Skip links

Privacy Notice

According to the Requirements of the General Data Protection Regulation (GDPR)

We wish to provide you with comprehensive information concerning the legal requirements and obligations governing the types of data we collect and how these are processed. In connection with presenting our products and services, we are informing you below of the policies and procedures we have in place for the handling your data.

I. Name and address of the controller
The controller, as defined in the GDPR and other national data protections laws of member states, as well as other data protection regulations is:

BUSE KSW GmbH & Co. KG (hereinafter: “BUSE”)
Sprudelstrasse 3
53557 Bad Hönningen
Germany
Telefon: +49 (0)2635 781-0
Telefax: +49 (0)2635 781-200
E-Mail: info@buse-group.com
Web: https://www.buse-group.com

Represented by the management board: Roland Bräkling.

II. Name and address of the of the data protection officer
The data protection officer acting for the controller can be contacted at: datenschutz@buse-group.com or at:

Dr. Dornbach Consulting GmbH
Mr. Michael Küster
Anton-Jordan-Strasse 1
56070 Koblenz

III. General information concerning data processing
1. Scope of personal data processing
In principle, we collect and use the personal data of our users only to the extent that this is necessary to provide a functional website together with its contents and our products and services including, in particular, our gas offering. At BUSE, we take the protection of personal data very seriously.

2. Legal basis for the processing of personal data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and other applicable data protection regulations.

Where processing personal data is necessary for the performance of a contract to which the data subject is party, the legal basis for such processing is Art. 6 (1)(b) of the GDPR. The same applies to processing operations that are necessary in order to take steps prior to entering into a contract. In principle, the provision of gas solutions is based on a services contract. Processing is therefore carried out, in particular, to provide the services and other additional products you have selected in accordance with your orders and wishes, and includes the services, measures and activities that are necessary for this purpose. This essentially includes, contract-related communications, the traceability of transactions, orders and other agreements, as well as quality control by means of corresponding documentation, good-will measures, measures to control and optimize business processes and to comply with general duties of care, control and monitoring by affiliated companies (e.g. parent company); statistical evaluations for corporate management, cost accounting and controlling, reporting, internal and external communication, emergency management, accounting and tax evaluation in respect of operational services, risk management, enforcement of legal claims and conducting defense in the event of legal disputes; ensuring IT security (including system and plausibility tests) and general security, including building and plant security, to assure and safeguard our right to keep out trespassers (e.g. by means of access controls); ensuring the integrity, authenticity, and availability of data, to prevent and investigate criminal offenses; monitoring by supervisory boards or monitoring authorities (e.g. auditing).

If we obtain the data subject’s consent to the processing of personal data, the legal basis for such processing is Art. 6(1)(a) of the GDPR. An exception shall apply in cases where it is not possible, for practical reasons, to obtain consent in advance but where the processing of data is authorized by statutory provisions. If processing of personal data is based on Art. 6 (1)(a) of the GDPR, which will be the case if data subjects have given their consent to the processing of personal data concerning them for one or more specific purposes or if processing is based on Art. 9(2)(a) of the GDPR, which governs express consent to the processing of specified categories of personal data, the data subject shall have the right, under Art. 7(3), sentence 1 of the GDPR, to withdraw his or her consent at any time.

In accordance with Art. 7(3), sentence 2 of the GDPR, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In accordance with Art. 7(3), sentence 4 of the GDPR, it shall be as easy to withdraw as to give consent. Hence, consent can always be withdrawn by the same method that was used to give consent or by any other means considered to be easier by the data subject. If a data subject wishes to withdraw consent that has been given to us, it shall suffice to send a simple email to our data protection officer. Alternatively, data subjects may use any other method to inform us of the fact that they are withdrawing their consent.
Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis for such processing is Art. 6 (1)(c) of the GDPR. In the case of statutory requirements, the legal basis shall include requirements issued by regulatory or other official bodies as well as other statutory reporting procedures (e.g. to the tax office, social insurance providers). Processing purposes include, where applicable, identity and age verification, fraud and money laundering prevention, the prevention, fighting and investigation of terrorist financing and criminal offenses giving rise to asset endangerment, checking European and international anti-terror lists, compliance with monitoring and reporting obligations specified under tax law as well as archiving data for the purposes of data protection and data security and for audits by tax and other authorities. It may also be necessary to disclose personal data in connection with official/court measures for the purposes of collecting evidence, conducting criminal prosecutions or enforcing civil claims.

