Data privacy

Status July 2021

The security of your personal data is extremely important to Geberit. You can visit our website without sharing your personal information with us. We only need information from you if you wish to use particular services. This privacy policy is intended to provide you with transparent information on what kind of data we collect, process and store and for what purpose.

PRIVACY POLICY AND DATA PROTECTION NOTICE FOR CUSTOMERS, SUPPLIERS AND OTHER BUSINESS PARTNERS

1 Scope of application

1.1 The privacy of your personal data is very important to us. The purpose of this privacy policy is to inform users of the Geberit Internet services, particularly the Geberit web-site(s) (“website”) – as well as customers, suppliers and other business partners – about how the Geberit companies within the EU, Switzerland, United Kingdom and Norway process personal data. With this in mind, not all aspects of this information may apply to you.

1.2 Personal data within the scope of this privacy policy refers to any data that relates or can be related to you, such as your name, address or email address.

2 Controller

2.1 The operator – and therefore the controller – of the Geberit website you have visited is the Geberit company listed in the imprint on the website in question.

2.2 Incidentally, the controller responsible for processing your personal data is Geberit Sales Ltd, Edgehill Drive, Warwick, CV34 6NH. gdpruk@geberit.com

3 Data Protection Officer

Our data protection department, including the data protection officer can be reached at dataprotection@geberit.com or at our postal address with the added information “data protection”.

To arrange a confidential appointment with only our data protection officer, please use the following contact details:

MAGELLAN Rechtsanwälte, Brienner Straße 11, 80333 Munich

Email: datenschutz_geberit@magellan-rechtsanwaelte.de

4 Automatic data collection and processing on Geberit websites

Our websites use certain technologies and tools, which are outlined below. If there are any that you do not want us to use, provided these are optional, we have provided vari-ous options and settings for each one that will prevent it from being used.

4.1 Server log files

4.1.1 As with every website, our server automatically and temporarily collects information transmitted by your browser in server log files, provided you have not disabled this feature. If you intend to view our website, we require certain types of data on a tech-nical level so that we can display our websites whilst also ensuring stability and securi-ty. This data is as follows:

- IP address of the computer sending the request
- file request of the client
- http response code
- the web page that linked you to our website (referrer URL)
- time of the server request
- browser type and version
- operating system used by the computer sending the request

4.1.2 The data in these server log files will not be analysed in a way that identifies individual persons. In cases where the information listed above contains personal data (particularly the IP address), the legal basis for collecting this data is point (f) of Article 6(1) of the General Data Protection Regulation (GDPR). The legitimate interest we pursue when collecting this data is to ensure the proper functioning of our websites. If you require further information about the balancing of interests that must be carried out in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the de-tails provided in Section 2. It is necessary for us to temporarily save your personal da-ta to ensure that the website appears on your computer. To achieve this, your person-al data must be saved for the duration of your visit to our website. Your personal data is saved in log files in order to ensure the operability of the website. Your personal data also ensures the security of our IT systems. Your personal data is not processed fur-ther. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. In the case of your personal data being collected for the provision of the website, this applies as soon as you leave the website. If your personal data is saved in log files, these are deleted after 14 days at the latest. If the data is saved for reasons beyond these, your personal data is anonymised so that you cannot be associated with or identified from this data.

4.2 Improving quality, optimising the website, user behaviour analysis and playing personalised adverts

4.2.1 The legal basis for processing your personal data as part of using cookies or comparable technologies – such as pixels, tags, web beacons or browser fingerprinting (known as ‘tracking cookies’) – for improving quality, optimising the website, user-behaviour analysis and playing personalised adverts after merging with your contract master data and your purchase history, is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR.

4.2.2 Processing your personal data allows us to optimise the user experience on our web-site and to promote sales by selling goods or services.

4.2.3 Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed or if you revoke your consent.

4.2.4 You can find an overview of the advertising cookies used on our website at www.geberit.co.uk/cookie-policy.

You may revoke your consent to the processing of your personal data using tracking cookies at any time with future effect by:

(1) Changing your consent settings on our website

On our website, you can simply revoke your consent to the processing of your personal data using tracking cookies. To access this setting, click on the link in the website footer (‘Change cookie settings’) to open the cookie banner.

Revoking your consent places a further cookie on your computer, which indicates to us that no tracking cookies can be used. If you delete this cookie, you will be asked to submit your declaration of consent again the next time you open our website.

(2) Changing your browser settings

Alternatively, you can change your browser settings to deactivate or limit the transfer of cookies in general. You can delete saved cookies at any time. This process can also be automated. If technically necessary cookies are disabled on our website, it may cause certain functions to cease, or may stop you from fully utilising all functions on our website.

(3) Exception: Google Analytics

If you do not want your personal data to be processed by Google Analytics, you can install a browser add-on to deactivate it. This add-on instructs the Google Analytics JavaScript (ga.js, analytics.js and dc.js) on websites to disable the trans-fer of information to Google Analytics.

If you would like to deactivate Google Analytics, open the website mentioned be-low and install the add-on for deactivating Google Analytics in your browser. You can find detailed information on installing and uninstalling the add-on in the rele-vant help documents for your browser.

Browser and system updates may stop your deactivation add-on from functioning as intended. You can find more information on managing add-ons for Chrome on the websites mentioned below. If you do not use Google Chrome, please check directly with your browser’s manufacturer whether the add-ons work in the version of the browser you are using.

The latest versions of Internet Explorer occasionally load the add-on for deactivat-ing Google Analytics after your personal data has already been sent to Google Analytics. If you use Internet Explorer, the add-on will therefore install cookies on your computer. These cookies ensure that any data collected is immediately deleted from the server that has collected it. Ensure that third-party cookies are not deactivated on your version of Internet Explorer. If you delete your cookies, these cookies will be replaced shortly by the add-on to ensure that your Google Analytics browser add-on continues to function as intended.

The browser add-on for deactivating Google Analytics does not stop personal data being sent to the website or other tracking services.

For more information on terms of use and data protection, please visit:

http://www.google.com/analytics/terms/de.html or

https://support.google.com/analytics/answer/6004245?hl=de

IP addresses are also anonymised on our website.

