Privacy Policy

§1 General Information

  1. Card-Arena GmbH (operator and controller) operates an Internet marketplace for non-playable sports and trading cards and accessories at www.card-arena.com (Card-Arena). Visiting this site, registering and using it triggers a number of data processing operations. Below we provide users with an overview of which of your personal data is collected, used and stored by us.
  2. This Privacy Policy applies to the use of Card-Arena and all applications, services (including payment services), tools and services. This Privacy Policy applies regardless of how users access or use our services, including access via mobile devices and apps.
  3. Personal data is data that can be attributed to a specific person (e.g. name, age, address, photos, email addresses, possibly also IP addresses). We also inform you about your rights with regard to the processing of your personal data. You are not obliged to provide us with your personal data. However, this may be necessary for individual functionalities of our website and services. These functionalities will not be available to you, or only to a limited extent, if you do not provide us with your personal data.
  4. The user's personal data will not be passed on. The only exceptions to this are our service partners, which we need to process the contractual relationship (e.g. providers of payment systems such as PayPal), as well as disclosure within the scope of legal and/or official obligations (e.g. to the tax office). In these cases, both the provisions of the Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR) are observed.
  5. The protection of personal user data is very important to us, which is why we use secure transmission technologies on Card-Arena as far as possible, such as TLS encryption. However, despite all precautions, data transmission on the Internet, especially when communicating by e-mail, can always have security gaps. Complete protection of data against access by third parties is unfortunately not possible.
  6. Users have the right to free information, correction, deletion or blocking of the stored data at any time, as far as it concerns personal data.

§2 Responsible Entity

The controller within the meaning of the GDPR and the BDSG is

Card-Arena GmbH
Managing director authorized to represent the company: Valentino Sole
Card Arena
Bischof-Ketteler-Straße 42
63165 Mühlheim am Main

Phone: +49 151 578 063 30
E-Mail: info@card-arena.com

Register court:
Local court Offenbach am Main
Register number:
HRB 56876

Sales tax identification number according to § 27a UStG:
not yet assigned

§3 General Information on the collection of personal data

Personal data is only processed to the extent necessary to provide a functional Internet marketplace, including its content and services. In principle, processing only takes place with the consent of the data subject. Exceptionally, processing is carried out without the consent of the data subject if this is not possible for factual reasons and the processing of the data is permitted by legal regulations.

§4 What personal user data does Card-Arena collect from users and for what purposes?

  1. we collect personal information when users contact us or in order to contact users when users provide us with information via a web form, to provide services and to continuously improve them. The following categories of personal information are collected:
    1. Information you give us. We collect and store all information that you provide to us in connection with the registration and use of Card-Arena. You may choose not to provide us with certain information, but this may result in you not being able to use some of our services.
    2. Automatic information. When you use Card-Arena, we automatically collect and store certain information, including your interaction with content and services available through Card-Arena. Among other things, like many other websites, we use so-called 'cookies' and other unique identifiers and receive certain information as soon as your web browser or device accesses Card-Arena and our content.
  2. we process personal user information in order to properly fulfill the user contract when users use Card-Arena's services, register, open a new account, add or update information to their account and make reviews. This includes
    1. Processing transactions. We use personal data for purchase, sale, payment and shipping as well as to communicate with users about sales, articles, services and promotional offers on and from Card-Arena
    2. Providing, troubleshooting and improving our services. We use personal information as part of performance analysis and to improve the user-friendliness of Card-Arena.
    3. Fraud prevention and credit risk. We use personal information to prevent and detect fraud and abuse and to protect the security of users and third parties. We may also use scoring procedures to assess and manage credit risks.
    4. Compliance with legal obligations. In certain cases, we collect and use your personal information to comply with our legal obligations (e.g. we collect information from sellers regarding the location of their registered office and their bank account information for identity verification purposes).
    5. Purposes for which we obtain your consent. We may ask for your consent to process your personal information for a specific purpose, which we will communicate to you. If you consent to the processing of your personal information for a specific purpose, you may freely withdraw your consent at any time and we will stop processing your information for that purpose.

