Data protection declaration (GDPR)

of HF Data Datenverarbeitungsges.m.b.H

1. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data
protection laws of the member states as well as other data protection regulations is:

HF Data Datenverarbeitungsges.m.b.H
Schönbrunner Straße 231
1120 Wien
Österreich
Tel.: +43 / 1 / 981 16-0
E-Mail: office[at]hfdata.at
Website: www.firmenbuchgrundbuch.at


2. Name and address of the data protection officer

The data protection officer of the controller is:

Mag. Claudius Determann
Schönbrunner Straße 231
1120 Vienna
Austria
Tel.: +43 / 1 / 981 16-0
E-Mail: datenschutz[at]compass.at
To exercise your rights as a data subject, please write to datenschutz[at]compass.at


3. General information on data processing

As we provide our services as a clearing office for the Austrian Land Register [Grundbuch] and Business Register
[Firmenbuch] on behalf of the Federal Ministry of Justice, enquiries relating to data protection law concerning the
core of our activities are forwarded to the Federal Ministry of Justice pursuant to Article 28 GDPR. We as the
processor are not authorised to take action ourselves.

3.1 Extent of processing personal data

As a matter of principle, we collect and use our users' personal data only to the extent that this is necessary for
providing an operable website and our contents and services. As a rule, the personal data of our users is
collected and used only upon the user’s prior consent. An exception applies where the user's consent cannot be
obtained in advance for factual reasons and the processing of the data is permitted by statutory provisions.

3.2 Legal basis for the processing of personal data

Insofar as we obtain the data subject’s consent to the processing of personal data, Article 6(1)(a) of the EU
General Data Protection Regulation (GDPR) constitutes the legal basis.

For the processing of personal data that is necessary for performing a contract to which the data subject is a
party, Article 6(1)(b) GDPR constitutes the legal basis. This also applies to processing activities which are
necessary to implement pre-contractual measures.

Insofar as processing of personal data is necessary to fulfil a legal obligation to which this company is subject,
Article 6(1)(c) GDPR constitutes the legal basis.

In the event that processing of personal data is necessary in order to protect vital interests of the data subject or
another natural person, Article 6(1)(d) GDPR constitutes the legal basis.

Article 6(1)(f) GDPR constitutes the legal basis for data processing which is necessary to safeguard the legitimate
interests of this company or those of a third party and where the interests, fundamental rights or fundamental
freedoms of the data subject do not prevail over such interests.

3.3 Erasure of data; Storage period

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage ceases
to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in
EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted
if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage
of the data for the conclusion or fulfilment of a contract.

3.4 Extent of processing personal data

HF Data Datenverarbeitungsges.m.b.H acts as a clearing office for the Land Register and the Business Register
on behalf of the Federal Ministry of Justice (https://www.justiz.gv.at/service/verrechnungsstellen.795.de.html).

The service is provided under a service licence, which was awarded in a public procurement procedure. In terms
of data protection law we thus act as the Federal Ministry's processor. When the contract was awarded, HF Data
Datenverarbeitungsges.m.b.H was put under an obligation to log accesses to the databases of the Republic of
Austria.

In order to enhance the findability of Land Register and Business Register information, Business Register and
cadastre data provided under the Austrian Act on Re-use of Public Sector Information
[Informationsweiterverwendungsgesetz/IWG] for further processing is also processed for index-linking.


4. Collection of data as part of HF-Data's activities (information acc. to Art. 14 GDPR)

4.1 Legal basis for the processing of personal data

The activities of HF Data Datenverarbeitungsges.m.b.H are thus primarily subject to Article 6(1)(b) and (c) GDPR.
Processing is required for fulfilling a contract to which the data subject is a party, or to carry out pre-contractual
measures; moreover, there is a legal obligation to process data where services are used.

4.2 Purpose of data processing

Personal data is processed in the course of a business relationship with customers where a trade is practised,
including systematic recording of all transactions concerning income and expenses.