If you would like to deactivate Google Analytics, open the website mentioned below and install the add-on for deactivating Google Analytics in your browser. You can find detailed information on installing and uninstalling the add-on in the relevant help documents for your browser.

4.3 Google AdWords

4.3.1 We use the services of Google AdWords (including Google AdWords remarketing) so that we can place advertisements (called “Google AdWords”) on external websites for the purpose of drawing attention to attractive offers. Using the data gathered from these advertising campaigns, we are able to determine how effective individual advertisements are. We use this tool to show you advertisements that might interest you, to make our website more appealing to your specific interests, and to calculate our advertising costs in a fair manner.

4.3.2 These advertisements are delivered by Google via what are known as ad servers. For this purpose, we use ad server cookies that enable us to gauge success by means of a number of metrics, such as how often advertisements are displayed and how many times they are clicked by users. If you are linked to our website by a Google adver-tisement, Google AdWords will save a cookie on your PC. These cookies will normally expire after 90 days and are not used to identify you personally. A cookie of this type will normally contain data for analysis such as the unique cookie ID, the number of ad impressions for each placement (frequency), last impression (relevant for post-view conversions) and opt-out information (a flag specifying that the user no longer wishes to be shown advertisements).

4.3.3 These cookies allow Google to recognise your Internet browser. If a user visits specific pages on the website of an AdWords customer and the cookie saved on the user’s computer has not yet expired, Google and the customer are able to discern that the user has clicked on the advertisement and was linked to this page. A different cookie is assigned to each AdWords customer. It is therefore not possible to track cookies via the websites of AdWords customers. We do not collect or process any personal data ourselves in the aforementioned advertisements. Rather, we simply receive statistical analyses of the data from Google. Based on these analyses, we are able to determine which of the advertisements placed are particularly effective. We do not receive any further data from the use of advertising, nor in particular are we able to use this information to identify users.

4.3.4 The legal basis for processing your personal data as part of the ‘Google Adwords’ service is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. Your personal data is deleted as soon as it is no longer required for the pur-pose for which it was processed or if you revoke your consent. As a general rule, the relevant cookies are deleted after 90 days.

4.3.5 You can find an overview of the advertising cookies used on our website for Google Adwords purposes at www.geberit.co.uk/cookie-policy. You may revoke your con-sent to the processing of your personal data for Google Adwords purposes at any time with future effect by opening our cookie banner via the footer on our home page and adjusting your settings.

4.4 DoubleClick by Google

4.4.1 Our websites use the tool DoubleClick by Google. DoubleClick uses cookies in order to show relevant advertisements to users, to improve reporting on campaign performance, and (if the frequency capping feature is enabled) to prevent users from seeing the same advertisements multiple times. Using a cookie ID, Google can register which advertisements have been shown in which browser, preventing users from seeing the same advertisement multiple times. Furthermore, DoubleClick can use cookie IDs to record what are known as conversions, which are related to ad requests. A conversion happens if, for example, a user sees a DoubleClick advertisement and then later visits the advertiser’s website and makes a purchase using the same browser. According to Google, DoubleClick cookies do not contain any personal information.

4.4.2 Due to the use of Google AdWords and DoubleClick by Google, your browser will automatically establish a direct connection to the Google server. We have no control over the scope and further use of data collected by Google through the use of these tools, so the information in this privacy policy reflects our current understanding of the matter. As DoubleClick has been integrated into our web services, Google will be notified when you visit the relevant part of our website or click on one of our advertisements. If you are registered with a Google service, Google may be able to attribute the visit to your individual account. Even if you are not registered with or logged into Google, it may be possible for Google to identify and save your IP address.

4.4.3 Further information on DoubleClick by Google can be found at: https://www.doubleclickbygoogle.com and on data protection at Google in general at: https://policies.google.com/privacy?hl=en.

4.4.4 The legal basis for processing your personal data as part of the ‘DoubleClick by Google’ service is your declaration of consent in accordance with point (a) of Article 6 (1) of the GDPR. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed or if you revoke your consent.

4.4.5 You can find an overview of the advertising cookies used on our website for purposes relating to the Google DoubleClick service at www.geberit.co.uk/cookie-policy. There are a number of ways in which you can opt out of participation in Google Ad-Words and DoubleClick:

You may revoke your consent to the processing of your personal data as part of the Google DoubleClick service at any time and with future effect by opening our cookie banner via the footer on our home page and adjusting your settings:

- by making the appropriate settings in your browser; in particular, suppressing third-party cookies means that you will not receive advertisements from third parties
- by disabling the cookies for conversion tracking by setting your browser to refuse cookies from the domain: www.googleadservices.com
– see https://www.google.co.uk/settings/ads. This setting will be undone once you delete your cookies
- by disabling interest-based advertising by providers that participate in the About Ads self-regulatory programme at http://www.aboutads.info/choices. This setting will be undone once you delete your cookies
- by permanently opting out at http://www.google.com/settings/ads/plugin when using Firefox, Internet Explorer or Google Chrome. Please note that you may not be able to use all of the functions on this website if you do this

4.5 AppNexus, Media Innovation Group, Adform, Plista, Sizmek

4.5.1 Our websites also use tools from AppNexus, Media Innovation Group, Adform, Plista and Sizmek.

4.5.2 These tools use cookies in order to show relevant advertisements to users, to improve reporting on campaign performance, and to prevent users from seeing the same ad-vertisements multiple times. Using a cookie ID, the tools can register which adver-tisements have been shown in which browser, and (if the frequency capping feature is enabled) prevent users from seeing the same advertisement multiple times. According to these third-party providers, the cookies used by the tools do not contain any per-sonal information.

4.5.3 Due to the use of these tools, your browser will automatically establish a direct con-nection to the server of the relevant third-party provider. We have no control over the scope and further use of data collected through the use of these tools, so the infor-mation in this privacy policy reflects our current understanding of the matter. As these tools have been integrated into our web services, the third-party providers will be noti-fied when you visit the relevant part of our website or click on one of our advertise-ments.

4.5.4 The legal basis for processing your personal data as part of the service is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. Processing your personal data allows us to promote sales by selling goods or services. In this context, we use cookies that display adverts relevant to you and reports to improve campaign performance. Use of the relevant cookies also prevents you from seeing the same adverts multiple times. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed or if you revoke your consent.