§5 Concrete information collected

  1. when Card-Arena is called up, the system automatically collects the following data and information from the operating system of the calling terminal device:
    1. IP address
    2. Date and time of the request
    3. Time zone difference to Greenwich Mean Time (GMT)
    4. Content of the website
    5. Access status (HTTP status)
    6. Amount of data transferred
    7. Web browser
    8. Language and version of the browser
    9. Operating system
    10. Website from which you accessed the website
    The data is stored in the log files of the system. This data is not stored together with other personal data of the user. The legal basis for this is Art. 6 para. 1 lit. f GDPR. The data is deleted when the respective session has ended. The collection of the data and the storage of the data in log files is absolutely necessary for the provision of Card-Arena. Consequently, there is no possibility of objection.
  2. Card-Arena offers users the opportunity to register / log in by providing personal data. The data is entered into an input mask, transmitted and stored. The data is not passed on to third parties. The following data is collected as part of the registration process:
    1. First name and surname
    2. Residential address (street, house number, zip code, street, country)
    3. E-mail address
    4. Date of birth
    5. Date and time of registration
    In the case of commercial users, the company name, VAT ID and telephone number are also requested and, if necessary, a tax certificate is requested in accordance with Section 22 f (1) sentence 2 UStG. As part of the registration process, the user's consent to the processing of this data is obtained with reference to the privacy policy. The legal basis for this is Art. 6 para. 1 lit. a GDPR if the user has given consent. If the registration serves the fulfillment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR. Insofar as we are obliged to process data from commercial users and private sellers, the legal basis is Art. 6 para. 1 c). User registration is required to set up a user account. This serves to identify the user and fulfill the user contract. The information provided by commercial users or private sellers is collected to fulfill our legal obligations to the tax authorities. The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is the case during the registration process for the fulfillment of a contract or for the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to fulfill contractual or legal obligations. Data subjects have the option of changing user data in their user profile at www.card-arena.com/account at any time. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.
  3. Inventory and contract data are processed for the use of Card-Arena:
    1. Contact data of users (e.g. name and address),
    2. user name and user ID
    3. Services used, names of contact persons, payment information
    4. IP address, URLs accessed and time of the respective user action
    This data is stored in the log files of our system. In addition, third-party data entered by the user is processed. The purpose of the processing is the fulfillment of the user contract to which the user is a party, or the implementation of pre-contractual measures, as well as billing purposes. In addition, the processing is carried out to improve our services (analysis, optimization and improvement of the online offer and the user experience within the meaning of Art. 6 para. 1 lit. f. GDPR), as well as to determine access authorization. The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent. Consent is obtained when the contract is concluded. An additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for the data collected during the registration process to fulfill the contract or to carry out pre-contractual measures if the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations (in particular retention periods under tax law). If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion. In particular, the notice periods for existing contracts remain unaffected by this.
  4. If users are redirected to the offer of a payment service provider (e.g. PayPal) as part of the processing of a payment, the data entered by the user will be processed directly by the payment service provider. The privacy policy of the respective payment service provider then applies.
    1. PayPal. This is a service provided by PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. As part of the payment process, you will be forwarded directly to the PayPal user interface where the payment is processed. The data you enter there will not be collected, processed or stored by us. In this respect, only PayPal's data protection guidelines apply, which you can access at https://www.paypal.com/webapps/mpp/ua/privacy-full, as well as any other data protection declarations specified there.
    2. Credit card. If you pay by credit card, the technical processing is carried out with the involvement of your account-holding bank and depends on the type of card you use. In any case, payment transactions are accepted and settled in accordance with the German Payment Services Supervision Act (ZAG) or the German Banking Act (KWG). Information on data protection can be found at the card-operating bank responsible for you.
    The legal basis for the processing of data during payment by the user is Art. 6 para. 1 lit. a GDPR if the user has given consent. In addition, Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data, insofar as these are used to fulfill a contract. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data used for payment, this is the case when the respective contractual relationship with the data subject has ended. As a rule, the contractual relationship is terminated upon completion, termination or when any warranty rights have expired. Affected users have the option of withdrawing their consent to the processing of personal data at any time. The obligation to fulfill contracts remains unaffected by this.
  5. Card-Arena offers the possibility to rate transactions. When using this function, the data entered in the input mask is transmitted to us and stored there. These data are
    1. Name (voluntary), user name
    2. e-mail address
    3. Content of the transaction
    4. IP address
    5. Date and time
    Insofar as the evaluation is published on the website, this is done exclusively in anonymized form. Otherwise, the data will not be passed on to third parties. The data is used exclusively for processing the rating. The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent. Otherwise, the legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR. The processing of personal data from the input screen of the evaluation function serves solely to evaluate the transaction. Our legitimate interest in processing lies in providing other users with useful information about articles and users. The other personal data processed during the submission process is used to prevent misuse of the rating function and to ensure the security of the information technology systems. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the evaluation form, this is the case when the transaction has been fully completed and evaluated. The additional personal data collected during the sending process is automatically deleted after a period of seven days at the latest. The data subject has the option of withdrawing their consent to the processing of personal data at any time. Although the storage of personal data can be revoked at any time, the transaction cannot be evaluated in such a case. All personal data stored in the course of the evaluation will be deleted in this case.
  6. Card-Arena uses contact forms which can be used for electronic contact. When an e-mail is sent or used, the data entered in the input mask is transmitted to us and stored there. These data are
    1. e-mail address
    2. Content of the contact
    3. IP address
    4. Date and time
    5. We reserve the right to transfer personal user information, particularly the email address, to the third-party provider Brevo, in order to conduct our email marketing through their platform. Brevo acts solely as a service provider for sending informational and promotional communications initiated by us. Further details about our collaboration with Brevo can be found in §11
    No data is passed on to third parties in this context. The data is used exclusively for processing the conversation. To process inquiries via the contact form, we work with the XY software, a service of XY Inc. 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA. The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent. The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 para. 1 lit. f GDPR. If the contact is aimed at the conclusion or fulfillment of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. The processing of personal data from the input screen or the email is solely for the purpose of processing the contact. If you contact us by email, this also constitutes the necessary legitimate interest in processing the data. The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of the information technology systems. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input screen of the contact form and those sent by email, this is the case when the respective conversation with the data subject has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest. We have concluded a 'Data Processing Agreement' with XY. This is a contract in which XY undertakes to protect the data of our users and to process the data exclusively in accordance with the data protection regulations on our behalf and in accordance with our instructions. It contains the so-called standard contractual clauses as provided for by the GDPR. Further information can be found at https://www.freshworks.com/privacy/. The data subject has the option to withdraw their consent to the processing of personal data at any time. When contacting us by email, the storage of personal data can be objected to at any time. In such a case, however, the conversation cannot be continued. All personal data stored in the course of making contact will be deleted in this case.