HF Data Datenverarbeitungsges.m.b.H holds the following trade licence for providing its services: Services in
automated data processing and information technology as defined in Section 103(1)(a) No. 2 of the Austrian
Trade Code [Gewerbeordnung/GewO] of 1973. The purpose of data processing as defined in Article 5(1)(b)
GDPR is therefore to support the provision of services expressly permitted by law under the Trade Code.

4.3 Source of personal data

HF Data sources personal data from public registers; i.e. the Business Register, the Trade Register or the
Register of Associations.

4.4 Categories of personal data

All data categories from the underlying public registers are stored. Data may include the following: internal ID,
name, title, gender, date of birth, contact details, official ID (e.g. ZVR [Central Register of Associations] number).

4.5 Categories of recipients

There is a data transfer to third parties, if this is necessary for the execution of the contract. In principle, the
recipients of the data are only the users of HF Data services.

4.6 Storage period

We store data permanently because historical data is also of great value to us and our customers. For example,
Compass books from the interwar period were used as a key source for dealing with restitution issues. We have
digitised all data gathered in 150 years of publishing and offer this historical data as a separate product.

4.7 Right to object and erasure

Article 14 GDPR provides for duties to provide information where personal data was not collected from the data
subject; paragraph 5 of that Article, however, provides for exceptions to those information duties. Two of the
exceptions apply to us:

Paragraphs 1 to 4 (= duty to provide information) do not apply if and to the extent that

(b) provision of such information proves to be impossible or would require disproportionate efforts;

(c) obtaining or disclosure of data is expressly regulated by EU or Member State legislation to which the controller
is subject and which provides for appropriate measures to protect the data subject's legitimate interests.

Almost all data of Compass products originate from freely accessible public databases. Reuse of such data is
regulated in Directive 2013/37/EU and by the Austrian Act on Re-use of Public Sector Information. All of the said
legislation contains a reference to data protection provisions and therefore falls under letter (c). Moreover,
informing millions of data subjects would require disproportionate efforts. That is why we make such information
available to the public, as is also provided for in the last sentence of Article 14(5)(b) GDPR.


5. Provision of the website and creation of log files

5.1 Description and scope of data processing

Each time our website is visited, our system will automatically collect data and information from the computer
system of the calling computer.

The following data will be collected:

(1) Information about the browser type and version used
(2) The user's operating system
(3) The IP address of the user
(4) Date and time of access
(5) Websites from which the user's system reaches our website
(6) Websites accessed by the user's system via our website
(7) The user's request

Such data will be stored in the log files of our system as well. Such data will not be stored together with other
personal data of the user.

5.2 Legal basis for data processing

The legal basis for temporary storage of data and log files is Article 6(1)(f) GDPR.

5.3 Purpose of data processing

Temporary storage of the IP address by the system is necessary for delivering the website to the user's
computer. For that purpose, the user’s IP address must remain stored for the duration of the session.

Log files are stored to ensure the website’s functionality. In addition, such data helps us to optimise the website
and to ensure the security of our IT systems. No data will be analysed for marketing purposes in this connection.

The said purposes also constitute our legitimate interest in data processing as defined in Article 6(1)(f) GDPR.

5.4 Storage period

The data will be erased once it is no longer necessary for achieving the purpose for which it was collected. Where
data is collected for provision of the website, this will be done when the relevant session has ended.

Where data is stored in log files, this will be done after a maximum of three (3) months. Storage after that period
is possible. In that case the IP addresses of the users will be deleted or masked so that the calling client can no
longer be identified.

5.5 Right to object and erasure

Collection of data for provision of the website and storage of data in log files is absolutely necessary for operation
of the website. Consequently, users have no right to object.


6. Use of cookies; Local storage

6.1 Description and extent of data processing

Our website uses cookies to make our internet presence more user-friendly and functional. Some cookies will
remain stored on your terminal device.

Cookies are small data packages which are exchanged between your browser and the/our web server when you
visit our website. They cause no harm and merely serve the purpose of recognising visitors of the website.
Cookies may only store information provided by your browser, i.e. information you have entered into the browser
yourself or which is available on the website. Cookies cannot execute code and cannot be used to access your
terminal device.