Where processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis for such processing is Art. 6(1)( d) of the GDPR.

If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and these legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis for such processing is Art. 6(1) (f) of the GDPR. Possible purposes include: advertising or market and opinion research, provided that you have not objected to the use of your data; obtaining information from and exchanging data with credit agencies, where this goes beyond our economic risk; testing and optimizing requirements analysis procedures; the further development of services and products as well as existing systems and processes; the disclosure of personal data in connection with due diligence procedures associated with company sale negotiations; to enrich our data including; inter alia, through using or researching publicly accessible data; for statistical analyses or market analyses; for benchmarking; enforcement of legal claims and conducting defense in the case of legal disputes that cannot be directly attributed to the contractual relationship; storing data in restricted form if, owing to the specific means of storage, deletion is not possible or would be possible only by incurring unreasonably high costs; the development of scoring systems or automatic decision-making processes; building and plant security (e.g. by means of access controls and video surveillance), insofar as this exceeds general duties of care; internal and external investigations, security checks; possible listening in on or recording of telephone conversations for quality control and training purposes; obtaining and maintaining certifications of a private-law or official nature; ensuring and safeguarding our right to keep out trespassers by means of appropriate measures as well as through video surveillance to protect our customers and employees as well as to preserve evidence in the event of criminal offenses and to prevent the same.

If the processing of personal data is based on Art. 6(1) (f) of the GDPR, our legitimate interest consists of conducting our business activity to promote the well-being of all of our company stakeholders including, in particular, the shareholders and employees. In connection with provision of the website, the legitimate interest can include, in particular, a customer oriented presence of BUSE on the Internet including various contact options, as well as defending attacks against the website.

3. Erasure of data and duration of storage
In principle, the personal data relating to the data subject will be erased or made unavailable as soon as the purpose of storage lapses. Storage of data may also take place if this has been provided for by European or national legislators in EU Regulations, statutes or other regulations to which the controller is subject.
The legislator has enacted many retention obligations and periods. These include tax-law based retention obligations. Upon expiry of these periods, the corresponding data will be routinely erased:
• Compliance with retention obligations under commercial law and tax law: Particularly relevant laws include the Commercial Code (Handelsgesetzbuch, HGB), the Tax Code (Abgabenordnung, AO) and the Money Laundering Act (Geldwäschegesetz, GwG). The periods for retention and documentation specified therein range from two to ten years.
• Preservation of evidence in connection with statutory provisions on limitation periods: In accordance with sections 195 et seq. of the Civil Code (Bürgerliches Gesetzbuch, BGB) these limitation periods may last for up to 30 years, whereby the regular limitation period is 3 years.
Insofar as data are unaffected by such requirements they will be erased when the above-mentioned purposes cease to apply. If the data are no longer necessary in order to comply with contractual or statutory obligations, they will be routinely erased, unless their – time limited – .further processing is necessary to fulfill the above-mentioned purposes. In such cases, we are entitled to store and, where applicable, use your data, even after termination of our business relationship or our pre-contractual legal relationship, for a period that is compatible with the purposes.
Data will also be made unavailable or erased if a retention period stipulated in the specified rules expires, unless there is a need for continued storage of the data in order to conclude or perform a contract.

For specific retention periods or erasure deadlines relating to use of a contact form or for log files, see below:

4. The recipient or categories of recipients of personal data, if necessary for the performance of tasks
Your data will be passed only to the following external agencies:

  • Public bodies, if overriding legal provisions require this, and always in accordance with the legal confidentiality obligations;
  • e.g. to authorities, credit agencies, debt collection agencies, lawyers, courts, expert assessors, group companies, and supervisory boards and monitoring bodies etc., if there is a legitimate interest under Art. 6(1)(f) of the GDPR;
  • External agents, such as service providers/processors (Art. 28 of the GDPR), who are engaged to carry out normal business processing or to perform a contract, and are subject to the legal regulations in the case of cross-border engagements (e.g. external data centers, support/maintenance of computer/IT applications, archiving, document processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data validation and plausibility assessments, data destruction, purchasing/procurement, customer management, letter-shops, marketing, media technology, research, risk control, billing, telephony, website management, audit services, credit institutes, printing companies or data disposal companies, courier services, logistics);
  • Third parties, where consent has been given for a transfer to the specific third parties;

Your personal data will be processed by employees of BUSE as well as at any existing home-based offices. This relates to internal departments involved in the execution of the relevant business processes. Where necessary, BUSE also uses freelancers, interns and guest students.

