Privacy notice for the website and games of Everbyte

Data protection

We take the protection of your personal data very seriously. We treat your personal data as confidential and in accordance with the statutory data protection regulations and this privacy notice. 

This privacy notice applies to our processing of personal data on our website (“Website”) and during use of our games (“Games”). It describes the type, purpose and scope of data processing in the context of the Website. 

Please note that the transmission of data over the internet always involves a security risk. It is not possible to fully protect data against access by third parties.

Controller

The “controller” is the natural person or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. 

The controller responsible for processing data to provide the Website and the Games is:

Everbyte GmbH
Schloßstraße 7
88069 Tettnang
Website: https://www.everbytestudio.com
Email: contact@everbytestudio.com

General information on data processing

Scope of the processing of personal data

As a general rule, we only collect and use the personal data of our users to the extent necessary to provide our Website, our content and our services (in particular Games). We regularly only collect and use the personal data of our users after they have given their consent to such processing. An exception applies in cases where it is not possible to obtain consent in advance for factual reasons and processing is permitted by legal regulations.

Legal basis for the processing of personal data

Where we obtain the data subject’s consent to the processing of personal data, the legal basis for the processing of personal data is Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR).

For the processing of personal data which is necessary to perform a contract to which the data subject is a party, the legal basis is Art. 6(1)(b) GDPR. This also applies to processing operations that are necessary to take steps prior to entering into a contract.

Where personal data must be processed to comply with a legal obligation to which our company is subject, the legal basis for processing is Art. 6(1)(c) GDPR.

In the event that vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6(1)(d) GDPR.

Where personal data must be processed to safeguard a legitimate interest of our company or a third party, and where the interests, fundamental rights and fundamental freedoms of the data subject do not override such legitimate interest, the legal basis for processing such data is Art. 6(1)(f) GDPR. 

Erasure of data and storage period

The personal data of data subjects is erased or blocked when the purpose for which it was stored no longer exists. The data may be stored beyond such time where the European or national legislator provided for this in Union law regulations, laws or other legal regulations to which the controller is subject. Data is also blocked or erased when a storage period required by the aforementioned legal norms expires unless we must continue to store the data for the execution or performance of a contract.

Provision of the Website and creation of logfiles

Every time our Website is accessed, our system automatically collects data and information from the system of the computer accessing our website. In this context, the following data is collected for a limited period of time:

User’s IP address
Date and time of access
Name of the file that was accessed and its URL
Status code of the access request
Size of the requested data in bytes
Referrer URL (website from which the access request originates)
Browser, operating system and interface of the visitor

The data is stored in the logfiles of our system. This data is only required for the analysis of any technical problems and will be erased within 14 days. The legal basis for the temporary storage of the data and the logfiles is Art. 6(1)(f) GDPR. The system must temporarily store the user’s IP address to enable the provision of the Website and the Games to the user’s devices. For this purpose, the user’s IP address must be stored for the duration of the session. Data is stored in logfiles to ensure the functionality of the Website and the Games. In addition, the data is used to optimise the Website and the Games and to ensure the security of our IT systems. In this context, data is not analysed for marketing purposes or used to identify a person. The aforementioned collection of data to provide the Website and the storage of data in logfiles are indispensable for the operation of the Website and the Games. Consequently users are not entitled to object to such collection or storage.

Contact us

You can contact us by using the contact form provided on our Website or by sending us an email or a letter. In this context, we only store the information provided by you in your inquiry, including the provided contact data, for the purpose of processing the inquiry and in the event of any follow-up questions. We do not disclose the data to third parties in this context. 

The legal basis for processing the data is Art. 6(1)(f) GDPR. Our interest in replying to your inquiry outweighs your interest. Given that you are writing to us, our replying to your inquiry is ultimately in your interest too, and you are aware that we need to process your data to reply to your inquiry. 

Where the purpose of contacting us by email is the execution of a contract, the legal basis for processing such data is Art. 6(1)(b) GDPR. 

The data will be erased when it is no longer needed for achieving the purpose for which it was collected. This applies when the relevant conversation with the user has been finished. The conversation shall be deemed finished when the circumstances show that the issue in question has been fully resolved.

Use of cookies

We use what is referred to as “session cookies” or “flash cookies” on our Website. Cookies are text files that are stored in or by the browser on the user’s computer. When users visit a website, a cookie may be stored on their operating system. This cookie contains a characteristic string of characters that enables a website to unambiguously identify the browser the next time it accesses the website. Some features provided by our Website cannot be offered without the use of cookies. They require that the browser can also be recognised after navigating to another page. The user data collected using technically necessary cookies is not used to determine the user’s identity or to create user profiles. The legal basis for processing personal data using technically necessary cookies is Art. 6(1)(f) GDPR. Due to the fact that they are technically necessary, users are not entitled to object to the processing.