When you visit our website again using the same terminal device, the information stored in cookies may
subsequently either be sent back to us ("first-party cookie") or to a web application of the third-party providers to
which the cookie belongs ("third-party cookie"). By means of the stored and returned information the relevant web
application will recognise that you have previously retrieved and visited the website via the browser of your
terminal device.

Cookies contain the following information:

  • name of the cookie
  • name of the server from which the cookie originates
  • cookie ID number
  • a date at which the cookie will be deleted automatically

Depending on their designated purpose and function cookies are categorised as follows:

  • Strictly necessary cookies to ensure technical operation and the essential features of our website. These
    cookies are used, for example, to maintain your settings while you navigate the website, or to ensure
    that important information is maintained throughout the session (e.g. login, shopping basket).
  • Statistics cookies that help us understand how visitors interact with our website; such information is
    collected and analysed anonymously only. This gives us valuable insight to be able to help us optimise
    both the website and our products and services.
  • Marketing cookies to target visitors on our website with highly specific ads.
  • Non-classified cookies are cookies which we are currently trying to classify together with providers of
    individual cookies.
  • In addition, depending on the storage period cookies are categorised into session cookies and persistent
    cookies. Session cookies store information which is used during your current browser session. These
    cookies will be deleted automatically once you close your browser. No information will remain stored on
    your terminal device. Persistent cookies store information between two visits to the website. As a result
    of such information you will be recognised as a recurring visitor at your next visit and the website will
    respond accordingly. The duration of a persistent cookie is defined by the cookie provider. Remember
    the billing address Non-display of cookie notifications.

6.2 Legal basis for data processing

The legal basis for using strictly necessary cookies is our legitimate interest in technically sound operation and
smooth functionality of our website in line with Article 6(1)(f) GDPR. Without these cookies our website cannot
function properly. Use of statistics cookies or marketing cookies requires your consent pursuant to Article 6(1)(a)
GDPR.

6.3 Right to object and erasure

Pursuant to Article 7(3) GDPR you may withdraw your consent to the use of cookies at any time with effect for the
future. Consent is voluntary. If you do not consent, no disadvantages will occur. Further information on the
cookies we actually use (in particular on their purpose and duration) is contained in this data privacy statement
and in the information on cookies used by us in our cookie banner.

In addition, you may adjust your browser settings to generally prevent cookies from being stored on your terminal
device or to be asked for permission to place cookies. Cookies that have been placed can be deleted at any time.
For information on how this works please use your browser's help function. Please note that if you disable
cookies in general, the functions on our website may be compromised.

Our website also uses so-called local storage functions (also referred to as "local storage"). This means that data
is stored locally in the cache of your browser, which continues to exist and may be read out even after the
browser is closed, unless you delete the cache or in the case of session storage.

Third parties cannot access data stored in local storage. Where special plugins or tools use the local storage
function, they will contain a description thereof.

If you do not want plugins or tools to use local storage functions, you can adjust your browser settings
accordingly. Please note that this may lead to functional limitations.


7. Google Marketing Platform / Google Ad Manager

For the purpose of analysis, optimisation and commercial operation of our online services our website uses the
Google Marketing Platform / Google Ad Manager of Google Ireland Limited, Gordon House, Barrow Street, Dublin
4, Ireland ("Google").

This is done by means of a pseudonymous identification number (pID), which your browser receives and is
assigned. The pID allows Google to recognise the ads which have been displayed to you and accessed by you.
The data serves the purpose of placing ads across websites by allowing Google to identify the sites visited.

The information generated is transferred by Google to a server in the USA for analysis and will be stored there.
Data transfers by Google to third parties will exclusively be made on the basis of statutory regulations or in the
course of commissioned data processing. Google will in no case merge your data with other data collected by
Google.

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would
like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as
Google is listed in the EU-US Data Privacy Framework https://www.dataprivacyframework.gov/s/participantsearch/participant-detail?id=a2zt000000001L5AAI&status=Active.