Content relation to BUSE’s subsidiary companies and participations are integrated into its own website.

5. Recipients in a third country, appropriate or reasonable guarantees and the procedure for obtaining a copy of these, or where they are available.
In principle, your data will not be processed outside the EU or the EEA for the purposes of operating this website. The transmission of data to the USA is possible in connection with the deployment of cookies and the use of social media services. The relevant controllers within the meaning of data protection law, Google, twitter and Facebook, will also process your data in the USA and have agreed to be bound by the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.

We will not sell or otherwise market your personal data to third parties.

If data transmission is not based on the EU-US Privacy Shield:
According to Art. 46 (1) of the GDPR, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data-subject rights and effective legal remedies for data subjects are available. According to Art. 46 (2)(c) of the GDPR, the appropriate safeguards may be provided for, without requiring any specific authorization from a supervisory authority, by means of standard data protection clauses.

The EU standard data protection clauses must be agreed to by all recipients in third countries prior to the first transmission of personal data. This ensures that suitable guarantees, enforceable rights and effective legal remedies, as provided for in the EU standard data protection clauses, are available in respect of all personal data processing operations. Every affected party is entitled to receive a copy of the standard data protection clauses. The standard data protection clauses can also be found in the Official Journal of the European Union (OJ. 2010 / L 39, pp. 5-18).

Transmission of data to countries outside the EU is possible in connection with submission of the contact form. All inquiries submitted via the contact form will initially be sent to: info@buse-group.com. If your contact inquiry is directed to a location outside the EU (at present: Macedonia), your message, including the personal data contained within it, is transferred to the corresponding third country within the meaning of data protection law.

6. 6. Statutory or contractual regulations on the provision of personal data; Necessity for the conclusion of contracts; Data subject’s obligation to provide personal data; possible consequences of non-provision
We would like to point out that in some cases the provision of personal data is required by law (e.g. tax regulations, social security regulations) or may be a requirement under the terms of the contract (e.g. information on the contract partner).

In order to conclude a contract, it may sometimes be necessary for a data subject to provide us with personal data that we will then need to process. For example, the data subject is required to provide us with personal data if our company is concluding a contract with him/her. Not providing the personal data would therefore mean that the contract cannot be concluded with the data subject.

The data subject may contact the controller before providing personal data. The controller shall then clarify for the data subject, in relation to the individual case, whether provision of personal data is required by law or contract, or is necessary in order to conclude a contract, whether there is an obligation to provide personal data, and the consequences that would ensue in the event that the personal data is not provided.

7. 7. The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
As a responsible company, we do not use automatic decision-making processes or profiling. If, in the future, we engage in such processes in individual cases, we will inform you of this separately, insofar as this is required by law.

In some circumstances, we will process your data partly in order to evaluate certain personal aspects (profiling). We may use analysis tools in order to provide you with targeted product information and advice. This enables products to be designed according to requirements, as well as communication and advertising, including market and opinion research.

Such processes may also be employed in order to assess your financial standing and credit-worthiness, as well as to fight money laundering and fraud. “Score values” may be used in order to assess your financial standing and creditworthiness. Scoring uses mathematical methods to calculate the probability that a customer will meet its payment obligations in accordance with the contract terms. Hence, by way of example, such score values can help us to assess your creditworthiness and take decisions during the process of closing product sales, and are also used to support our risk management operations. The calculation is based on mathematical-statistical, recognized and proven methods and is performed using your data including, in particular, income, expenditures, existing liabilities, profession, employer, duration of employment, experience from the business relationship to date, repayment of previous credit in accordance with the contract terms, as well as information from credit ratings agencies.