Google services

We use Google Fonts on this Website, i.e. the Google fonts provided by the company Google Inc. The company responsible for all Google services provided in the European region is Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). When users visit our Website, the fonts are loaded afterwards using Google Fonts via a Google server. In the context of this external access, data such as the user’s IP address is sent to Google servers, including Google servers located in the USA. The legal basis for processing data in the context of the use of Google Fonts is our overriding legitimate interest in the appealing presentation and simple functionality of our Website in accordance with Art. 6(1)(f) GDPR. Google processes the data in the USA on the basis of EU standard contractual clauses and thereby offers sufficient safeguards as described in Art. 46 (1), (2)(c) GDPR. Further information regarding Google’s use of the data, as well as options for settings and objections, can be found on Google’s web pages available at: https://policies.google.com/technologies/partner-sites?hl=en.

Social media links

We maintain pages on social networks and platforms to communicate with customers, interested parties and users who are active on such networks and to be able to inform customers, interested parties and users about our services. 

Therefore our Website contains a link to the website of Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, for EU residents, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). We do not otherwise exchange data with Facebook through our website. 

Our website also refers to the website of Twitter, operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, or, for EU residents, by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland. 

Our Website also refers to the website of Instagram, operated by Instagram Inc., 1201 Willow Road, Menlo Park, CA, 94025, USA, or, for EU residents, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. 

When you access the aforementioned networks or platforms, the general terms and conditions and data processing policies of the companies operating such networks or platforms apply. Unless otherwise provided for in our privacy policy, we process data of users when they communicate with us via social networks or platforms, e.g. when they post something on our Facebook pages or send us messages.

Games

We process personal data when users use our Games. Aside from the processing operations relating to Games described above, in the following we will set out the additional features and services used in this context and will clarify the Games to which this applies specifically. 

Platform services and hosting

Our Games are made available for purchasing via the platforms provided by Google and the Google Play Store, as well as Apple and the Apple App Store. The data required for making the Games available is processed by the relevant platform operator as the controller under data protection law. The terms of use and privacy notice of the relevant platform operator apply.

The privacy notice of the Google Play Store is available at https://policies.google.com/privacy
The privacy notice of the Apple AppStore is available at https://support.apple.com/HT211970 

Payments

We offer users the opportunity to have payments for in-app purchases processed online by the payment service providers of the platforms. These service providers, as the relevant controller, process invoice data, such as card details, payment information, billing addresses, as well as other information required by law. We will never be able to view sensitive information, such as your full credit card or bank account number, held by any of the service providers, but merely receive the payment confirmation, with its allocation to the user (order ID), the country, the payment amount and the product, as well as the date of execution.

We have a legitimate interest in working with payment service providers and in redirecting you to them in the context of the payment process given that they facilitate payment processing for us and provide access to our services to a broader audience using such payment services and given that they also facilitate the payment process for you, as the user of such a payment service provider. The legal basis for redirecting users to such payment service providers is our legitimate interest in accordance with Art. 6(1)(f) GDPR.

The data processed by us for the purpose of confirming the payment will be erased when it is no longer needed for achieving the purpose for which it was collected. This applies when the verification of the relevant payment transaction has been completed and we were able to verify that the relevant payment transaction was authorised lawfully. The legal basis for such processing is Art. 6(1)(b) GDPR.

Where data we have a duty to retain or store based on tax law, commercial law or other regulations is generated in the context of payments, such data will only be erased upon the expiry of the relevant retention or storage periods specified by law (cf. III. no. 2). The legal basis for storing such data is Art. 6(1)(c) GDPR.

Processing carried out via Google Play: When you make a payment using Google Play, we disclose your payment data to Google Ireland Ltd. (hereinafter referred to as “Google”) in the context of payment processing. All data required for payment processing is transmitted securely using “SSL” technology. When you use Google for payments, you agree to Google’s terms of use. Further information on data protection can be found in Google’s privacy notice available at: https://policies.google.com/privacy.

Processing carried out via AppStore: When you make a payment using the Apple AppStore, we disclose your payment data to Apple Distribution International Ltd. (hereinafter referred to as “Apple”) in the context of payment processing. All data required for payment processing is transmitted securely using “SSL” technology. When you use Apple for payments, you agree to the terms of use of Sofortüberweisung. Further information on data protection can be found in Apple’s privacy notice available at: www.apple.com/de/privacy.

