query,
the transferred data volume,
the access status (content transferred, content not found),
the description of the used web browser and operating system,
the referral link, which indicates from which page you reached ours,
the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established.
The mentioned log data will only be evaluated anonymously.
In addition, we store the IP address transmitted by your web browser solely for the purposes of fraud detection and prevention as well as to protect you against such fraudulent activities based on Article 6 para. 1 letter f) GDPR. We may also transfer the IP address to third parties solely for the fulfillment of these purposes.
3.2 Cookies and similar technologies
Grover's websites use cookies and similar technologies to offer you a secure and personalized user experience on our sites and to improve our communications and products. For further information on cookies please refer to our Cookie Policy.
The types of cookies used on our website serve various purposes and can be categorized as follows:
Strictly Necessary Cookies.
These cookies are necessary for the website to function and cannot be switched off in our systems. Based on Article 6 para. 1 lit. f GDPR, we use these strictly necessary cookies:
to identify you as being logged in to the website and to authenticate you;
to make sure you connect to the right service on the website when we make any changes to the way it works;
for the effective functioning of our services, such as tracking fraudulent activity and behaviour.
We do not use these required cookies for range analysis, tracking or advertising purposes. You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent for you. You can also delete cookies at any time using the appropriate browser setting and prevent the setting of new cookies. Please note that our web pages may not be able to be displayed and some functions may no longer be available for technical reasons.
Functional Cookies.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages.
These cookies support additional functionality that enhances our website. They are used to remember user location, chosen language or other settings to provide a personalised user experience on our website. Other examples of functional cookies include chat services and user preferences.
The data processing is based on your consent in accordance with Article 6 para. 1 p. 1 lit. a GDPR or Section 25 para. 1 Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG), if you have given your consent via our banners. If you do not allow these cookies then some or all of these services may not function properly.
Performance and Analytics Cookies.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and then anonymous.
In addition, we use the following functions in the context of visitor measurement:
We enrich the aggregated data with additional data provided by third parties. In this way, we are able to record demographic characteristics of our visitors, e.g. statements on age, gender and place of residence.
We use a recognition method that allows us to capture and subsequently evaluate the mouse pointer movement of our visitors.
The data processing is based on your consent in accordance with Article 6 para. 1 p. 1 lit. a GDPR or Section 25 para. 1 TTDSG, if you have given your consent via our banners. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
In the following, we will name the third-party providers with whom we work in connection with visitor measurement. If the data is processed outside the EU or EEA in this context, please note that there is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to a third country is based on Art. 49 para. 1 lit. a GDPR.
i) Provider = Google LLC (USA)
Maximum storage period: 2 years
Adequate level of data protection: No adequate level of data protection. The data is transmitted on the basis of Art. 49 para. 1 lit. a GDPR.
ii) Provider = Amplitude, Inc. (USA)
Maximum storage period: As long as necessary
Adequate level of data protection: No adequate level of data protection. The data is transmitted on the basis of Art. 49 para. 1 lit. a GDPR.
Revocation of consent: If you wish to revoke your consent, please scroll to the bottom of our website, click on "Cookie settings" and make the appropriate setting via our banner.
Profiling and Targeting Cookies.
We use cross-device tracking technologies to help us display targeted advertising on other websites based on your visit to our websites and to help us determine how effective our advertising efforts have been.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
We also engage in affiliate marketing, which is done by embedding tracking links into the website. If you click on a link for an affiliate partnership, a cookie will be placed on your browser to track any sales for commission payments. The purpose of storing this data is to process commission payments between the advertiser and us as an affiliate, which are processed via the affiliate network.
We participate in the partner program of Tradedoubler International AB, Mainzer Str. 13 80804 München, Germany. Further information about Tradedoubler's use of data can be found here (https://www.tradedoubler.com/de/privacy-policy/).
We are a member of the partner network of CJ Affiliate (Epsilon International UK Ltd), 1st Floor 2 Television Centre, 101 Wood Lane, London, England, W12 7FR. Further information on the use of data by CJ Affiliate can be found here (www.cj.com/legal/privacy-policy-services).
We, among others, partnered with Klarna MAS AB, Sveavägen 46, 111 34 Stockholm, Sweden, which enables us to manage, measure and optimize our performance marketing and influencer marketing campaigns. Further information about Klarna‘s use of data can be found here (https://creator.klarna.com/about/privacy-policy-consumer).
We use targeted advertising services of Criteo SA, 32 Rue Blanche, 75009 Paris, France. In order to be able to show you interest-based advertising, we or other Criteo partners need to be able to recognize you. For this purpose, a cookie is stored on your device or a comparable identifier is used, which links your user behavior with a pseudonymous user profile.
