Privacy Policy

Effecto Group S.p.A. Privacy Policy

The following information provides a simple overview of what happens to your personal data when you visit our website or deal with our company. Personal data includes all data that can be used to identify you personally.

Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation and other national data privacy laws of the Member States and all other data protection regulations is:

Effecto Group S.p.A.

Via Francesco Melzi d’Eril, 7
20154 Milano (MI), Italy
E-mail: info@effectogroup.com
Website: https://www.effecto.com/

Main establishment:

Via Roma, 141/143
28017 San Maurizio d’Opaglio (NO)
Phone: +39 0322 96142
Fax: +39 0322 967453

I.   General Information about Data Processing

How do we collect your data?

One of the methods with which your data is collected is when you share it with us. For example, this data can include details that you enter in a contact form, the data on a business card that you give to us or data that is saved in the cloud.

Other data is automatically collected by our IT systems when you visit our website. This is primarily technical data (e.g., your internet browser, operating system, or the time that you viewed the page). This data is collected automatically as soon as you view our website.

For what purpose do we use your data?

Some of the data is collected to ensure that our website can be viewed without errors. Other data may be used to analyze your usage behavior or to provide cloud-based services.

What rights do you have with regard to your data?

You have the right at any time to receive, at no extra cost, information about the origin, recipient, and purpose of your stored personal data. You also have a right to have this data rectified, blocked, or erased. You can contact us at any time at any time using the address specified above and in the legal notice to request this and to discuss any further questions you may have about data protection. You also have a right to complain to the competent supervisory authority.

1. Scope of Personal Data Processing

We process personal data belonging to our users only as far as this is necessary to provide a functional website and to deliver our content and services. The personal data of our users is regularly processed only after receiving the user’s consent. An exception applies to cases in which obtaining prior consent is not possible for legitimate reasons and when processing of this data is permitted by law.

2. Legal Basis for Processing Personal Data

Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) applies as the legal basis for processing personal data when we obtain the consent of the data subject to collect personal data for processing.

When processing personal data that is required to fulfill a contract in which the contracting party is the data subject, Article 6(1)(b) of the GDPR applies as the legal basis. This also applies to processing operations necessary to implement pre-contractual measures.

When we process personal data to fulfill a legal obligation to which our company is subject, Article 6(1)(c) of the GDPR applies as the legal basis.

Article 6(1)(f) of the GDPR applies as the legal basis for processing data when this is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not override this legitimate interest.

3. Deleting Data and Storage Duration

The personal data of the data subject is deleted or blocked as soon as the purpose for storing the data has been fulfilled. In addition, data may be stored if data storage has been allowed by European or national legislators in Union regulations, laws, or other provisions to which the controller is subject. Data may also be blocked or deleted even if a storage period prescribed by the aforementioned standards expires unless a there is a need for continued storage of the data to allow the conclusion of a contract or fulfillment of a contract.

4. Processing Personal Data Belonging to Customers

If you are one of our customers, we regularly process the below personal data belonging to our natural point of contact. This data is processed by us exclusively for business purposes:

(1)   Name
(2)   First name
(3)   Company address
(4)   Billing address
(5)   Delivery address
(6)   Telephone number
(7)   Fax number
(8)   Cell phone number (optional)
(9)   Email address
(10)  Business bank details (only in the event of refund)

All of this data is necessary for us to contact you and to correctly process quotations and orders. Article 6(1)(b) of the GDPR forms the legal basis for these activities.

The data transferred to third parties relates only to documents such as invoices and, where relevant, delivery notes that are transferred for processing to the Italian Tax Office via our tax advisor. These documents generally contain no personal data aside from the name of the company (in the case of sole proprietorships). However, it is possible that the first and last names of contact partners or company owners are contained within these documents.

The data is not transferred to third countries.

This master data is stored in our IT systems for as long as the business relationship exists and there is a legitimate legal reason for storing the data. Customer data is deleted in accordance with the storage period that applies to the specific use of the data. If a data subject requests for their data to be erased or blocked, their data is blocked immediately and then erased once the legal storage period expires. If there is no reason for storage of the data to continue, the data will be erased.

5. Processing of Personal Data Belonging to Suppliers

If you are one of our suppliers, we regularly process the below personal data belonging to our natural point of contact. This data is processed by us exclusively for business purposes:

(1)     Name
(2)     First name
(3)     Company address
(4)     Billing address
(5)     Delivery address
(6)     Telephone number
(7)     Fax number
(8)     Cell phone number (optional)
(9)     Email address
(10)    Business bank details

All of this data is necessary for us to contact you and to correctly process quotations and orders. Article 6(1)(b) of the GDPR forms the legal basis for these activities.