4.5.5 Further information on the tools referred to in this section can be found at https://www.appnexus.com/en/company/platform-privacy-policy, http://www.themig.com/en-us/privacy.html, https://site.adform.com/privacy-policy-opt-out/, https://www.plista.com/about/privacy/ and https://www.sizmek.com/privacy-policy/.

4.5.6 You can prevent participation in the services from AppNexus, Media Innovation Group, Adform, Plista and Sizmek in a number of ways:

4.5.7 You can find an overview of the advertising cookies used on our website for the tools described above at www.geberit.co.uk/cookie-policy. You may revoke your consent to the processing of your personal data at any time and with future effect by opening our cookie banner via the footer on our home page and adjusting your settings:

- by making the appropriate settings in your browser; in particular, suppressing third-party cookies means that you will not receive advertisements from third parties
- by disabling the cookies used for conversion tracking. This is done by setting your browser to refuse cookies from the domains www.appnexus.com, www.themig.com, https://site.adform.com, www.plista.com and www.sizmek.com
- by disabling interest-based advertising by providers that participate in the About Ads self-regulatory programme at http://www.aboutads.info/choices. This setting will be undone once you delete your cookies
- by permanently opting out at http://www.google.com/settings/ads/plugin when using Firefox, Internet Explorer or Google Chrome. Please note that you may not be able to use all of the functions on this website if you do this.

4.6 Facebook Custom Audiences

4.6.1 Our websites also use the Custom Audiences remarketing feature from Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA. This allows users of our websites to receive interest-based advertising (known as Facebook ads) when visiting the social network Facebook or other websites that also use the feature. We use this tool to show you advertisements that might interest you and to personalise our websites to your interests.

4.6.2 Due to the use of this marketing tool, your browser will automatically establish a direct connection to the Facebook server. We have no control over the scope and further use of data collected by Facebook through the use of these tools, so the information in this privacy policy reflects our current understanding of the matter. As Facebook Custom Audiences has been integrated into our web services, Facebook will be notified when you visit the relevant part of our website or click on one of our advertisements. If you are registered with a Facebook service, Facebook will be able to attribute the visit to your individual account. Even if you are not registered with or logged into Face-book, it is possible for Facebook to identify and save your IP address as well as other identifying features.

4.6.3 The legal basis for processing your personal data for the ‘Custom Audiences’ re-marketing function provided by Facebook Inc. is your declaration of consent in ac-cordance with point (a) of Article 6(1) of the GDPR. Processing your personal data using the ‘Custom Audiences’ remarketing function allows us to boost sales by selling goods or services. We use this tool to show you advertisements that might interest you and to personalise our websites to your interests. The tool allows you to receive inter-est-based advertising (known as Facebook ads) when visiting the social network Fa-cebook or other websites that also use the feature.

4.6.4 Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed or if you revoke your consent.

4.6.5 You can find an overview of the advertising cookies used on our website for the Facebook Custom Audiences tool at www.geberit.co.uk/cookie-policy. You may revoke your consent to the processing of your personal data for use for the Facebook Custom Audiences function at any time and with future effect by opening our cookie banner via the footer on our home page and adjusting your settings.

4.6.6 The Facebook Custom Audiences feature can also be disabled by making the appropriate setting in your browser or – if you are logged into Facebook – at https://www.facebook.com/ads/preferences.

4.6.7 Further information on data processing by Facebook can be found at https://www.facebook.com/about/privacy.

4.7 Pinterest tag

4.7.1 Our website also uses the conversion-tracking Pinterest tag from Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. This allows users of our websites to receive interest-based advertising when visiting Pinterest or other websites that also use the feature. We use this tool to show you advertisements that might interest you and to personalise our website to your interests.

4.7.2 Due to the use of this marketing tool, your browser will automatically establish a direct connection to the Pinterest server. We have no control over the scope and further use of data collected by Pinterest through the use of these tools, so the information in this privacy policy reflects our current understanding of the matter: As the Pinterest tag has been integrated into our web services, Pinterest will be notified when you visit the relevant part of our website or click on one of our advertisements. If you are registered with a Pinterest service, Pinterest may be able to attribute the visit to your indi-vidual account. Even if you are not registered with or logged into Pinterest, it is possible for Pinterest to identify and save your IP address as well as other identifying features.

4.7.3 The legal basis for processing your personal data for conversion tracking using the ‘Pinterest tag’ is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. Processing your personal data using the ‘Pinterest tag’ conversion tracking element allows us to boost sales by selling goods or services. We use con-version tracking to show you advertisements that might interest you and to personalise our websites to your interests. Conversion tracking allows you to receive interest-based advertising when visiting the social network Pinterest or other websites that also use the feature. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed or if you revoke your consent.

4.7.4 You can find an overview of the conversion tracking cookies used on our website using the Pinterest tag at www.geberit.co.uk/cookie-policy. You may revoke your consent to the processing of your personal data for conversion tracking purposes using the Pinterest tag function at any time and with future effect by opening our cookie banner via the footer on our home page and adjusting your settings.

4.7.5 The Pinterest tag feature can be disabled by making the appropriate setting in your browser or – if you are logged into Pinterest – at https://help.pinterest.com/en/article/personalized-ads-on-pinterest.

4.7.6 Further information on data processing by Pinterest can be found at https://policy.pinterest.com/en/privacy-policy.

4.8 LinkedIn Insight Tag

4.8.1 Our websites also use LinkedIn Conversion Tracking and Insight Tag feature from LinkedIn Corporation, Sunnyvale, CA 94085, USA. This allows users of our websites to receive interest-based advertising when visiting linkedIn.com or other websites that also use the feature. We use this tool to show you advertisements that might interest you and to personalise our websites to your interests.

4.8.2 Due to the use of this marketing tool, your browser will automatically establish a direct connection to the LinkedIn server. We have no control over the scope and further use of data collected by LinkedIn through the use of these tools, so the information in this privacy policy reflects our current understanding of the matter. As the LinkedIn Insight Tag has been integrated into our web services, LinkedIn will be notified when you visit the relevant part of our website or click on one of our advertisements. If you are registered with a LinkedIn service, LinkedIn will be able to attribute the visit to your individ-ual account. Even if you are not registered with or logged into LinkedIn, it is possible for LinkedIn to identify and save your IP address as well as other identifying features.