Criteo collects the following data: Criteo cookie, technical information related to the device you use, data regarding your internet connection, browsing events, IP addresses and hashed mail addresses. The email addresses are subject to pseudonymization methods to irreversibly transform them into a series of characters. For details, please refer to Criteo's privacy policy at: https://www.criteo.com/de/privacy/.
Criteo and we are joint controllers within the meaning of Art. 26 GDPR. A joint processing agreement has been concluded between Criteo and us, the essence of the arrangement can be found here; https://www.criteo.com/de/privacy/how-we-use-your-data/.
Both controllers are independently responsible for ensuring your data subject rights.
Your personal data and the Criteo cookies stored in your browser will be stored for a maximum of 13 months from the date of collection. The use of the above-mentioned service is carried out based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can disable these Criteo services via the following link: https://www.criteo.com/privacy/#user-choices.
The data processing is based on your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR or Section 25 para. 1 TTDSG, if you have given your consent via our banner. Your consent is voluntary and can be revoked at any time.
3.3 Access Protected Area
If you wish to use our access-protected area, prior registration is necessary.
We only collect the data required for registration. The processing is based on Art. 6 para. 1 sentence 1 letter b GDPR or on Art. 6 para. 1 letter f GDPR in the interest of providing you with the services and information of the access-protected area.
If we collect additional data, these are marked as voluntary and are based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
4. Who is the recipient of my data?
Within the respective responsible company, those departments that need access to your data to fulfil our contractual and legal obligations are granted access to your data.
We will pass on your data to the recipients named in this privacy policy. We also pass on your data to the following categories of recipients if this is necessary to fulfil a contractual relationship with you or to carry out pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR) or to safeguard legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
IT service providers, especially software as a service, hosting, storage and cloud computing providers
Logistics service provider
E-mail marketing service providers and customer service providers who, among other things, create offers and invoices for us
Marketing service providers, especially Google Adwords and WhatsApp consulting service providers
Payment service providers and credit institutions for the collection of a charge or the provision of a payment service
Collection agency for the enforcement of claims
Service providers who support us in risk analysis and fraud prevention
Insurance companies and legal service providers
Identity verification service provider called Onfido Limited for the purpose of verifying your true identity and validity of your identity documents in order to detect/prevent fraudulent activities
If you use our service offering for special products, namely, digital products and/or tech-accessories, we will send data to our partner service providers to facilitate the services.
Insofar as processing is necessary to protect legitimate interests, for example when using IT services, our legitimate interest is to outsource functions.
In addition, your personal data will be passed on or transmitted if required by law (Art. 6 para. 1 sentence 1 lit. c GDPR) or if you have given your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
5. Is my personal data processed outside the European Union and the EEA?
For the processing of your data we also use service providers located in third countries outside the European Union or the European Economic Area (EEA). These countries may have a different level of data protection than within the European Union. Unless there is a decision by the EU Commission that these third countries generally offer an adequate level of data protection, we have taken special measures to ensure that your data is processed in the third countries as securely as within the European Union. With service providers in third countries we conclude the standard data protection clauses of the European Commission to provide appropriate guarantees for the protection of your data with service providers in the third country. You can request a copy of these data protection clauses by contacting us at the contact details given above. Furthermore, we carry out Transfer Impact Assessments to make sure that service providers in third countries provide adequate protection of personal data. In addition, we encrypt or pseudonymize personal data before transferring it to a service provider in a third country, provided that this is technically possible and appropriate.
An adequacy decision (Data Privacy Framework Program) applies to the U.S., under which certified companies can demonstrate an adequate level of data protection. If a data recipient is not certified, we conclude the European Standard Contractual Clauses with them.
6. To what extent does automated decision making take place in individual cases?
When establishing contractual relationships, we use fully automated decision-making processes in the sense of Art. 22 Para. 1 GDPR, taking into account the creditworthiness data provided by credit agencies and the score value determined by our own analyses for abuse and fraud detection (see above under 2.) This is necessary for the conclusion of the contract in the sense of Art. 22 para. 2 lit. a GDPR: automated decision making allows for greater coherence and fairness, the risk of non-payment due to lack of solvency, abuse or fraud is minimized and we can make decisions within shorter deadlines and increase our efficiency. All this is essential in our mass and time-critical online business. It is therefore possible that we may automatically reject your order based on the determined creditworthiness or the determined probability of abuse or fraud. If you do not agree with our decision, you can inform us in writing or by filling out our Privacy Webform and express your point of view. A member of staff will then review the decision, taking your point of view into account, and correct it if necessary.
7. How long will my data be stored?
Your data will be processed according to the legal regulations and deleted in accordance with the intended deletion periods.
As far as necessary, we process and store your personal data for the duration of our contractual relationship, which also includes, for example, the initiation and execution of a contract. Please note that our contractual relationship is usually a continuing obligation.