The data transferred to third parties relates only to documents such as invoices and, where relevant, delivery notes that are transferred for processing to the Italian Tax Office via our tax advisor. These documents generally contain no personal data aside from the name of the company (in the case of sole proprietorships). However, it is possible that the first and last names of contact partners or company owners are contained within these documents.

The data is not transferred to third countries.

This master data is stored in our IT systems for as long as the business relationship exists and there is a legitimate legal reason for storing the data. Supplier data is deleted in accordance with the storage period that applies to the specific use of the data. If a data subject requests for their data to be erased or blocked, their data is blocked immediately and then erased once the legal storage period expires. If there is no reason for storage of the data to continue, the data will be erased.

 

II.   Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Every time you visit our website, our system automatically collects data and information from the system on the computer accessing the website.

The following data is collected:

(1)   Information about the browser type, the version in use, the language in use
(2)   Information about the device type and the resolution in use
(3)   The user’s operating system
(4)   The user’s internet service provider
(5)   The user’s IP address
(6)   The user’s location
(7)   The date, time, and duration of access
(8)   The page views during the access period
(9)   Websites from which the user’s system accessed our website
(10)  Websites accessed by the user’s system via our website

The data is also stored in the log files in our system. This data is not stored alongside other personal data belonging to the user.

2. Legal Basis for Data Processing

Article 6(1)(f) forms the legal basis for temporarily storing data and log files.

3. Purpose of Data Processing

Temporary storage of the user’s IP address by the system is necessary to allow the website to be delivered to the user’s computer. For this purpose, the IP address of the user must be stored for the duration of the session.

The data is stored in log files to guarantee the functionality of the website. In addition, the data helps us to optimize the website and to guarantee the security of our information systems. Analysis of the data for marketing purposes does not take place in this scenario.

For these purposes, our legitimate interest in processing the data is also based on Article 6(1)(f) of the GDPR.

4. Duration of Storage

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. In the case of data being collected in order to provide the website, this is the case when the respective session is finished.

Storage beyond this point is possible. In this case, the user’s IP addresses are deleted or pseudonymized so that it is no longer possible to use them to identify the accessing client.

5. Right to Object and to Rectification

Collecting data for the purpose of providing the website and storing this data in log files is mandatory for operating our website. For this reason, the user has no right to object.

III.   Use of cookies

1. Description and Scope of Data Processing

Our website uses cookies. We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you have provided to them or that they have collected from your use of their services. You consent to our cookies if you continue to use our website.

Cookies are small text files that can be used by websites to make a user’s experience more efficient.

The GPDR states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

Our website uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

For the optimal transparency and control over all the cookies and similar tracking on our website we use the Cookiebot consent management platform (CMP).

You can at any time change or withdraw your consent from the Cookie Declaration on our website: See https://effecto.com/cookies-policy/?lang=en

More information about the analysis tools that we use is provided in the following explanations and links:

Google Analytics:

This website uses Google Analytics, a web analysis service provided by Google, Inc. (“Google”). Google Analytics uses “cookies” — text files that are stored on your computer and enable the analysis of website usage. The information produced by the cookie about your use of this website is usually sent to a Google server in the USA and stored there. However, if IP anonymization is activated on this website, your IP address will first be shortened by Google within member states of the European Union or other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to analyze your use of the website, compile reports about website activities and provide the site operator with other services relating to website and internet use. The IP address sent by your browser as part of Google Analytics will not be merged with other Google data. You may prevent cookies from being stored on your computer by selecting the relevant setting in your browser software; however, we would like to point out that in this case some parts of this website may lose full functionality. You can also prevent Google from collecting and processing the data generated by the cookie and relating to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Google Tag Manager, Google Font, Google Drive, Google Maps, Google DoubleClick

This website uses Google Tag Manager, Google Font and Google Drive.

Google declares that they may collect information such as how the Service is used, and how and what tags are deployed. They may use this data to improve, maintain, protect and develop the Service as described in Google’s privacy policy, but they will not share this data with any other Google product without our consent.

More information and the data protection provisions applicable at Google can be found at: https://policies.google.com/privacy

Font Awesome

This website uses Font Awesome.