4.8.3 The legal basis for processing your personal data as part of the conversion tracking ‘Insight Tag’ is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. Processing your personal data allows us to promote sales by selling goods or services. We use this tool to show you advertisements that might interest you and to personalise our websites to your interests. The tool allows you to receive inter-est-based advertising (known as LinkedIn ads) when visiting the social network LinkedIn or other websites that also use the feature.

4.8.4 You can find an overview of the conversion tracking cookies used on our website using the Insight tag at www.geberit.co.uk/cookie-policy. You may revoke your consent to the processing of your personal data for conversion tracking purposes using the Insight tag function at any time and with future effect by opening our cookie banner via the footer on our home page and adjusting your settings.

4.8.5 The LinkedIn Insight Tag feature can also be disabled by making the appropriate setting in your browser or – if you are logged into LinkedIn – at https://www.linkedin.com/psettings/advertising.

4.8.6 Further information on data processing by LinkedIn can be found at https://www.linkedin.com/legal/cookie-policy and https://www.linkedin.com/legal/privacy-policy.

4.9 Google Maps and Google Fonts

4.9.1 The legal basis for processing your personal data in relation to integrating Google Maps and Google Fonts is point (a) of Article 6(1) of the GDPR.

4.9.2 The processing of your personal data for the integration Google Maps and Google Fonts makes it easier for you to find our locations and ensures that texts appear in a uniform style on our website. Your personal data is deleted as soon as it is no longer necessary for the aforementioned purposes. In our case, this is as per 12 months.

4.9.3 If you do not want your personal data to be collected by Google Fonts, you can apply settings in your browser (for example by installing plug-ins or add-ons) to prevent your data from being transmitted to the Google servers. If your browser does not support Google Fonts, there is no access to the Google server and the texts on our website are displayed in your system’s standard font.

For more information on terms of use and data protection, please visit:

https://developers.google.com/fonts/faq or www.google.com/intl/en-GB/privacy/

4.10 Geberit AquaClean blog

4.10.1 The legal basis for processing your personal data in relation to the commenting and blog function on the Geberit AquaClean blog is established in point (a) of Article 6(1) of the GDPR. We process your personal data as part of the commenting and blog func-tion on the Geberit AquaClean blog to enable transparent and personalised communi-cation between us and you. We also process your personal data to protect ourselves from liability claims by third parties if illegal comments are published. Your personal data is deleted as soon as it is no longer required for the purpose for which it was pro-cessed. In our case, this is as per 10 years.

4.10.2 You can object to the processing of your personal data with regard to the commenting and blog function at any time with future effect. We will then delete the comment from our Geberit AquaClean blog or not publish it.

4.11 Geberit LiveChat

4.11.1 The legal basis for processing your personal data for provision of the “Geberit LiveChat” service is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR.

4.11.2 The Geberit LiveChat function should offer you the opportunity to contact us quickly and easily using our electronic chat service. If you would like to make use of this ser-vice, the purpose of processing your data is for us to make this function available to you. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. This usually occurs 3 years after processing your request.

4.11.3 You can revoke your consent for the purposes of using the Geberit LiveChat function at any time and with future effect. Doing so means you can no longer use the LiveChat function. All personal data that is saved when using the Chat function is de-leted in this case.

4.12 Geberit Chatbot

4.12.1 The legal basis for processing your personal data for provision of the ‘Chatbot’ service is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR.

4.12.2 The Chatbot function offers you the opportunity to have your questions answered quickly and easily via an automatic chat machine. However, if you would still like to contact our customer service team, you can click on ‘Continue chatting’ to be trans-ferred directly from the Chatbot to the LiveChat. Alternatively, you can choose to contact us by email or telephone.

Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. This usually occurs 90 days after processing your request.

4.12.3 You can revoke your consent to data processing for the purposes of using the Chatbot function at any time and with future effect. Doing so means you can no longer use the Chatbot function. All personal data that is saved when using the Chat function is deleted in this case.

4.13 Video centre

4.13.1 The legal basis for processing your personal data in relation to integrating our videos is established in point (f) of Article 6(1) of the GDPR.

4.13.2 We process your personal data for provision of the video centre in order to ensure that video content on our website is displayed in an appealing and uniform way, regardless of your end device.

4.13.3 Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. This is, at the latest, after you leave our website.

4.13.4 Processing your personal data is strictly necessary for integration of the video centre. It is therefore not possible for you to object to this.

4.14 You Tube

4.14.1 We use the video platform “YouTube“ of the company YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA (»YouTube«), a company of Google Inc. to ensure an appealing, consistent presentation of video content on our website that is independent of your terminal device. We do this in the Enhanced Privacy Mode. Unless you agree to the cookie when visiting the website, no data is collected by YouTube when you visit the website. Only when you want to play the video and agree to the cookie, your data is transmitted to YouTube (such as IP address, referring page, device information (browser, device type), retrieved video). We ourselves record and store whether and which YouTube video you have played in order to be able to offer you a customized service.

4.14.2 Your personal data is therefore deleted as soon as it is no longer required to achieve the purpose of its processing.

4.14.3 The legal basis for the processing of your personal data is your consent according to point (a) of Article 6(1) GDPR. You have the right to withdraw your consent at any time. If you wish to do this, please contact us via the details specified above. The withdrawal of consent does not affect the lawfulness of any data processing that was carried out based on consent being obtained.

4.14.4 We have no influence on the data processing by YouTube. Further information on data processing by You Tube can be found at https://policies.google.com/privacy?hl=en-GB.

4.15 Vimeo

4.15.1 We use the Vimeo video platform from Vimeo Inc., 555 West 18th Street, New York, NY 10011, USA (hereafter: ‘Vimeo’), to ensure that video content on our website is displayed in an appealing and uniform way, regardless of your end device. Unless you have already agreed to the cookie when visiting the website, no data is collected by Vimeo through your visit to the website. Your data (such as your IP address, device in-formation – including browser and device type – and retrieved video) is only shared with Vimeo when you want to play the video and agree to the cookie. For our part, we record and store information on whether you have played a Vimeo video – and if so, which one – to offer you a more personalised service.