§6 Cookies

  1. Card-Arena uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. Cookies cannot transfer viruses to the end device or execute programs themselves. Cookies are used to make a website more user-friendly. Some elements of the website require that the accessing browser can be identified even after a page change.
  2. If cookies are not technically necessary, they are only loaded with the user's consent. For this purpose, we use a plugin that does not collect any personal data itself. The information about the existence of consent is in turn stored in a cookie. However, no personal data is collected in this process.
  3. Transient cookies are automatically deleted when the session is closed. These include session cookies, which store the so-called session ID, which can be used to assign various requests from the web browser to the shared session. This makes it possible to recognize the end device during a new session.
  4. Persistent cookies are automatically deleted after a specified storage period, which may vary depending on the cookie. The corresponding settings can be deleted at any time in the web browser settings.
  5. The following data is stored in the cookies:
    1. Log-in information
    2. Language settings
    3. search terms entered
    4. Number of visits to the website
    5. Use of individual functions of the website
  6. The legal basis for the use of technically necessary cookies is Art. 6 para. 1 lit. f GDPR. The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of the website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change. The user data collected by technically necessary cookies is not used to create user profiles.
  7. the legal basis for the use of technically unnecessary cookies is Art. 6 para. 1 lit. a GDPR if the user has given his consent for the respective cookie. The purpose of using technically unnecessary cookies is to analyze the use of the website and to be able to continuously improve individual functions and offers as well as the user experience. By statistically evaluating user behavior, the offer can be improved and made more interesting for the user. Further details can be found in the respective sections of this privacy policy.
  8. cookies are stored on the user's computer and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies independently of the opt-in banner. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

§7 Google Analytics

  1. Card-Arena uses Google Analytics, a web analysis service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as: 'Google'). Google uses cookies, i.e. small text files that are stored on the end device and enable the use of the website to be analyzed. The information generated by the cookie about the use of the website is usually transferred to a Google server in the USA and stored there. If anonymization of the IP address to be transmitted by the cookie is activated on the website by the extension '_anonymizeIp()' (hereinafter referred to as: 'IP anonymization'), the IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information for the purpose of evaluating the use of the website on behalf of the controller, compiling reports on website activity and providing other services relating to website activity and internet usage. Pseudonymous user profiles can be created from the processed data. The IP address transmitted when using Google Analytics will not be merged with other Google data.
  2. Card-Arena only uses Google Analytics with the previously described activated IP anonymization. This means that your IP address is only processed by Google in abbreviated form. This makes it impossible to identify you personally.
  3. Google Analytics is only activated with your consent via our cookie banner. The legal basis for processing is therefore the consent of the user within the meaning of Art. 6 para. 1 lit. a. GDPR. The purpose of Google Analytics is to analyze the use of the website and to continuously improve individual functions and services as well as the user experience. By statistically evaluating user behavior, services can be improved and made more interesting for the user. This also constitutes the legitimate interest in the processing of the above data by Google.
  4. Regardless of the opt-in banner, the storage of cookies generated by Google Analytics can be prevented by making the appropriate settings in the web browser. Please note that in this case you may not be able to use all functions of the website. If you wish to prevent the collection of data generated by the cookie and related to user behavior (including your IP address) and the processing of this data by Google, you can download and install the web browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout

  5. In order to oblige Google to process the transmitted data only in accordance with the instructions and to comply with the applicable data protection regulations, the controller has concluded an order processing contract with Google. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the Privacy Shield Agreement concluded between the European Union and the USA and has been certified. Google thereby undertakes to comply with the standards and regulations of European data protection law. Further information can be found in the following linked entry: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status =Active

    Information from the third-party provider: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Further information on the use of data by Google, on setting and objection options and on data protection can be found on the following Google websites:

    For visitors accessing our website from the People's Republic of China (PRC), it is possible that we use the services of Site Monitor from the provider Miaozhen Ltd, Beijing, PRC with servers in the PRC, instead of Google Analytics for the same purpose and with the same restrictions. To deactivate the services of Site Monitor, visit

§8 Google (invisible) reCAPTCHA

  1. card-arena uses 'Google reCAPTCHA', a test provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as: 'Google'). Google checks whether the data input on the website is made by a human or by an automated program. For this purpose, user behavior is analyzed on the basis of various characteristics. The analysis begins automatically as soon as the website is accessed. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on a website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.
  2. he legal basis for processing is Art. 6 para. 1 lit. f. GDPR. The purpose of using reCAPTCHA is our legitimate interest in protecting the website from abusive automated spying and SPAM.
  3. or more information about Google reCAPTCHA and Google's privacy policy, please see the following links: https://www.google.com/intl/de/policies/privacy/
    https://www.google.com/recaptcha/intro/android.html

§9 Cloudflare

  1. card-arena uses 'Google reCAPTCHA', a test provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as: 'Google'). Google checks whether the data input on the website is made by a human or by an automated program. For this purpose, user behavior is analyzed on the basis of various characteristics. The analysis begins automatically as soon as the website is accessed. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on a website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.
  2. The processing of the data specified in this section is neither legally nor contractually required. However, the functionality of the website is not guaranteed without the processing. The legal basis for processing is Art. 6 para. 1 lit. f. GDPR. Your personal data will be stored by Cloudflare for as long as is necessary for the purposes described.
  3. For further information on Cloudflare's data protection, your objection and removal options, please refer to the following link:: https://www.cloudflare.com/de-de/trust-hub/gdpr/

§10 Stripe

  1. Card-Arena offers the option of processing payment transactions via the payment service provider Stripe, ℅ Legal Process, 510 Townsend St., San Francisco, CA 94103 (Stripe). In this context, we pass on the following data to Stripe to the extent necessary for the fulfillment of the contract
    1. Name of the cardholder
    2. e-mail address
    3. customer number
    4. order number
    5. bank details
    6. Credit card details
    7. Credit card expiry date
    8. Credit card verification number (CVC)
    9. Date and time of the transaction
    10. Transaction amount
    11. Name of the provider
  2. Stripe assumes a dual role as controller and processor for data processing activities. As a controller, Stripe uses your submitted data to fulfill regulatory obligations. Stripe acts as a processor in order to complete transactions within the payment networks. Within the framework of the order processing relationship, Stripe acts exclusively in accordance with our instructions and has been contractually obliged to comply with data protection regulations within the meaning of Art. 28 GDPR.
  3. The processing of the data specified in this section is neither legally nor contractually required. However, we cannot process a payment via Stripe without the transmission of your personal data. You have the option of choosing a different payment method. The legal basis for the processing of your personal data is Stripe's legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR and our interest in the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR.
  4. Your data will be stored by us until the completion of payment processing. This also includes the period required for the processing of refunds, receivables management and fraud prevention. [In accordance with [§ 147 AO / § 257 HGB], we have a statutory retention period of [X] years for the following documents.
  5. Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). Further information on Stripe's data protection, as well as your objection and removal options vis-à-vis Stripe, can be found at https://support.stripe.com/questions/privacy-and-security-of-personal-information-submitted-to-stripe

§11 Use of Brevo as Email Marketing Service Provider

We use the services of Sendinblue GmbH, operating under the brand Brevo, for our email marketing. Brevo enables us to send informational and promotional communications to our users. For this purpose, we transfer personal user information, particularly email addresses, to Brevo. This data is used solely for conducting email campaigns initiated by us.