Font Awesome collects data about use of its content delivery networks.
Content delivery networks are worldwide networks of computer servers that make sure everyone online can download files quickly from servers near to them. Font Awesome uses content delivery networks to serve files for its free and Pro icons. Many websites using Font Awesome icons have visitors download the icons from Font Awesome’s content delivery networks.
When you visit a website that uses a Font Awesome content delivery network to load icons, Font Awesome collects data about what icon files you download and when.

More information and the data protection provisions applicable at Font Awesome can be found at: https://fontawesome.com/privacy

WP Statistics

WP Statistics is compliant with GDPR.

WP Statistics does not collect, store, or send any personal data of our site’s visitors.

WP Statistics does not store any cookies on your browsers.

The IP address of the visitor is anonymized by masking the last digits of the IP addresses.

https://wp-statistics.com/2018/08/16/wp-statistics-gdpr/?utm_source=WordPress&utm_medium=link&utm_campaign=ProductIntroduction

2. Legal Basis for Data Processing

Article 6(1)(f) of the GDPR forms the legal basis for processing personal data using cookies.

Article 6(1)(a) of the GDPR is the legal basis for processing personal data using cookies for analysis purposes when the user has provided their consent.

3. Purpose of Data Processing

The purpose of using technically necessary cookies is to make it simpler for users to navigate websites. Some features of our website cannot be offered without the use of cookies. In these cases, it is also necessary for the browser to be identified again after the user has moved on to a different page.

We need cookies for the following applications:

(1)     Transferring language settings
(2)     Recording search terms
(3)     Product comparisons
(4)     Website navigation
(5)     Tracking tools — for optimizing ease of use
(6)     Guaranteeing the technical functionality of the website

The user data obtained by technically necessary cookies is not used to create user profiles.

Analysis cookies are used for the purpose of improving the quality of our website and its content. Using analysis cookies, we find out how the website is used and can therefore continuously optimize our offering.

For these purposes, our legitimate interest in processing personal data is also based on Article 6(1)(f) of the GDPR.

4. Duration of Storage and the Right to Object and to Rectification

Cookies are stored on the user’s computer and transmitted from here to our website. As a result, you therefore also have full control over the use of cookies as a user. Changing the settings in your internet browser allows you to disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. It is also possible to automate this process. If cookies are disabled for our website, it may no longer be possible to use all functions of the website in full.

 

IV.   Social media

1. Description and scope of data processing

As a company, we operate business profiles on various social media platforms. As result of operating these profiles, statistical data is collected by the platform operators and made available to us in the form of an evaluation. Our company’s own usage profiles also give us access to various types of personal data relating to users who visit our social media pages. We do not store this data.
This data can be:

(1)     Username; last name, first name
(2)     Job title
(3)     Employer, sector
(4)     Profile picture

In accordance with Art. 26 GDPR, we – as the operator of the profile – and the operators of the social media platforms are both considered to be the data controller since we decide on the purpose of data processing together.
Your personal data is also processed by the operators of these social media platforms. The scope of these processing activities depends on the respective general terms and conditions of the social media platform as well as their respective data protection regulations. As a company, we have only limited influence on these data processing activities.
If you do not wish to use a social media platform, you can also contact us via our website.
If you would like to know more, please use the links below to obtain more information about data processing conducted by social media platforms.

• Twitter: https://twitter.com/en/privacy
• Instagram: https://help.instagram.com/519522125107875
• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• YouTube: https://policies.google.com/privacy

2. Legal basis for data processing

Data processing is based on our company’s overriding legitimate interest in line with Article 6(1)(f) GDPR.

3. Purpose

We use social media platforms to inform online users about our company and the products we offer. The platforms provide us with the opportunity to understand what impression you as a customer or interested party have of our market presence, which allows us to continuously improve our company and our products.
Furthermore, these platforms give you a quick way to easily ask us questions and receive an immediate response.

 

V.   Newsletter

1. Description and Scope of Data Processing

There is an option to subscribe to a free newsletter on our website. When you register for the newsletter, the data from the input screen is sent to us. This data includes:

(1)     First name
(2)     Last name
(3)     Email address
(4)     Company

The following data is also collected during registration:

(1)     IP address of the accessing computer
(2)     Date and time of registration
(3)     Country
(4)     Language

As part of the registration process, your consent to your data being processed is obtained and you are referred to this Privacy Policy.

The data is transferred to Mailchimp platform when data is processed for the purpose of sending newsletters. The data is used solely for sending the newsletter.