4.15.2 We delete your personal data as soon as it is no longer required for the purpose for which it was processed.

4.15.3 The legal basis for processing your personal data is established by your consent in accordance with point (a) of Article 6(1) of the GDPR. You have the right to withdraw your consent at any time. Please contact us via the details provided above if you would like to do so. The withdrawal of consent does not affect the lawfulness of any data processing that was carried out based on consent being obtained.

4.15.4 We have no influence on how data is processed by Vimeo. Further information on data processing by Vimeo can be found at https://vimeo.com/privacy.

4.16 Technically necessary Cookies

4.16.1 Our websites use technically necessary cookies besides the ones outlined in Sections 4.4 to 4.15. Cookies are small text files that are saved on a local cache in your browser. The cookies specified below are used by us exclusively to ensure that we are able to implement or provide the service that you are using. This is based on point (f) of Article 6(1) of the GDPR. Some of our website functions cannot be provided without the use of cookies. For these functions, your browser needs to be identified again even af-ter changing pages. Your personal data is not processed further. The legitimate interest that we pursue when processing data is to optimise the website settings for the device you are using and to adapt the user interface accordingly. If you require further information about the balancing of interests that must be carried out in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above. The following types of cookies (the scope and functionality of which are de-tailed below) are used on our websites:

– transient cookies (see Section 4.16.2)

– persistent cookies (see Section 4.16.3).

4.16.2 Transient cookies are automatically deleted once you close your browser. These in-clude session cookies in particular. These save a session ID that makes it possible to attribute various request from your browser to a common session, allowing your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close your browser.

4.16.3 Persistent cookies are automatically deleted after a specified amount of time, which can vary depending on the cookie. You can delete the cookies at any time in your browser’s security settings.

4.16.4 You can find an overview of the technically necessary cookies used on our website at www.geberit.co.uk/cookie-policy. If permitted, cookies are saved on your computer and transferred from there to our website. This allows you full control over the use of cookies. You can change settings in your browser to deactivate or limit the transfer of cookies. You can delete saved cookies at any time. This process can also be auto-mated. If cookies are disabled on our website, it may cause certain functions to cease, or may stop you from fully utilising all functions on our website.

5 Collection and processing of voluntarily provided data

5.1 We collect and process personal data that has been shared with us voluntarily during the course of interacting with customers, suppliers and other business partners (for ex-ample, via email, telephone or our websites)

We process the data for the following purposes:

5.1.1 Online catalogue

The legal basis for processing your personal data for the online catalogue is estab-lished in point (b) of Article 6(1) of the GDPR. The purpose of processing your per-sonal data for the online catalogue is to fulfil a contract between you and us. Your per-sonal data is deleted as soon as it is no longer required for the purpose for which it was processed. In the case of data processing for the online catalogue, this is when the contract has been fulfilled and all claims from the contract relationship lapse or legal retention periods have expired. The purpose of processing your personal data within the online shop is to fulfil a contract between you and us and is strictly necessary. It is therefore not possible for you to object to this.

5.1.2 Account registration / Creating a new Geberit ID

The legal basis for processing your personal data for customer account registration is established in point (b) of Article 6(1) of the GDPR. Registering or creating a Geberit ID allows, in particular, the conclusion of contracts as well as a customer service rela-tionship. While creating your Geberit ID, we validate your telephone number by send-ing a confirmation SMS. Processing your personal data as part of the registration process is therefore necessary to fulfil a contract, carry out pre-contractual measures and maintain our customer relationship. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. This is, at the latest, when your customer account is terminated. You may terminate the registration of your cus-tomer account at any time. If you do so, your personal data is deleted, provided that no legally binding retention periods apply.

5.1.3 Contact form and email contact

The legal basis for processing your personal data that is transferred during customer contact interactions is established in point (f) of Article 6(1) of the GDPR. If the aim of the contact is to conclude a contract, then point (b) of Article 6(1) of the GDPR is an additional legal basis for processing your personal data. For customer communica-tions, we only process your personal data to handle your issues. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data that is sent during customer communications, this is when your is-sues are fully processed and there is no legal retention period in effect. You can object to the processing of your personal data with regard to customer communications at any time with future effect. However, if you do so, we cannot continue to process your issues. All personal data that was saved during the interaction is deleted unless there is a legal retention period that prevents deletion.

5.1.4 Technik-Telefon

The legal basis for processing your personal data that is transferred during customer interactions via the Technik-Telefon is established in point (f) of Article 6(1) of the GDPR. If the aim of the contact is to conclude a contract or continue with the fulfil-ment of a contract, then point (b) of Article 6(1) of the GDPR is an additional legal ba-sis for processing your personal data. For customer interactions via the Technik-Telefon, we only process your personal data to handle your issues. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data that is sent during customer communications, this is when your issues are fully processed and there is no legal retention period in effect. You can object to the processing of your personal data with regard to customer communications at any time with future effect. However, if you do so, we cannot continue to process your issues. All personal data that was saved during the interaction is deleted unless there is a legal retention period that prevents deletion.

For customer interactions via telephone, some telephone conversations may be recorded in individual circumstances. You will be informed of this before the start of the conversation. As a general rule, the legal basis for processing your data in these cases is point (a) of Article 6(1) of the GDPR. If the legal system of a European member state provides for express consent, the legal basis is point (f) of Article 6(1) of the GDPR.

5.1.5 Geberit customer bathroom consultation

The legal basis for processing the personal data that you transfer as part of the bath-room consultation service is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. If the aim of the contact as part of the consultation is to initiate, conclude or continue with the fulfilment of a contract, then point (b) of Article 6(1) of the GDPR is an additional legal basis for processing your personal data. Your data is processed for the purpose of handling your issues as well as providing a timely and competent consultation regarding our products. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For per-sonal data that is sent as part of your request, this is when your issues are fully processed and there is no legal retention period in effect. You can revoke your consent to the processing of your personal data with regard to the requested consultation service at any time with future effect. However, if you do so, we cannot continue to process your issues. All personal data that was saved during the interaction is deleted unless there is a legal retention period that prevents deletion.