Given that payment service providers, as well as suppliers and providers of what is referred to as “gateways” for payment processing, have their own data protection provisions with respect to the data and information to be provided by us for the processing of payments, we recommend that users take note of the terms of the privacy notice of the relevant service provider or provider.

Sending of newsletters

Where you have opted to receive a newsletter, we process the following personal data:

Email address
Language
User’s IP address
Date and time of the registration for, and opening, of the newsletter

The legal basis for such processing is your consent in accordance with Art. 6(1)(a) GDPR. You can revoke this consent at any time. All newsletters sent contain a link for unsubscribing. In addition, you can revoke your consent by contacting us using one of the options provided under “Contact us”. The revocation does not affect the lawfulness of processing carried out prior to such revocation.

Your data will be processed for as long as we have the relevant consent and we offer the relevant newsletter unless there is a legal requirement to store data for an additional period. The data will not be transmitted to third countries.

Users’ support requests 

You can send support requests to support@everbytestudio.com. In this context we will only store the information provided by you in your support request, including the provided contact data, for the purpose of processing the support request and in the event of any follow-up questions. We do not disclose the data to third parties in this context. 

The legal basis for processing the data is Art. 6(1)(f) GDPR. Our interest in replying to your inquiry outweighs your interest. Given that you are writing to us, our replying to your inquiry is ultimately in your interest too, and you are aware that we need to process your data to reply to your inquiry. 

Where the purpose of contacting us by email is the execution of a contract, the legal basis for processing such data is Art. 6(1)(b) GDPR. 

The data will be erased when it is no longer needed for achieving the purpose for which it was collected. This applies when the relevant conversation with the user has been finished. The conversation shall be deemed finished when the circumstances show that the issue in question has been fully resolved.

Game analytics

For our Games

  • Duskwood
  • Moonvale
  • NOX
  • Dead City 
  • Sound of Magic
  • Sinister Edge

we use the Unity Analytics service provided by Unity Technologies ApS, Niels Hemmingsens Gade 24, 1 sal, DK-1153 Copenhagen, Denmark (“Unity”), to analyse game performance and player behaviour, to be able to display the player’s score in each new session, and to further develop the content and technology of our game. In this context, Unity processes the following categories of personal data:

A unique device identifier (e.g. IDFV for iOS devices and Android ID for Android devices); IP address; country of installation (as determined based on the IP address); device manufacturer and model; platform type (iOS, Android, Mac, Windows, etc.), as well as the operating system and version running on your system or device; language, CPU information such as model, number of available CPUs, frequency and support flags for command sets; graphics card type and manufacturer name; graphics card driver name and version (e.g. “nv4disp.dll 6.10.93.71”); graphics API used (e.g. “OpenGL 2.1” or “Direct3D 9.0c”); amount of system and video RAM available; current screen resolution; version of the Unity editor used to create the game; sensor flags (e.g. device support for gyroscope, contact pressure or accelerometer); application or bundle identification (“App ID”) of the installed game; unique advertising identifiers for iOS and Android devices (e.g. IDFA or Android Ad ID); the relevant checksum of all data sent in order to check if it was transmitted correctly, as well as events completed or actions performed in the game, including the level, number of credits, the time needed to earn them, meta data regarding communication in the game and the value and details of purchases.

The legal basis for processing is our overriding legitimate interest in the continuous further development of the content and technology of our Games (Art. 6(1)(f) GDPR). In addition, it is in the interest of each user to always have the current score or to be able to restore it. You can object to the processing of the personal data at any time by choosing the appropriate settings in the relevant game (see settings/menu) or by choosing the appropriate settings on your mobile end device.

For providing its services, Unity uses servers located in the EU and in non-EU countries, in particular in the USA. In such third countries, Unity processes this data on the basis of appropriate safeguards, as described in Art. 46 GDPR (referred to as “EU Standard Contractual Clauses”, a copy of which can be requested by sending an email to DPO@unity3d.com).

