Data protection information for the lending of test bikes in accordance with Art.13 GDPR
Organization responsible for data processing (controller) in accordance to Art. 13 para. 1a GDPR
Riese & Müller GmbH
Am Alten Graben 2
64367 Mühltal, Germany
Tel.: +49 (0) 6151 / 366 86-0
E-mail: [email protected]
Competent supervisory authority:
Der Hessische Datenschutzbeauftragte (Data Commissioner for the State of Hesse)
Prof. Dr. Michael Ronellenfitsch
Gustav-Stresemann-Ring 1
65189 Wiesbaden, Germany
Tel.: +49 (0) 611 / 14 08-0
E-Mail: [email protected]
or:
Postfach 31 63
65021 Wiesbaden, Germany
Our data protection office
Our company’s data protection officer is:
CTM-COM GmbH
In den Leppsteinswiesen 14
64380 Roßdorf, Germany
Tel.: +49 (0) 6154 / 57 60 51 11
E-Mail: [email protected]
Riese & Müller GmbH take the security of your personal data seriously. We take measures to ensure this security. To protect your collected data against accidental or intentional manipula-tion, loss, destruction or access by unauthorized persons, technical and organizational measures are used, which are continuously improved in line with technological development.
In the following we would like to inform you of how your data are processed in our company and inform you about your rights (in accordance with Art. 12-21 GDPR).
Data processing:
Data categories (type of personal data)
First name and last name
Address
for the purpose
• Test ride with a test bike owned by the Riese & Müller GmbH
Recipients or categories of recipients of the personal data
Internal:
• Persons entrusted with the fulfilment of the above-mentioned purposes
External:
• In case of loss of the bike, the responsible police authority
• In case of damage of the bike, our insurance
We will store your data for a maximum of two weeks after completion of the event and de-lete it afterwards.
You have the right to request a copy of your personal data. These are generally provided in electronic form, unless you have specified otherwise.
Your rights as a data subject
You have the right to obtain from us, at any time upon request, information on your personal data processed by us and/or our service provider.
Access (Art. 15 GDPR)
You have the right to request information at any time as to whether we are processing your personal data and if so, to request access to such personal data as
• the categories of personal data concerned (see above).
• the purposes of the processing (see above).
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
If your data is transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transfer. Your data will only be transferred to third coun-tries with your written consent.
• The planned storage duration
If it is not possible to specify the storage duration, we are obliged to inform you of the criteria for determining the storage period. These are primarily the statutory retention periods
Right to rectification (Art. 16 GDPR)
You have the right to obtain from us without undue delay the rectification of inaccurate per-sonal data.
Right to erasure (Art. 17 GDPR)
You have the right to obtain from us the erasure of personal data if
• your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• you withdraw consent on which the processing is based, if there is no other legal ground for the processing
• you object to the processing pursuant to Art. 21 para. 1 GDPR and/or Art. 21 para. 2 GDPR (right of opposition)
• your personal data have been unlawfully processed
• it concerns personal data of a child (Art. 8 GDPR).
The right does not apply to the extent that processing is necessary:
• for exercising the right of freedom of expression and information.
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• for the establishment, exercise or defence of legal claims.
The erasure will take place immediately on our behalf.
If personal data has been made public by us (e.g. Intranet), we must ensure, as far as is tech-nically possible and reasonable, that third party data processors are also informed of the eras-ure request, including the erasure of links, copies and/or replications.
Right to restriction of processing (Art. 18 GDPR)
You have the right to obtain restriction of processing from the controller where one of the following applies in the event of:
• rectification
• unlawful processing
• establishment, exercise or defence of legal claims
• processing pursuant to Art. 21 para. 1 GDPR depending the verification whether the le-gitimate grounds of the controller override those of the data subject.
If you obtained restriction of processing, you will be informed before the restriction of pro-cessing is lifted.
Right of data portability (Art. 20 GDPR)
You have the right to receive from us the personal data concerning you which you have pro-vided us with in a structured, commonly used and machine-readable format or to transmit such data to another controller directly, where technically feasible.
The right to data portability only applies to data provided by you. It requires that you have consented to the processing or that it is carried out for the performance of a contract and is carried out with the help of automated procedures.
The exercise of this right is without prejudice to the right to erase (Art. 17 GDPR).
The right must not affect the rights and freedoms of others.
Right to object (Art. 21 GDPR)
You may withdraw your consent at any time with effect for the future. We will no longer pro-cess the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms for the establishment, exercise or defence of legal claims.
Automated decision-making/Profiling (Art. 22 GDPR)
You have the right to be informed whether your data is the subject of an automated deci-sion-making within the meaning of Art. 22 GDPR.
Decisions which have legal consequences for you or which significantly affect you must not be based exclusively on automated processing of your data, including profiling.
However, this does not apply if the automated decision:
• is necessary for entering into a contract between you and our company;
• is authorised by Union or Member State law (if measures are suitable to your rights and freedoms and legitimate interests
• is based on your explicit consent.
Dealing with data breaches (Art. 34 GDPR)
We will inform you without undue delay if a personal data breach is likely to result in a high risk to the rights and freedoms. We will provide you in particular with the following infor-mation:
• Description of the data breach
• Name and contact details of the data protection officer or other contact point for fur-ther information
• Description of the likely consequences of the data breach
• A description of the measures we have taken or propose to take to address the data breach, including measures to mitigate any adverse effects.
Information may be omitted in cases pursuant to Art. 34 para. 3 GDPR.
Exercise of the rights of the data subject (Art. 12 GDPR)
You have the right to confidentially contact our data protection officer mentioned above at any time in order to assert your rights.
The information, notifications and measures to be provided in accordance with the GDPR, in-cluding the exercise of data subject rights, are generally provided free of charge. In the case of manifestly unfounded requests, we are entitled to charge an appropriate fee for the pro-cessing or to refrain from taking action Art. 12 para. 5 of the GDPR).
In the event of reasonable doubt as to the identity of the data subject, additional information may be requested from him or her which is necessary to confirm his or her identity.
As a rule, requests for information and disclosure are processed without delay within one month of receipt of the request. The deadline may be extended by a further two months if this is necessary taking into account the complexity and/or the number of requests.
In the event of an extension, we will inform you within one month of receipt of your request, stating the reasons for the delay. If we do not act on a request, we will inform you immedi-ately within one month of receipt of the request, stating the reasons for the delay and in-forming you of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.
Legal protection
You furthermore have the right to lodge a complaint with a supervisory authority.
In case of complaints, you can contact any time the competent supervisory authority of the Union or the member states.
The above-mentioned supervisory authority is responsible for our company.