We will not process data concerning nationality or special categories of personal data according to Art. 9 of the GDPR.

IV. Provision of the website and the creation of log files
1. Description and scope of data processing
For each request to our website, our system automatically collects data and information from the computer system of the requesting computer.
In this respect, the following data will be collected:

  • information about the browser type and the version used (e.g. Mozilla Firefox, Google Chrome or Microsoft Internet Explorer, Apple Safari, Opera etc.);
  • the user’s operating system;
  • the user’s internet service provider;
  • the user’s IP address;
  • the date and time of access (the “time stamp”);
  • websites that the user’s system accesses via our website;
  • the page from which the file was requested (known as the referrer URL);
  • the name of the file;
  • the transferred data volumes;
  • the access status (data transferred, data not found etc.);
  • username (if logged in to the website);
  • HTTP status code request;
  • HTTP status code reply;
  • the size of the reply in bytes.

The data will also be saved in our systems’ log files. This does not include the user’s IP address or other data that enables the data to be matched with a user. Such data will not be stored together with other personal data of the user. The data will not be passed to third parties for either commercial or non-commercial purposes.

2. Legal basis for the data processing
The legal basis for the temporary storage of data is Art. 6(1)(f) of the GDPR.

3. Purpose of data processing
It is necessary for the system to store the IP address temporarily to enable the website to be rendered on the user’s computer. In this respect, the user’s IP address must remain stored for the duration of the session.

For these purposes, our legitimate interest in the data processing is also based on Art. 6(1)(f) of the GDPR.

4. Duration of storage
The data will be deleted as soon as their retention is no longer necessary in order to achieve the purpose. Where data are collected in order to enable rendering of the website, this will be the case when the respective session is terminated. Where personal data are collected for the purposes of contractual relationship, or to take pre-contractual measures, the necessity shall end at the same time as the period necessary for the contractual relationship.

5. Options to object or request erasure
The collection of data for the purposes of providing the website and the storage of data in log files is absolutely essential for the purposes of operating the Internet site. Consequently, there is no possibility for the user to object to this.

V. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are small text files that are stored in your web browser, or placed on the user’s computer system by the web browser. When a user visits a website, a cookie can be stored on the user’s operating system. Data are stored in the cookie and kept in readiness for a subsequent visit. This cookie contains a distinctive character string that enables the browser to be definitively identified during a new visit to the website.

This website uses the following types of cookies, whose scope and functionality is set out below:

  • Transient cookies (see: a)
  • Persistent cookies (see: b).

a) Transient cookies are deleted automatically when you close the browser. These include session cookies in particular. These store a “session ID”, which is used to enable different requests from your browser to be assigned to the common session. This enables your computer to be recognized again if you return to our website. Session cookies are deleted when you log out or close your browser
b) Persistent cookies are deleted after a specified time, which can vary depending on the cookie. You can delete the cookies at any time via the security settings of your browser.
User data collected in this way will be pseudonymiszed by means of technical measures. Hence, it will no longer be possible for the data to be matched with the requesting user. The data will not be stored together with other personal data of the user.

You can prevent cookies from being saved by adjusting the settings on your browser application; however, please note that in this case you may be unable to use all of the functions on this website to their full extent.

2. Legal basis for the data processing
The legal basis for the processing of personal data through the use of cookies is Art. 6(1) (f) of the GDPR.

3. Purpose of data processing
The analysis cookies are used for the purposes of improving the quality of our website and its contents. The analysis cookies enable us to understand how the website is used and hence to continuously optimize our offering.
Use of Google Analytics: This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses “cookies”, i.e. text files that are saved on your computer and enable analysis of your use of the website. Information on your use of this website that is generated by the cookie is usually transferred to a Google server in the USA and saved there. If IP anonymization is activated on this website, your IP address will first be truncated by Google within a member state of the European Union or other contracting state parties to the Agreement on the European Economic Area. Only in exceptional cases will a full IP address be transmitted to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website to analyze your use of the website, compile reports on website activities and to provide additional services to the website operator in connection with use of the website and the Internet.
The IP address that your browser transmits in connection with Google Analytics will not be pooled with other Google data.