7.1 Legal basis for data processing

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw such
consent with effect for the future at any time. For information on the exact location of Google computing centres
please visit: https://datacenters.google/locations/

7.2 Right to object and erasure

For more information on data usage by Google, configuration options and the right to object please refer to the
Google Privacy Policy on https://policies.google.com/technologies/ads and the settings for displaying Google ads
on https://adssettings.google.com/authenticated.

7.3 Data processing terms and conditions for Google advertising products

For information on the Google Controller-Controller Data Protection Terms and additional standard contractual
clauses for data transfers to third countries please refer to: https://business.safety.google/adscontrollerterms.


8. Microsoft Advertising

On our website, the service Microsoft Advertising (formerly Bing Ads) is used to analyze and optimize the
economic operation. Microsoft Advertising is a conversion and tracking service of Microsoft Corporation, One
Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft").

Within the scope of this service, data is transferred to the USA or such transfer cannot be ruled out. We would
like to point out that there is an adequate level of data protection in the case of data transfer to the USA, as
Microsoft is listed in the EU-US Data Privacy Framework: https://www.dataprivacyframework.gov/s/participantsearch/participant-detail?id=a2zt0000000KzNaAAK&status=Active.

Cookies are set on users' devices by Microsoft Advertising, which analyze user behavior on our website. This
assumes that the user has arrived at our website via an ad from Microsoft Advertising. This provides us with
information on the total number of users who clicked on such an ad, were redirected to our website and
previously reached a specific landing page (so-called conversion measurement). In the process, no IP addresses
are stored and no personal information about the identity of our users is communicated.

You can find more information on the analysis services of Microsoft Advertising on the Microsoft website at
https://help.ads.microsoft.com/#apex/3/de/53056/2.

For information on the exact location of Microsoft computing centres please visit:
https://www.datacenters.com/microsoft-azure-data-center-locations.

8.1 Legal basis for data processing

The processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw such
consent with effect for the future at any time.

8.2 Right to object and erasure

For more information on data usage by Microsoft, configuration options and the right to object please refer to the
Microsoft Privacy Policy on https://about.ads.microsoft.com/en-us/policies/legal-privacy-and-security.

8.3 Data processing terms and conditions for Microsoft advertising products

For information on the Microsoft Controller-Controller Data Protection Terms and standard contractual clauses for
data transfers to third countries please refer to: https://privacy.microsoft.com/de-de/privacystatement.

In order to provide appropriate safeguards for the protection of your personal data, any data transfers to Microsoft
servers in the U.S. will additionally be made on the basis of EU standard data protection clauses pursuant to
Article 46(2)(c) GDPR: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/microsoft-advertisingvertrag.


9. Contact form and email contact

9.1 Description and extent of data processing

Our website provides a contact form which may be used to contact us electronically. If a user makes use of that
option, the data entered into the input form will be transmitted to us and stored. This data includes:

  • First name
  • Surname
  • Title
  • Business name
  • Email address
  • Subject
  • Message

In addition, the following data is stored at the time the message is sent:

  • the user's IP address
  • Date and time of registration

Alternatively, you may contact us via the email address provided. In that case the user's personal data
transmitted by email will be stored.

In this context no data will be passed on to third parties. Data will be used exclusively for processing the
conversation.

9.2 Legal basis for data processing

The legal basis for data processing is Article 6(1)(a) GDPR, provided that the user has given his/her consent.
The legal basis for processing data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the
purpose of the email contact is to conclude a contract, Article 6(1)(b) GDPR is an additional legal basis for
processing.

9.3 Purpose of data processing

Personal data from the input form will be processed by us only to process your enquiry. If you contact us by
email, this also constitutes the necessary legitimate interest in data processing. Other personal data processed
during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT
systems.

9.4 Storage period

The data will be erased once it is no longer necessary for achieving the purpose for which it was collected. For
personal data from the input mask of the contact form and for personal data sent by email this is the case once
the relevant conversation with the user has ended. A conversation ends if and when the circumstances suggest
that the matter concerned has been clarified exhaustively.