Further information on the processing of personal data by Unity can be found in Unity’s privacy notice available at: https://unity.com/legal/game-player-and-app-user-privacy-policy

Advertising

Unity

For our Games

  • Duskwood
  • Moonvale
  • NOX
  • Dead City
  • Sinister Edge

we use the Unity Ads service provided by Unity Technologies ApS, Niels Hemmingsens Gade 24, 1 sal, DK-1153 Copenhagen, Denmark (“Unity”), to display advertising reflecting users’ interests. In this context, Unity processes the following categories of personal data:

A unique device identifier (e.g. IDFV for iOS devices and Android ID for Android devices); IP address; country of installation (as determined based on the IP address); device manufacturer and model; platform type (iOS, Android, Mac, Windows, etc.), as well as the operating system and version running on your system or device; language, CPU information such as model, number of available CPUs, frequency and support flags for command sets; graphics card type and manufacturer name; graphics card driver name and version (e. g. “nv4disp.dll 6.10.93.71”); graphics API used (e.g. “OpenGL 2.1” or “Direct3D 9.0c”); amount of system and video RAM available; current screen resolution; version of the Unity editor used to create the game; sensor flags (e.g. device support for gyroscope, contact pressure or accelerometer); application or bundle identification (“App ID”) of the installed game; unique advertising identifiers for iOS and Android devices (e.g. IDFA or Android Ad ID); the relevant checksum of all data sent in order to check if it was transmitted correctly.

In addition, Unity processes information regarding the delivery of advertising and the user’s interaction with such advertising all of which can be disclosed to advertising publishers and suppliers. For purposes of clarification: Unity collects the following data: whether you click on or tap an ad for a new game, whether you see the ad or frequently play a game, whether other persons who are playing a game that is similar to the one you are playing have downloaded a particular new game, and whether you download and install the new game for which you are seeing advertising. In addition, Unity Ads may also collect your session information and monetisation events. All of this is meant to predict the types of new Games you might want to download.

The legal basis for processing is the user’s consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time by choosing the appropriate settings in the advertisement or on your mobile end device. The revocation of your consent does not affect any data processing operations carried out prior to the revocation of your consent.

 

For providing its services, Unity uses servers located in the EU and in non-EU countries, in particular in the USA. In such third countries, Unity processes this data on the basis of appropriate safeguards, as described in Art. 46 GDPR (referred to as “EU Standard Contractual Clauses”, a copy of which can be requested by sending an email to DPO@unity3d.com).

Further information on the processing of personal data by Unity can be found in Unity’s privacy notice available at: https://unity.com/legal/game-player-and-app-user-privacy-policy

Tapjoy

For our Games

  • Duskwood
  • Moonvale

we use the Tapjoy service provided by Tapjoy Inc., 353 Sacramento St 6th Floor, San Francisco, CA 94111, USA (“Tapjoy”) to display advertising reflecting users’ interests. In this context, Unity processes the following categories of personal data:

Device identifiers (a device identifier is a unique sequence of numbers and letters allocated to your smartphone or tablet by the manufacturer or platform provider), e.g. 

  • An advertising identifier which is a resettable identifier for advertising purposes, e.g. the Google Android Advertising ID (GAAID) for Android devices and the ID for Advertisers (IDFA) for iOS devices
  • Other identifiers, such as the Google Android ID or the MAC address, which can be used as a substitute identifier or for analyses
  • Our user ID 

Information on the device itself, including:

  • Device type (smartphone, tablet and similar devices)
  • Operating system and version
  • Device settings with respect to advertising 
  • Model and manufacturer (example: Apple iPhone X, Samsung Galaxy S8)
  • Screen size, screen density and other information that is relevant to the formatting and display of advertisements

Information on the internet connection used to access our services, including

  • Mobile provider
  • Network provider
  • Network type (WiFi or mobile network) 
  • IP address
  • Time stamp and duration

Information regarding the app used to access our services and regarding your use of the app, as well as regarding our SDK, including 

  • App version and SDK version
  • API key (identifier for the application) 
  • Duration of the app use, information regarding the game level and your in-app purchases 
  • Where agency services are used: to connect to advertising networks, parameters relating to agency services may be sent or their collection may be facilitated 
  • Indications regarding suitability for behavioural advertising

Geolocalisation data based on the perceived general location of the device based on:

  • The IP address used to access our services
  • Device settings specific to the location, e.g. the country code of the device, the language setting and the time zone

Information with respect to campaign content viewed, e.g. : 

  • What the campaign content is about
  • What kind of campaign content it is (example: video)
  • The reward offered for your engaging with the campaign content
  • What kind of placement it is (i.e. where and how the campaign content is displayed in the mobile app you used to access it)
  • Whether you reacted to the request for action presented in the campaign content (e.g. did you click on it to get to the advertiser’s website?) or whether you comply with the requirements (examples: watch a 30-second video; make a purchase)

Market research information – responses to market research surveys accessed via our platform are voluntary and are given in accordance with the opt-in principle. The responses you voluntarily provide may include the following:

  • Demographic information (e.g. age, household income, gender, highest completed level of education, household composition)
  • General location (e.g. postal code or city and state)
  • Other information voluntarily provided by you, e.g. product preferences and opinions on products, employment status, marital status, veteran status, health information, race or ethnic origin, political views, membership information, sexual orientation, religious beliefs – always subject to the applicable laws.