You can prevent cookies from being saved by adjusting the settings on your browser application; however, please note that in this case you may be unable to use all of the functions on this website to their full extent.
In addition, you can prevent Google from collecting and processing the data relating to your use of the website that has been generated by the cookie (including your IP address) by downloading and installing the browser plugin which is available via the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
This website uses Google Analytics with the extension “_anonymizeIp()”. In this way, truncated IP addresses can be subjected to further processing but a direct link to a particular individual is thus excluded.
The use of Google Analytics is carried out in compliance with the conditions communicated to Google by the German Data Protection Authorities. Information concerning the third-party provider:
Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions: http://www.google.com/analytics/terms/de.html,
Data protection summary: http://www.google.com/intl/de/analytics/learn/privacy.html,

And the privacy notice: http://www.google.de/intl/de/policies/privacy.

This website reserves the right to use Google Analytics also for cross-device analysis of the flow of visits made with a given user ID. You can deactivate cross-device analysis of your usage in your customer account under “My Data”, “Personal Data”.

For these purposes, our legitimate interest in the processing of personal data is also based on Art. 6(1)(f) of the GDPR. Our legitimate interest is based on optimization of our online offering and our web presence.

4. Duration of storage, options to object or request erasure
Cookies are stored on the user’s computer, which transmits these to our site. Hence, you, as the user, are in full control of the use of cookies. You can deactivate or limit the transmission of cookies by adjusting the settings in your web browser. Any cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible for all of the website’s functions to be used to their full extent.
For individual details on the duration of storage and on the option to object or request erasure of the cookies concerned: see items 1 and 3 above. Stimmt hier die Zuordnung aus dem Deutschen???

VI. Links to other websites
1. Links
The on-line offering contains links to other websites (so-called external links). We have no influence over whether the operates of other websites are complying with data protection regulations.
As a provider, BUSE is responsible for its own content in accordance with general legislation. A distinction is to be drawn between this internal content and, inter alia, “links” to other content made available by other providers. BUSE accepts no liability for external content that is made available for use via links and identified accordingly, nor does it adopt such content as its own. The provider of the website referred to shall be solely liable for illegal, erroneous or incomplete content, as well as for losses or damage resulting from use or non-use of the information. The editorial department shall be responsible for third-party information only if they are positively aware of it, including any unlawful or criminal content, and it is technically possible and reasonable to prevent its use.

2. Integration of Google Maps
We use the Google Maps service on this site. This enables us to display interactive maps to you directly on the website and facilitates your straight-forward use of the map functions.
By visiting the website, Google will be informed that you have invoked the relevant sub-page on the website. In addition, the data specified under section IV, item 1 of this declaration will be transmitted, irrespective of whether Google has provided a user account, to which you are logged in, or if there is no user account. If you are logged in to Google, your data will be matched directly to your account. If you do not wish Google to match the data to your profile, you will need to log-out before clicking on the button. Google will save your data as a user profile and use this for the purposes of advertising, market research and/or for designing its website in accordance with requirements. Such an assessment will be carried out, in particular (even for users who are not logged in) to provide appropriate advertising and to inform other users of the social network about your activities on our website. You have the right to object to the formation of this user profile; to exercise this right, you will need to contact Google.
Additional information on the purpose and scope of the data collection and processing by the plug-in provider can be found in the provider’s privacy notices. These also contain further information about your rights in this regard and the options to configure your settings in order to protect your privacy: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has agreed to be bound by the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

VII. Contact form and email contact
1. Description and scope of data processing
Our website contains a contact form which can be used for electronic communications with us. If a user avails him/herself of this option, the data entered into the input form will be transmitted to us and stored. These data consist of:

  • your name;
  • your email address and;
  • the message.

At the time of submitting the message, the following data will also be stored:

  • the date and time of submission,

No log files will be saved. Nor will your inquiries be stored in an special (oder eigene: internal???) inquiries database. Insofar as the web offering contains an option to enter additional personal or business data, the provision of such data by user is done on an expressly voluntary basis. Even in this case, your data will be handled confidentially and will not be passed to third parties. Nor will these data be linked to the above-mentioned access data.

Alternatively, it is also possible to contact us at the following email address: info@buse-group.com. In this case, the user’s personal data submitted with the email will be stored.