Any additional personal data collected during the sending process will be erased after a maximum period of
seven days.

9.5 Right to object and erasure

The user may withdraw his/her consent to the processing of personal data at any time. If the user contacts us by
email, s/he may object to storage of his/her personal data at any time. In that case the conversation cannot be
continued.

You may withdraw your consent and object to storage at any time by sending an email to
datenschutz@compass.at.

In that case all personal data stored during our contact will be erased.


10. Web analysis by Matomo (formerly: PIWIK)

10.1 Extent of processing personal data

Our website uses the open-source software tool Matomo (formerly: PIWIK) to analyse the browsing behaviour of
our users. The software places a cookie on the user’s computer (for information on cookies see above). If specific
pages of our website are accessed, the following data will be stored:

  • two bytes of the IP address of the user’s calling system
  • the accessed website
  • the website from which the user was referred to the accessed website (referrer)
  • the sub-pages retrieved from the accessed website
  • the time spent on the website
  • the frequency with which the website is accessed.

The software runs exclusively on the servers of our website. Personal data of users is only stored there. The data
is not passed on to third parties. The software is set in such a way that the IP addresses are not stored
completely, but two (2) bytes of the IP address are masked (e.g. 192.168.xxx.xxx). In this way it is no longer
possible to associate the shortened IP address with the calling computer.

10.2 Legal basis for the processing of personal data

The legal basis for processing personal data of users is Article 6(1)(f) GDPR.

10.3 Purpose of data processing

Processing personal data of users allows us to analyse the browsing behaviour of our users. By analysing the
data collected we are able to compile information on the use of specific components of our website. This helps us
to constantly improve our website and its user-friendliness. For the said purposes we have a legitimate interest in
data processing as defined in Article 6(1)(f) GDPR. By anonymising the IP address the users’ interest in
protecting their personal data is sufficiently taken account of.

10.4 Storage period

The data will be erased once it is no longer required for recording purposes.

10.5 Right to object and erasure

Cookies are stored on the user's computer and transmitted from there to our website. Therefore, you as the user
have full control over the use of cookies. By adjusting the settings in your internet browser you can disable or
restrict transmission of cookies. Cookies which have been stored can be deleted at any time. This can also be
done automatically. If cookies are disabled for our website, you may no longer be able to use all of the website's
functions in full.

Our website offers our users the possibility to opt out from the analysis procedure. To opt out use the following
link: (https://piwik.compass.at/index.php?module=CoreAdminHome&action=optOut&language=de&backgroundColor=&fontColor=&fontSize=&fontFamily=).

In this way another cookie will be placed on their system that signals to our system not to store user data. If a
user deletes the relevant cookie from his/her own system in the meantime, s/he must set the opt-out cookie
again. For more detailed information on privacy settings of Matomo Software please visit:
https://matomo.org/docs/privacy/.


11. E-commerce

11.1 Extent of processing personal data

We offer a platform for concluding purchase and service contracts. In order to provide the same, the following
personal data is processed:

  • Email address
  • First name and surname
  • Business name
  • Address
  • Products
  • IP address for VAT calculation

11.2 Legal basis for the processing of personal data

The legal basis for processing personal data is Article 6(1)(b) GDPR.

11.3 Purpose of data processing

Storage of the data is necessary for you to be able to buy our products and for us to issue an invoice.

11.4 Storage period

Data will generally be erased once the purpose for which it was collected has been achieved. We are under a
statutory obligation to retain invoices for seven (7) years.

11.5 Right to object and erasure

Collection and storage of data is absolutely necessary when purchasing our products. Consequently, users have
no right to object.