5.1.6 Service & customer service

The legal basis for processing your personal data that is transferred during the requested service and customer service interaction is generally established in point (b) of Article 6(1) of the GDPR. If you transfer additional information to us as part of your issue, your consent in accordance with point (a) of Article 6(1) of the GDPR is an ad-ditional legal basis for processing your personal data. Your personal data is processed for purposes of handling your service or customer service request and therefore serves to settle potential service and customer service requests. It is therefore neces-sary to process your personal data within the scope of handling your issues to ensure we provide the best possible service. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data that is sent as part of your request, this is when your issues are fully processed and there is no legal retention period in effect. You can object to the processing of your personal data with regard to settling your service or customer service request at any time with future effect. However, if you do so, we cannot continue to process your issues. All personal data that was saved during your service or customer service request is deleted unless there is a legal retention period that prevents deletion.

For customer interactions via telephone, some telephone conversations may be recorded in individual circumstances. You will be informed of this before the start of the conversation. As a general rule, the legal basis for processing your data in these cases is point (a) of Article 6(1) of the GDPR. If the legal system of a European member state provides for express consent, the legal basis is point (f) of Article 6(1) of the GDPR.

5.1.7 Download Centre

The legal basis for processing your personal data within the Download Centre is estab-lished in point (a) of Article 6(1) of the GDPR. If the aim of the contact within the scope of the Download Centre is to conclude a contract, then point (b) of Article 6(1) of the GDPR forms an additional legal basis for processing your personal data. Your data is processed for the purposes of providing and sending documentation you have requested via our website. Processing your personal data in the Download Centre is therefore necessary to process your request or to supply documents you have requested. Your personal data is deleted as soon as it is no longer required for the pur-pose for which it was processed. For personal data that is sent as part of the order request, this is when your order is fully processed and there is no legal retention period in effect. You can object to the processing of your personal data with regard to the order process at any time with future effect. However, if you do so, we cannot continue to process your issues. All personal data that was saved during the order process is deleted unless there is a legal retention period that prevents deletion.

5.1.8 Energy label

The legal basis for processing your personal data as part of the request for an energy label is established in point (a) of Article 6(1) of the GDPR. If the aim of the contact as part of ordering an energy label is to conclude a contract, then point (b) of Article 6(1) of the GDPR forms an additional legal basis for processing your personal data. Your personal data is processed for the purposes of sending the energy label you have requested. Processing your personal data is therefore necessary to process and handle the transfer requested by you. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data that is sent as part of your request, this is when your request is fully processed and there is no legal retention period in effect. You can object to the processing of your personal data with regard to the request at any time with future effect. However, if you do so, we cannot continue to process your issues. All personal data that was saved as part of the re-quest is deleted unless there is a legal retention period that prevents deletion.

5.1.9 Streaming services

You can register for and take part in our digital events (known as streaming services) via our home page. The legal basis for processing your personal data for streaming services, for example in the context of the ‘Geberit NeuheitenTreff’ innovation meet-ing, is established in point (a) of Article 6(1) of the GDPR. The registration process relating to this and the processing of your personal data is necessary to enable you to use the digital streaming services. Your personal data is processed for the purposes of providing and carrying out the streaming services you have requested. Your personal data is deleted as soon as it is no longer required for the purpose for which it was pro-cessed. For personal data that is processed as part of the streaming service, this is when the digital event ends and there are no legal retention periods preventing deletion. You can object to the processing of your personal data with regard to our streaming service at any time with future effect. However, if you do so, you can no longer take part in the digital event All personal data that was saved during your registration for or participation in our digital streaming services is deleted unless there is a legal re-tention period that prevents deletion.

5.1.10 Geberit Fire Test Laboratory

The legal basis for processing your personal data for registration, logging into and participating in the ‘Geberit Fire Test Laboratory’ event is established in point (a) of Article 6(1) of the GDPR. The registration process relating to this and the processing of your personal data is necessary to enable you to take part in the Geberit Fire Test Laborato-ry. Your personal data is processed for the purposes of registering for and participating in the Geberit Fire Test Laboratory service. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data that is required for registration for and signing in to the Geberit Fire Test Laboratory, this is when the event is finished and there is no legal retention period in effect. You can ob-ject to the processing of your personal data with regard to participating in the Geberit Fire Test Laboratory at any time with future effect. However, if you do so, you can no longer take part in the Geberit Fire Test Laboratory event All personal data that was saved during your registration for or participation in the ‘Geberit Fire Test Laboratory’ event is deleted unless there is a legal retention period that prevents deletion.

5.1.11 Geberit Pro planner and Revit® plug-in

The legal basis for processing your personal data for installation and use of the sani-tary planning tool is established in point (a) of Article 6(1) of the GDPR. This processing is necessary to enable you to use the sanitary planning tool. Your personal da-ta is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data that is required for installation and use of the sanitary planning tool, this is when the tool is deleted and there is no legal retention period in effect. You can object to the processing of your personal data with regard to the use of the sanitary planning tool at any time with future effect. If you do so, you can no longer use the sanitary planning tool. All personal data that was saved during the installation and use of the tool is deleted unless there is a legal retention period that prevents dele-tion.

5.1.12 Geberit press mailing list

The legal basis for processing your personal data when subscribing to our press mailing list is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. The purpose of processing your personal data is to send you mailshots as part of the press mailing list. The purpose of processing your personal data for sending mailshots as part of the press mailing list is to send you information and offers and, where applicable, to promote sales through the sale of goods or services. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. Your data is therefore saved until you unsubscribe from our press mailing list. You can revoke your consent to receive mailshots as part of the press mailing list at any time or click on the unsubscribe link within the mailshot to unsubscribe from further mailshots.

5.1.13 Geberit Useletter

The legal basis for processing your personal data to send you the Geberit Useletter is your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR. Your personal data is processed so that we can send the Geberit Useletter to you. The purpose of processing your personal data for sending the Geberit Useletter is to send information and offers and, where applicable, to promote sales through the sale of goods or services. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. Your data is therefore saved until you unsub-scribe from our Geberit Useletter. You can revoke your consent to receive the Geberit Useletter at any time or click on the unsubscribe link within the Useletter to unsub-scribe from further newsletters.