More information and the data protection provisions applicable at Mailchimp can be found at

See https://mailchimp.com/legal/privacy/

2. Legal Basis for Data Processing

Article 6(1)(a) of the GDPR forms the legal basis for processing data following registration for a newsletter when the user has provided their consent.

3. Purpose of Data Processing

The purpose of collecting the user’s email address is to deliver the newsletter.

The purpose of collecting other personal data during the registration process is to prevent misuse of the service or of the email address in use.

4. Duration of Storage

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected unless we are authorized or obligated to retain the data due to any other legal obligation (e.g., existing supply relationships). The user’s email address is accordingly stored for as long as the subscription to the newsletter is active.

The other personal data collected during the registration process is deleted along with the email address.

5. Right to Object and to Rectification

The subscription to the newsletter can be canceled by the relevant user at any time. A corresponding link is available in each newsletter for this purpose.

This link also allows the user to withdraw his/her consent to the storage of the personal data collected during the registration process.

 

VI.   Contact Forms, Contact via Email, Product Registration and Product Returns

1. Description and Scope of Data Processing

Forms for contacting us electronically are provided on our website. If a user makes use of these forms, the data entered in the input screen is sent to us and stored. This data may include:

(1)     First name
(2)     Last name
(3)     Company
(4)     Country
(5)     City
(6)     Postal code
(7)     Address
(8)     Telephone number
(9)     E-mail address
(10)    Company website
(11)    Business area
(12)    Company sector
(13)    Number of employees
(14)    Company role
(15)    Username

When the message is submitted, the following data is also stored:

(1)   Date and time of registration

As part of the submission process, your consent to your data being processed is obtained and you are referred to this Privacy Policy.

As an alternative, users can contact us via the email address provided. In this case, the user’s personal data transmitted with the email is stored.

No data is transferred to third parties in this scenario. The data is used exclusively for processing the conversation.

2. Legal Basis for Data Processing

Article 6(1)(a) of the GDPR forms the legal basis for processing data when the user has provided their consent.

Article 6(1)(f) of the GDPR forms the legal basis for processing data transmitted when an email is sent. Article 6(1)(b) of the GDPR forms the legal basis for processing if the purpose of contact via email is to conclude a contract.

3. Purpose of Data Processing

We process personal data from the input screen solely for the purpose of processing your query. A legitimate interest is also required to process data from contact via email.

The other personal data processed when an email is sent is used to prevent forms being misused and to guarantee the security of our information systems.

4. Duration of Storage

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. For the personal data from the input screens of the forms and the data sent via email, this happens when the respective conversation with the user is finished. The conversation is considered finished when the circumstances make it clear that the relevant issue has been resolved in full.

5. Right to Object and to Rectification

The user has the option to withdraw his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she can object to the storage of his/her personal data at any time. In this scenario, the conversation cannot be continued.

All personal data stored during the conversation will therefore be deleted.

 

VII.   Contact via Providing Business Cards

1. Description and Scope of Data Processing

There is the possibility of establishing contact by providing us with a business card. The data contained on the card will be processed by us. The following data is processed:

(1)     First name
(2)     Last name
(3)     Company
(4)     Company website
(5)     Address
(6)     Country
(7)     Telephone number
(8)     Mobile number
(9)     Email address
(10)    Company email address
(11)    Social media profile

Contact will be made using the data provided.

If the business card is provided to us in a country other than the home country of the customer or interested party, the data is also passed on to the respective Effecto Group subsidiary and is processed in the country where the customer or interested party is based.

2. Legal Basis for Data Processing

Article 6(1)(f) of the GDPR forms the legal basis for processing data when we are provided with business cards by customers or interested parties.

3. Purpose of Data Processing

Data is collected from customers or interested parties for the purpose of establishing contact.

4. Duration of Storage

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected unless we are authorized or obligated to retain the data due to any other legal obligation (e.g., existing supply relationships).

 

VIII. Visiting or working in our premises

1. Description and Scope of Data Processing

This notice is for all contractors and visitors who work and visit our premises. It explains the purposes for which we hold information about you (your personal data).

1.1. Access Control System – If you are issued with an ID card, we will collect the following information:

–  Contractors – Company name, your name and address, contact telephone number, and in certain circumstances a passport size photograph and security notes (special instructions and access restrictions) and times swiped in and out of the building.

–  Visitors – Name, Company name and address, contact telephone number and in certain circumstances a passport size photograph and security notes (special instructions and access restrictions) and times swiped in and out of the building.

The collected data will be used for recording and controlling access into the premises and security.