12. Rights of the data subject

The following list includes all rights of data subjects under the GDPR. Rights which are of no relevance to our
own website need not be mentioned. Thus, the list can be shortened. Where your personal data is processed,
you are a data subject as defined in the GDPR and you have the following rights vis-à-vis the controller:

12.1 Right of access

You may ask the controller to confirm whether personal data concerning you is processed by us. If such
processing takes place, you may request the following information from the controller:

  • the purposes for which personal data is processed
  • the categories of personal data being processed
  • the recipients or categories of recipients to whom personal data concerning you has been or will be
    disclosed
  • the planned period for which the personal data concerning you will be stored or, if there is no specific
    information in this regard, the criteria used to determine that period
  • the existence of a right to rectification or erasure of your personal data, a right of restriction of
    processing by the controller or a right to object to processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • all information available on the origin of data where the personal data is not collected from the data
    subject
  • the existence of automated decision-making including profiling as defined in Article 22(1) and (4) GDPR
    and, at least in these cases, meaningful information about the logic involved, as well as the significance
    and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether personal data concerning you will be transferred to a third
country or an international organisation. In this context you may request to be informed about appropriate
safeguards as defined in Article 46 GDPR in connection with the transfer.

This right of access may be restricted insofar as it is likely to render impossible or seriously compromise the
achievement of research or statistical purposes and where a restriction is necessary for achieving research and
statistical purposes.

12.2 Right to rectification

You have a right to rectification and/or completion of data vis-à-vis the controller if the processed personal data
concerning you is incorrect or incomplete. The controller must rectify the data immediately.

Your right to rectification may be restricted insofar as it is likely to render impossible or seriously compromise the
achievement of research or statistical purposes and where a restriction is necessary for achieving research and
statistical purposes.

12.3 Right to restriction of processing

You may request restriction of processing of personal data concerning you on the following prerequisites:

  • if you contest the accuracy of the personal data concerning you for a time period that is long enough to
    enable the controller to verify accuracy of the personal data
  • processing is unlawful and you oppose erasure of the personal data and instead request restriction of use of the personal data
  • the controller no longer needs the personal data for the purposes of processing; however you need the data for the establishment, exercise or defence of legal claims, or
  • if you have objected to processing pursuant to Article 21(1) GDPR and it is yet to be determined whether the controller's legitimate grounds outweigh your grounds.

If processing of personal data concerning you was restricted, any other processing, except for storage, is only
permissible upon your consent or for the establishment, exercise or defence of legal claims or for protecting the
rights of another natural or a legal person or on grounds of an important public interest of the European Union or
a Member State. If processing was restricted in line with the above-mentioned prerequisites, the controller will
notify you before the restriction is lifted.

Your right to restriction of processing may be restricted insofar as it is likely to render impossible or seriously
compromise the achievement of research or statistical purposes and where a restriction is necessary for
achieving research and statistical purposes.

12.4 Right to erasure

12.4.1 Erasure obligation

You may ask the controller to erase personal data concerning you without undue delay, and the controller shall
have the obligation to erase such data without undue delay if any of the following reasons applies:

  • The personal data concerning you is no longer necessary for the purposes for which it was collected or
    otherwise processed.
  • You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal basis for processing.
  • You object to processing pursuant to Article 21(1) GDPR and there are no prevailing legitimate grounds for processing, or you object to processing pursuant to Article 21(2) GDPR.
  • The personal data concerning you was processed unlawfully.
  • Erasure of the personal data concerning you is necessary to comply with a legal obligation under EU or Member State law to which the controller is subject.
  • The personal data concerning you was collected in connection with services of the information society offered as defined in Article 8(1) GDPR.

Data Privacy Statement HF Data. Version/Revised on: 2.0, 28.04.23. © Compass-Gruppe

12.4.2 Information to third parties

If the controller has made the personal data concerning you public and is required to erase it pursuant to Article
17(1) GDPR, the controller shall take reasonable measures, taking into account the technology available and the
cost of implementation, including technical measures, to inform controllers who process the personal data about
the fact that you as the data subject have asked for erasure of all links to such personal data or copies or
replications of such personal data.