5.1.14 Direct marketing

The legal basis for processing your personal data for direct marketing measures is ei-ther your declaration of consent in accordance with point (a) of Article 6(1) of the GDPR or the legal permission according to point (f) Article 6(1) of the GDPR or the respective regulation of Unfair Competition Law. The purpose of processing your personal data for direct marketing measures is to send information and offers and, where applicable, to promote sales through the sale of goods or services. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed and especially if we receive a withdrawal of consent or objection to its processing. You can revoke your consent with future effect at any time and/or may object to the pro-cessing of your data for direct marketing measuring at any time, also with future effect.

5.1.15 Competitions

The legal basis for processing your personal data for competitions is established in point (b) of Article 6(1) of the GDPR. The purpose of processing your personal data for competitions is to fulfil a contract for participation in the competition between you and us. Your personal data is deleted as soon as it is no longer required for the pur-pose for which it was processed. For personal data processing within the scope of competitions, this is when the competition is completely finished. You can object to the processing of your personal data with regard to competition participation at any time with future effect. Doing so means you can no longer take part in the competition. All personal data that is saved during the competition is deleted in this case.

5.1.16 Cashback offers and warranty extension

The legal basis for processing your personal data for cashback offers and warranty extensions is established in point (b) of Article 6(1) of the GDPR. The purpose of processing your personal data for cashback offers or warranty extensions is to fulfil a contract between you and us. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. In the case of data processing for cashback offers and warranty extensions, this is when the cashback offer is fully completed or the warranty period has expired. You can object to the processing of your personal data with regard to cashback offers or warranty extensions at any time with future effect. If you do so, you can no longer participate in the cashback offer or benefit from warranty extensions. All personal data that is saved in relation to cash-back offers and warranty extensions is deleted in this case.

5.1.17 Virtual events

The legal basis for processing your personal data for holding digital or virtual events is established in point (b) of Article 6(1) of the GDPR. The purpose of processing your personal data for virtual events is to fulfil a contract for holding the event between you and us. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. For personal data processing regarding virtual events, this is when the event is completely finished. You can object to the processing of your personal data with regard to virtual events at any time with future effect. Doing so means you can no longer take part in the virtual event. All personal data that is saved for the virtual event is deleted.

5.1.18 Data collection related to Covid-19 for in-person events/training

The legal basis for processing your personal data for in-person events/training is established in point (c) of Article 6(1) of the GDPR in connection with the current regulations of the Infection Prevention Act and the infection prevention measures that can be derived from this, as well as other Covid regulations. The purpose of processing your personal data for in-person events and training is to comply with the legal regulations for infection prevention. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed.

Your personal data is processed when holding in-person events or training to comply with legal obligations. It is therefore not possible for you to object to this besides not participating in the in-person event or training.

6 Further data processing besides our website

6.1.1 Facebook Insights (Facebook fan page)

We operate our Facebook fan page together with Facebook Ireland Ltd. (hereafter ‘Facebook’). For this purpose, we have concluded an agreement with Facebook regarding which party has which obligations concerning the GDPR. You can view the essential content of this agreement at https://www.facebook.com/legal/terms/page_controller_addendum. Information about how Facebook processes your personal data can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. The le-gal basis for processing your personal data is established in point (f) of Article 6(1) of the GDPR. By processing your personal data using Facebook Insights, we can ana-lyse your user behaviour. We evaluate the captured data and use it to collate information about our Facebook fan page activity. This helps us to design our Facebook fan page in a more user-friendly way that meets the needs of our target audience. The personal data that is collected from our Facebook fan page is provided to us by Facebook. Your personal data is deleted as soon as it is no longer necessary for the afore-mentioned purposes. If you do not want your data to be collected by Facebook Insights, you can object to the processing of your personal data by Facebook Insights at any time and with future effect. If you do so, we refer your objection to Facebook.

6.1.2 Instagram

Instagram is a product belonging to Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (hereafter ‘Facebook’). We run our Instagram page together with Facebook. For this purpose, we have concluded an agreement with Facebook regarding which party has which obligations concerning the GDPR. You can find the detailed information on the processing of your personal data by the Insta-gram service at: https://help.instagram.com/519522125107875. Information about how Facebook processes your personal data can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. The le-gal basis for processing your personal data is established in point (f) of Article 6(1) of the GDPR. The processing of your personal data by Facebook via the Instagram ser-vice helps us analyse your user behaviour. We evaluate the captured data and use it to collate information about activity on our Instagram page. This helps us to design our Instagram page in a more user-friendly way that appeals to our target audience. The personal data that is collected from our Instagram page is provided to us by Facebook. Your personal data is deleted as soon as it is no longer necessary for the aforemen-tioned purposes. If you do not want your data to be collected by Facebook, you can object to the processing of your personal data by Instagram/Facebook at any time and with future effect. If you do so, we refer your objection to Facebook.

6.1.3 YouTube channel

To ensure we design our social media offering to meet customers’ needs, we use a YouTube channel which is operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereafter ‘Google’). YouTube is a video platform that enables users to upload and publish their videos for public viewing. You can find more information on how Google processes your personal data at https://policies.google.com/privacy?hl=en&gl=en#infocollect. If you wish to use our YouTube channel, we remind you that you use this service at your own risk. This ap-plies especially to the features offered within the YouTube platform, such as the comment, like and share features under each video. We have no influence over the type and scope of the data processed by Google in relation to the YouTube channel. By using the YouTube channel, your personal data is processed by Google and, in do-ing so, will be transferred to the United States, Ireland and any other country in which Google does business, regardless of your place of residence, and may be further pro-cessed there. The legal basis for processing your personal data is established in point (f) of Article 6(1) of the GDPR. Your personal data is processed for the purposes of designing an appealing and user-friendly YouTube channel that meets the needs of our viewers. In this context, we only process your personal data within the YouTube channel insofar as it is necessary for providing information on our offers and services. We also process personal data in relation to this YouTube channel for the purposes of communicating with users and potential interested parties. The personal data that is collected from our YouTube channel is provided to us by Google. Your personal data is deleted as soon as it is no longer necessary for the aforementioned purposes. If you do not want your data to be collected by Google, you can object to the processing of your personal data in relation to this YouTube channel at any time. If you do so, we re-fer your objection to Google.