Brevo acts as a data processor on our behalf in compliance with legal data protection regulations and processes the data only according to our instructions. Sendinblue GmbH is based in Germany and is subject to the strict requirements of the EU General Data Protection Regulation (GDPR).

For more information on Brevo's privacy practices, please refer to their privacy policy at: https://www.brevo.com/legal/privacypolicy/

Brevo's Adddress:
Sendinblue GmbH
Köpenicker Straße 126
10179 Berlin
+49 (0)30 / 311 995 10
support@brevo.com

§12 Use of Brevo as Email Marketing Service Provider

We use the services of Sendinblue GmbH, operating under the brand Brevo, for our email marketing. Brevo enables us to send informational and promotional communications to our users. For this purpose, we transfer personal user information, particularly email addresses, to Brevo. This data is used solely for conducting email campaigns initiated by us.

§13 Your rights as a data subject affected by data processing

If your personal data is processed, you as a user are a 'data subject' within the meaning of the GDPR and - subject to possible restrictions under national law - you have the following rights vis-à-vis Card-Arena:

  1. Right to information
    The data subject may request confirmation from the controller as to whether personal data is being processed. If such processing is taking place, the data subject may request the following information from the controller:
    1. the purposes for which the personal data are processed;
    2. the categories of personal data being processed
    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed
    4. the envisaged period for which the personal data will be stored, or, if specific information on this is not possible, the criteria used to determine that period
    5. the existence of a right to rectification or erasure of personal data, a right to restriction of processing by the controller or a right to object to such processing
    6. the existence of the right to lodge a complaint with a supervisory authority
    7. any available information as to the source of the data if the personal data are not collected from the data subject
    8. the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
    The data subject has the right to request information as to whether personal data is transferred to a third country or to an international organization. In this context, the data subject may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
  2. Right to rectification
    There is a right to rectification and/or completion vis-à-vis the controller if the processed personal data is incorrect or incomplete. The controller must make the rectification without undue delay.
  3. Right to restriction of processing
    The restriction of the processing of personal data may be requested under the following conditions
    1. if you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data;
    2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
    3. the controller no longer needs the personal data for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; or
    4. if an objection to the processing pursuant to Art. 21 para. 1 GDPR has been lodged and it has not yet been established whether the legitimate reasons of the controller outweigh those of the data subject.
    Where processing of personal data has been restricted, such data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been restricted in accordance with the above conditions, the data subject shall be informed by the controller before the restriction of processing is lifted.
  4. Right to erasure
    You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    2. The consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR is withdrawn and there is no other legal basis for the processing.
    3. An objection is lodged against the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or an objection is lodged against the processing pursuant to Art. 21 para. 2 GDPR
    4. The personal data has been processed unlawfully
    5. The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
    6. The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

    Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

    The right to erasure does not apply if the processing is necessary

    1. for exercising the right of freedom of expression and information
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
    3. for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR
    4. or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    5. for the establishment, exercise or defense of legal claims.
  5. Right to information
    If the right to rectification, erasure or restriction of processing has been asserted against the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed of these recipients by the controller.
  6. Right to data portability
    You have the right to receive the personal data that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
    1. the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
    2. the processing is carried out by automated means.
    In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this. The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  7. Right to object
    The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where processing for direct marketing purposes has been objected to, the personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the right to object may be exercised by automated means using technical specifications.
  8. Right to revoke the declaration of consent under data protection law
    You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  9. Automated decision in individual cases including profiling
    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her. This does not apply if the decision
    1. is necessary for the conclusion or performance of a contract between the data subject and the controller
    2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
    3. with the express consent of the data subject.
    However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in (i) and (iii), the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  10. Right to lodge a complaint with a supervisory authority
    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of the data subject's habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

§14 End of the privacy policy

You can save and/or print the data protection declaration as a PDF here. To do this, you will need the appropriate software, e.g. Adobe Acrobat Reader. You can download the current version of this program free of charge from the Internet. If you only want to update your version of Adobe Acrobat Reader ('Update') or if you need a MacOS-compatible version, go to 'further download options' from Adobe.