12.4.3 Exceptions

The right to erasure does not apply insofar as processing is necessary for

  • exercising the right of freedom of expression and information
  • fulfilling a legal obligation that requires processing under EU or Member State law to which the controller
    is subject, or for fulfilling a task which is in the public interest or which is undertaken in the exercise of
    official authority that was conferred on the controller
  • reasons of public interest in the area of public health as defined in Article 9(2)(h) and (i) as well as Article
    9(3) GDPR
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
    as defined in Article 89(1) GDPR insofar as the right stated for paragraph (a) is likely to render
    impossible or seriously compromise achievement of the aims of such processing, or
  • the establishment, exercise or defence of legal claims.

12.5 Right to be notified

If you have exercised your right to rectification, erasure, or restriction of processing vis-à-vis the controller, the
controller must notify all recipients to whom personal data concerning you has been disclosed of such rectification
or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate efforts.
You have a right vis-à-vis the controller to be informed about those recipients.

12.6 Right to data portability

You have the right to receive the personal data concerning you which you have provided to the controller in a
structured, commonly used and machine-readable format. Moreover, you have the right to transfer this data to
another controller without being hindered by the controller to whom the personal data has been provided, where

  • processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a
    contract pursuant to Article 6(1)(b) GDPR; and
  • processing is carried out by means of automated procedures

When exercising this right, you also have the right to request that the personal data concerning you be directly
transferred from one controller to another controller to the extent that this is technically feasible. Freedoms or
rights of other persons must not be detrimentally affected thereby. The right to data portability does not apply to
the processing of personal data which is necessary for fulfilling a task which is in the public interest or undertaken
for exercising official authority that was conferred on the controller.

12.7 Right to object

You have the right, on grounds relating to your particular situation, to object to the processing of personal data
concerning you on the basis of Article 6(1)(e) or (f) GDPR at any time; this shall also apply to profiling that is
based on those provisions.

In that case the controller will no longer process the personal data concerning you unless the controller is able to
demonstrate compelling legitimate grounds for the processing that override your interests, rights or freedoms or
for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object to
processing of the personal data concerning you for the purpose of such advertising at any time; this shall also
apply to profiling to the extent that it is related to such direct marketing.

If you object to processing for the purpose of direct marketing, the personal data concerning you will no longer be
processed for such purposes. In connection with using information society services you may, irrespective of
Directive 2002/58/EC, exercise your right to object by automated means for which technical specifications are
used.

You also have the right, on grounds relating to your particular situation, to object to processing of personal data
concerning you for scientific or historical research purposes or for statistical purposes as defined in Article 89(1)
GDPR.

Your right to object may be restricted insofar as it is likely to render impossible or seriously compromise the
achievement of the research purposes or statistical purposes and where a restriction is necessary for achieving
these research and statistical purposes.

12.8 Right to withdraw your consent given under data protection law

You may withdraw your consent given under data protection law at any time. The lawfulness of processing done
up to the time of withdrawal shall not be affected by withdrawing consent.

12.9 Automated individual decision-making including profiling

You have the right not to be subject to any decision that is exclusively based on automated processing, including
profiling, which would have a legal effect on you or would significantly affect you detrimentally in a similar way.

This shall not apply if the decision

  • is necessary for concluding or performing a contract between you and the controller,
  • is permissible due to legal provisions of EU or Member State law to which the controller is subject and if
    these legal provisions include appropriate measures to safeguard your rights and freedoms as well as
    your legitimate interests or
  • is made upon your express consent.

However, these decisions must not be based on special categories of personal data as defined in Article 9(1)
GDPR unless Article 9(2)(a) or (g) GDPR applies and appropriate measures to safeguard your rights and
freedoms as well as your legitimate interests have been taken.

With regard to the cases stated in paragraph (1) and (3) the controller shall take appropriate measures to
safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain
human intervention on the part of the controller, to express one's point of view and to contest the decision.

12.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy you have the right to lodge a complaint with a
supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the
alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress
or outcome of the complaint, including the option of a judicial remedy as defined in Article 78 GDPR.

HF DATA SERVICEDESK
+43 1 981 16-800