1.2. CCTV – Will take images of people around the premises

Closed Circuit Television (CCTV) is installed at strategic locations to provide a safe and secure learning environment in all buildings as a part of the company’s commitment to community safety, security and crime prevention.

1.3. Visitors Register

We maintain a register of visitors which includes visitors, contractors, and external hire participants. For this register we will collect and keep your personal data such as names, company details, and reason of the visit. This information is collected for health and safety and security purposes.

We will collect and retain your personal data when you visit our premises in the following ways:

– Visitors registers at various entrance receptions

– External Contractors register

– External Hire register

1.4.  Accidents and Incidents Reporting

Our company will collect personal data from the injured party or person suffering from ill health, such as, Name, Address, and details of the incident. The data is collected as the company has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority.

Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents re-occurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken but on an anonymized basis. The information is also retained in the event of any claims for damages.

2. Legal Basis for Data Processing

Article 6(1)(f) of the GDPR applies as the legal basis for processing data when this is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not override this legitimate interest.

Article 6(1)(c) of the GDPR forms the legal basis for processing data of our visitor or subcontractors in case of accidents or incidents for a legal obligation to which we are subject

The legal basis for processing is as set out below:

AREA	LEGAL BASIS	FURTHER INFORMATION
Access	Control Legitimate interests	It is in the Company’s legitimate interests to ensure that there is a safe environment for work, study and the community accessing facilities
CCTV	Legitimate interests	It is in the Company’s legitimate interests to ensure that there is a safe environment for work, study and the community accessing facilities
Visitors register	Legitimate interests	It is in the Company’s legitimate interests to ensure that there is a safe environment for work, study and the community accessing facilities
Accidents and incidents reporting	Legal requirement	This is a requirement under our Health and Safety obligations

3. Purpose of Data Processing

See 1 and 2.

4. Duration of Storage

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected unless we are authorized or obligated to retain the data due to any other legal obligation (e.g., existing supply relationships).

5. Right to Object and to Rectification

Under the GDPR you have a right to request a copy of your personal data held by our company. Our company is required to fulfil this request within 20 working days.

You also have the right to:

• withdraw consent where that is the legal basis of our processing;
• rectify inaccuracies in personal data that we hold about you;
• request to remove some personal data we hold about you restrict the processing in certain ways;
• object to certain processing of your personal data by us.

 

IX.  Rights of the Data Subject

If your personal data is processed, you are the data subject as defined by the GDPR. The GDPR grants you the following rights in relation to the controller:

1. Right of Access by the Data Subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed,

and, where that is the case, access to the personal data and the following information:

(1)   the purpose of the processing;

(2)   the categories of personal data concerned;

(3)   the recipients or categories of recipient to whom the personal data have been or will be disclosed;

(4)   where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(5)   the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(6)   the right to lodge a complaint with a supervisory authority;

(7)   where the personal data are not collected from the data subject, any available information as to their source;

(8)   the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The data subject shall have the right to request information about whether the personal data is being transferred to a third country or to an international organization. Where personal data is transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

2. Right to Rectification

Article 6(1)(a) of the GDPR forms the legal basis for processing data of our visitors and contractors. Article 6(1)(b) of the GDPR forms the legal basis for processing if the purpose of the visit is to conclude a contract.

3. Right to Restriction of Processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(1)   the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(2)   the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(3)   the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise, or defense of legal claims

(4)   the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to the above shall be informed by the controller before the restriction of processing is lifted.

4. Right to Erasure

1. a) Obligation to Erase

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(1)   the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(2)   the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there are no other legal grounds for the processing;

(3)   the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(4)   the personal data has been unlawfully processed;

(5)   the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(6)   the personal data has been collected in relation to the offer of information society services referred to in Article 8(1).

1. b) Information to Third Parties

Where the controller has made the personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

1. c) Exceptions

The right to erasure shall not apply to the extent that processing is necessary:

(1)     for exercising the right of freedom of expression and information;

(2)     for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3)     for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(4)     for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5)     for the establishment, exercise, or defense of legal claims.

5. Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.

The controller shall inform the data subject about those recipients if the data subject requests it.

6. Right to Data Portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:

(1)   the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(2)   the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

8. Right to Withdraw Consent to the Data Protection Declaration

The data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

9. Automated Individual Decision-Making, Including Profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision:

(1)   is necessary for entering into, or performance of, a contract between the data subject and a controller;

(2)   is authorized by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(3)   is based on the data subject’s explicit consent.

These decisions shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.