If you contact us by email or via a contact form, we will store the data you have provided in order to respond to your queries. We will delete the data we receive in this connection once their storage is no longer necessary or, if statutory retention obligations apply, restrict their processing. No data will be passed to third parties in connection with this. The data will be used solely for the purposes of processing the communications.

2. Legal basis for the data processing
The legal basis for processing the data transmitted in the course of sending an email is Art. 6(1)(f) of the GDPR. If the email is sent with a view to concluding a contract, or in connection with the performance of a contract, an additional legal basis for the processing is Art. 6(1)(b) of the GDPR.

3. Purpose of data processing
We will process personal data from the entry form for the sole purpose of responding to the received communication. If contact is made by email, there will also be a necessary legitimate interest in processing the data.
The other data that are processed during the submission process are used to prevent misuse of the contact form and to ensure the security of our technical information systems.

4. Duration of storage
The data will be deleted as soon as their collection is no longer necessary in order to achieve the purpose. With respect to personal data from the entry form’s input screen and data sent by email, this will be the case when the respective conversation with the user is terminated. The correspondence shall be regarded as terminated if the circumstances indicate that the issue concerned has been fully resolved.

5. Options to object or request erasure
If the user makes contact with us by email, he/she can object to the storage of his/her personal data. In such case, it will not be possible to continue with the correspondence.

An objection to the storage may be made by either email, post or fax.

In such case, all personal data that have been stored in connection with the received communication shall be erased.

VIII. Rights of the data subject
If your personal data are being processed, you are the data subject within the meaning of the GDPR and you have the following rights against the controller:

1. Right of access
You are entitled to request confirmation from the controller as to whether we are processing personal data concerning you.
If such processing is taking place, you are entitled to request the following information from the controller:
(1) the purposes for which the personal data are being processed;
(2) the categories of personal data that are being processed;
(3) the recipients, or categories of recipients, to whom the personal data concerning you have been, or will be, disclosed;
(4) the envisaged period for which the personal data concerning you will be stored or, if specific information on this cannot be provided, the criteria used to determine that period;
(5) the existence of a right to rectification or erasure of the personal data concerning you, or a right to restriction of processing by the controller or a right to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You shall have the right to be informed whether personal data concerning you are being transferred to a third country or an international organization. In this respect, you shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

2. Right to rectification
If processed personal data concerning you are incorrect or incomplete, you have the right to demand their rectification or completion by the controller. The controller must perform the rectification without undue delay.

3. Right to restriction of processing
You shall have the right to demand restriction of processing of the personal data concerning you where one of the following applies:

(1) if you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you opposes the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or;
(4) if you have objected to processing pursuant to Article 21(1) of the GDPR, pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

4. Right to erasure
a) Duty of erasure
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase such data without undue delay where one of the following grounds applies:

(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(4) the personal data concerning you have been unlawfully processed;
(5) the personal data concerning you have to be erased for compliance with a legal obligation under European Union or Member State law to which the controller is subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Provision of information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

Exceptions
The right to erasure shall not apply to the extent that the processing is necessary:

(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation that requires processing, under European Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR insofar as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.

5. Right to notification
If you have exercised your right to rectification or erasure of personal data or restriction of processing against the controller, it shall communicate such rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request the controller to inform you about these recipients.

6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(1) the processing is based on consent pursuant to point (a) of Art. 6(1) of the GDPR or point (a) of Art. 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
(2) the processing is carried out by automated means.

In exercising this right, you shall have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.
The exercise of the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.
The controller no longer process your personal data, unless we can demonstrate compelling legitimate reasons for such processing, which outweigh your interests, rights and freedoms, or if such processing assists in the enforcement, exercise or defense of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw a declaration of consent given in accordance with data protection law
You have the right to withdraw your declaration of consent given in accordance with data protection law at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy under Article 78 of the GDPR.

You can contact the competent supervisory authority for BUSE as follows:

Landesbeauftragte für den Datenschutz und die Informationsfreiheit (The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information)
Postfach 30 40
55020 Mainz
Telephone: +49 (0)6131 20824-49
Fax: +49 (0)6131 20824-97
poststelle@datenschutz.rlp.de

Return to top of page