7 Data subject information in accordance with Article 12 ff. of the GDPR

The legal basis for processing your personal data as part of processing your data pro-tection enquiries (data-subject information) is established in point (c) of Article 6(1) of the GDPR in connection with Article 12 ff. of the GDPR. The legal basis for the subse-quent documentation of the legally compliant processing of the data-subject information is established in point (f) of Article 6(1) of the GDPR. The purpose of processing your personal data for processing the data-subject information is to answer your data protec-tion enquiry. The legally compliant processing of the relevant data-subject information is subsequently documented to fulfil legal obligations regarding accountability according to Article 5(2) of the GDPR. Your personal data is deleted as soon as it is no longer re-quired for the purpose for which it was processed. In the case of processing data-subject information, this is three years after the end of the process. You can object to the processing of your personal data with regard to processing data-subject information at any time with future effect. However, if you do so, we cannot continue to process your data-protection enquiry. It is strictly necessary to document the legally compliant processing of the affected data-subject information. It is therefore not possible for you to object to this.

8 Legal defence and enforcement

The legal basis for processing your personal data for legal defence and enforcement is established in point (f) of Article 6(1) of the GDPR. The purpose of processing your per-sonal data for legal defence and enforcement is to prevent unjustified claims and the le-gal enforcement and assertion of claims and rights. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. It is strictly necessary to process your personal data for legal defence and enforcement. It is therefore not possible for you to object to this.

9 Sharing your data with third parties

Personal data is provided within our company to the appropriate positions and depart-ments which require it for fulfilling the previously mentioned purposes. We also some-times use various service providers and transfer your personal data to other trustworthy recipients. These may include:

- other Geberit companies for the purpose of centralised customer administration and order processing

- other Geberit companies for the purpose of providing centralised IT and other ser-vices

- logistics providers

- banks and other payment service providers for the purpose of processing any pay-ments

- service providers for the purpose of organising, carrying out and handling of possible installation work and after-sales services

- scanning services

- printers

- IT service providers

- lawyers and courts

10 Transfer to third countries

10.1.1 In the course of processing your personal data, we may transfer your personal data to trusted service providers in third countries. Third countries are countries that are out-side the European Union (EU) or the European Economic Area (EEA). We only work with service providers who can provide us with suitable guarantees for the security of your personal data and who can guarantee that your personal data will be processed in accordance with strict European data protection standards. A copy of these suitable guarantees can be inspected at our premises.

10.1.2 If we transfer personal data to third countries, this will be done on the basis of a so-called adequacy decision of the European Commission, or, in the absence of such a decision, on the basis of so-called standard contractual clauses, which have also been issued by the European Commission. In the present case, it cannot be ruled out that we transfer personal data to service providers in the USA.

11 Your rights

11.1 As regards your personal data processed by us, you are entitled to the rights outlined below. In order to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: datapro-tection@geberit.com.

11.2 Right to access

You have the right to request that we provide access to the personal data concerning you that we have processed. You may exercise this right within the scope outlined in Article 15 of the GDPR.

11.3 Right to rectification or erasure

Subject to the prerequisites specified in Article 17 of the GDPR, you have the right to request from us the erasure of personal data concerning you. The prerequisites provide for a right to erasure in particular where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. The ability to exercise this right is restricted in accordance with Article 17(3) of the GDPR, particularly in cases where we require your data in order to meet a legal obligation or to process legal claims.

11.4 Right to restriction of processing

You have the right to request from us restriction of processing under the terms specified in Article 18 of the GDPR. This right exists in particular (a) where the accuracy of personal data is contested by you, for a period enabling us to verify the accuracy of the personal data, (b) where you oppose the erasure of the personal data (in cases where the right to erasure applies) and request the restriction of its use instead, (c) where we no longer need the personal data for the purposes for which it was being processing, but it is required by you for the establishment, exercise or defence of legal claims, and (d) where the successful exercise of an objection is still contested between you and us. If the processing of your data has been restricted on any of these bases, such data may only be processed in exceptional cases; for example, where you have given your con-sent to this or where such processing is necessary for the enforcement of legal claims.

11.5 Right to object to processing

In accordance with Article 21 of the GDPR, you have the right to object, on grounds relating to your particular situation and at any time, to the processing of personal data concerning you on the basis of point (e) or (f) of Article 6(1) of the GDPR. We will no longer process your personal data unless we can demon-strate compelling legitimate grounds for processing that override your inter-ests, rights and freedoms, or unless the circumstances involve the establish-ment, exercise or defence of legal claims.

11.6 Right to data portability

You have the right to receive the personal data concerning you, which you have provid-ed to us, in a structured, commonly used and machine-readable format under the terms specified in Article 20 of the GDPR. This requires that the data processing has been based on you having given your consent and has been carried out by automated means.

11.7 Right to lodge a complaint with the relevant data protection supervisory authority.

You have the right to lodge a complaint with a supervisory authority – in particular, within the EU member state of your habitual residence, your place of work or the location of the alleged infringement – if you believe that the processing of personal data relating to you infringes the applicable data protection legislation.

12 Erasure of your data

Generally speaking, we erase or anonymise your personal data as soon as it is no longer needed for the purposes for which we collected or used it in accordance with the sections above. If data needs to be retained for legal reasons, it will be blocked. This means that it will no longer be available for further processing. If you require further information regarding our erasure and retention periods, please contact the controller specified in Section 2 using the relevant contact data.

13 Changes of purpose

Your personal data will only be processed for purposes other than those described if a legal provision requires this course of action or if you have given your consent to the changed purpose of the data processing. In cases of further processing for purposes other than those for which we originally collected the data, we will notify you of these other purposes prior to the data being processed further, and will provide you with all other information that relates to this.

14 Automated individual decision-making or profiling

We do not use any automated processing systems for coming to specific decisions – including profiling.

Version: July 2021