In the case of contractual relationships, but also in the case of other civil law claims, the storage period is also governed by the statutory limitation periods, which, for example, according to §§ 195 ff. of the German Civil Code (BGB), are usually three years, but in certain cases can be up to thirty years.
In addition, we are subject to various storage and documentation regulations, which result from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods of retention or documentation specified there are six years for correspondence in connection with the conclusion of a contract and 10 years for accounting records and business letters (§§ 238, 257 para. 1 and 4 HGB, § 147 para. 1 and 3 AO).
Logfiles are deleted in principle after the end of the respective browser session, at the latest after seven days, unless their further storage is exceptionally necessary and lawful. The storage period of cookies depends on the individual case and is usually between twelve and 24 months.
Customer data and your customer account will be deleted five years after the end of your last rental contract or after your last login, whichever comes later.
We usually delete the following customer data within the following shorter periods:
Data on telephone conversations with customers (for example telephone number) will be deleted one year after the last telephone conversation with the customer. If we record a telephone conversation in individual cases, which is only done with the customer's voluntary consent, the recording is automatically deleted after 30 days.
Credit scoring data (see above under 2.) of customers whose order was rejected for reasons of creditworthiness, we delete or anonymize after six months. Otherwise, we delete or anonymize creditworthiness data five years after the end of your last rental agreement or after your last login, whichever comes later.
Bank account data including account balances, turnover and transaction data for the purpose of deciding on the establishment of a contractual relationship, for identity verification and for fraud prevention (see above under 2.), we will delete or anonymize your data after six months from the receipt of your data.
Data from our own analyses for abuse and fraud detection (see above under 2.) we will delete or anonymize your data five years after the end of your last rental agreement or after your last login, whichever comes later.
Data required to complete ID verification checks including a scan of a photo ID (e.g. a passport or a driver's license or an identity card), an image, a video including audio data and the biometric facial identifiers extracted by Onfido Limited from the image/video (see above under 2.), we will delete these types of data after 6 months following the completion of identity verification process.
8. What are my privacy rights?
In order to assert all these rights as well as for further questions regarding personal data, you can fill out our Privacy Webform or contact our data protection officer.
You have the right of access (Art. 15 GDPR), the right of rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to limit processing (Art. 18 GDPR) and the right of data transferability (Art. 20 GDPR).
You also have the right to object to data processing by us (Art. 21 GDPR).
Your rights in detail:
You can request confirmation as to whether and how we process your personal data. In particular, you have a right of access to your personal data and the information about the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed, if possible the envisaged storage period, or, if this is not possible, the criteria for determining this period; the existence of a right to rectification or erasure of your personal data, to restriction of the processing or to object to such processing; the existence of a right to lodge a complaint with a supervisory authority; the source of the data if the personal data has not been collected from you, the existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic involved and the significance and envisaged consequences of such processing. If we transfer personal data to a third country or an international organisation, you may also request information about the safeguards we have in place to protect your data. Your right to information may be limited in individual cases by national law (Sections 29 (1) sentence 2, 34 BDSG) and the rights and freedoms of others.
You may request the rectification of inaccurate personal data with undue delay or, taking into account the purposes of the processing, the completion of incomplete personal data - also by means of providing a supplementary declaration.
You have a right to immediate erasure of your personal data under certain circumstances, e.g. if your personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw your consent and there is no other legal basis for the processing, or if you have objected to the processing of your data for direct marketing purposes. The right does not exist to the extent the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the exercise of a public power vested in us, or for the establishment, exercise or defence of legal claims. Your right to erasure may be limited in individual cases by national law (Section 35 BDSG).
You may request the restriction of processing if you contest the accuracy of the personal data for the duration of the verification of the accuracy by us, if the processing is unlawful but you object to the erasure of your personal data, if we no longer need your personal data but you need the data to establish, exercise or defend legal claims, or if you have objected to the processing.
You have the right to data portability, i.e. the right to receive and transmit the personal data you have provided to us in a structured, commonly used and machine-readable format, if we process your personal data on the basis of your consent or a contract and the processing is carried out by automated means.
Insofar as our processing of your personal data is based on consent (Art. 6 para. 1 sentence 1 lit. a GDPR), you may revoke this consent at any time; the legality of the data processing carried out on the basis of the consent until revocation remains unaffected.
Right to object (Art. 21. GDPR)
Insofar as we process your personal data on the basis of a legitimate interest, you further have the right to object on grounds relating to your particular situation; this also applies to profiling based on a legitimate interest. Insofar as we process your personal data for direct marketing purposes, you may object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
Notwithstanding the above, you have the right to lodge a complaint with a supervisory authority - in particular in the EU member state of your residence, place of work or place of the alleged violation - if you believe that the processing of the personal data you provided violates the GDPR or other applicable data protection laws (Art. 77 GDPR, § 19 BDSG).