The legal basis for processing is the user’s consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time by choosing the appropriate settings in the advertisement or on your mobile end device. The revocation of your consent does not affect any data processing operations carried out prior to the revocation of your consent.

For providing its services, Tapjoy uses servers located in non-EU countries, in particular in the USA. In such third countries, Tapjoy processes this data on the basis of appropriate safeguards, as described in Art. 46 GDPR (referred to as “EU Standard Contractual Clauses”).

Further information on the processing of personal data by Tapjoy can be found in Tapjoy’s privacy notice available at: https://www.tapjoy.com/legal/general/privacy-policy/ 

External links

Our Games may contain links to external websites or services provided by third parties. We have no control over the content, data protection or security standards of such websites or services. Please review the websites or services of such providers with respect to the privacy notices provided there.

The linked pages were reviewed with respect to potential legal violations at the time when the link was created. We did not notice any apparent unlawful content at that time. If we become aware of any infringements, we will promptly remove the relevant link.

These external links are only provided for entertainment purposes and visiting such websites is not required to complete the game.

Rights

Where we process personal data concerning you, you are a “data subject”, as defined in the GDPR, and you are entitled to the following rights vis-à-vis the controller:

Right of access

You may ask the controller to confirm whether we are processing personal data concerning you. 

Where such processing is occurring, you may ask the controller to provide information on the following:

(1) The purposes for which the personal data is being processed;
(2) The categories of personal data being processed;
(3) The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
(4) The intended period for which the personal data concerning you will be stored, or, if is not possible to provide specific information on this, the criteria used to determine the storage period;
(5) The existence of the right to rectify or erase the personal data concerning you, the right to restrict its processing by the controller or the right to object to such processing;
(6) The existence of the right to lodge a complaint with a supervisory authority;
(7) All available information relating to the origin of the data where the personal data is not collected from the data subject directly;
(8) The existence of automated decision making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved, as well as the significance and the intended consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transmitted to a third country or an international organisation. In this context you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR relating to the transmission.

Right to rectification 

You have the right to request that the controller rectify and/or complete personal data concerning you being processed where such data is inaccurate or incomplete. The controller must rectify such data without undue delay.

Right to restriction of processing

Where one of the following applies, you have the right to request that the controller restrict the processing of the personal data concerning you:

(1) Where you contest the accuracy of the personal data concerning you during a period that allows the controller to verify the accuracy of the personal data;
(2) Where the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of its use;
(3) Where the controller no longer needs the personal data for the purposes of the processing, but you need it to assert, exercise or defend legal claims; or
(4) Where you have objected to the processing in accordance with Art. 21(1) GDPR and it has not yet been decided whether the legitimate grounds of the controller override yours.

Where the processing of the personal data concerning you has been restricted, such data (aside from its storage) may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of other natural persons or legal entities or for reasons of important public interest of the Union or of a Member State.

Where the processing was restricted under the conditions set out above, the controller will notify you before the restriction is lifted.

Right to erasure

  • Duty to erase data

You may request that the controller erase the personal data concerning you without undue delay, and the controller has a duty to erase such data where one of the following reasons applies:

(a) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(b) You revoke your consent on which the processing was based in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for processing the data.
(c) You object to the processing in accordance with Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Art. 21(2) GDPR.
(d) The personal data concerning you was processed unlawfully.
(e) The erasure of the personal data concerning you is required to comply with a legal obligation under Union law or the law of Member States to which the controller is subject.
(f) The personal data concerning you was collected in the context of the offer of information society services, as referred to in Art. 8(1) GDPR.

  • Information provided to third parties

Where the controller has published the personal data concerning you and where it has a duty to erase such data in accordance with Art. 17(1) GDPR, it shall take appropriate measures, including technical measures, considering the available technology and the cost of implementation, to inform controllers processing such personal data that you, as the data subject, have requested that they erase all links to such personal data or copies or replications of such personal data. 

  • Exceptions

The right to erasure does not exist where the processing is necessary:

(a) To exercise the right of freedom of expression and information;
(b) To comply with a legal obligation which requires processing of the relevant data under the law of the Union or of Member States to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) For reasons in the public interest in the area of public health in accordance with Art. 9(2) (h) and (i), as well as Art. 9(3) GDPR;
(d) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR to the extent the right referred to in subsection (a) is likely to render impossible or seriously impair the achievement of the objectives of this processing; or
(e) For the assertion, exercise or defence or legal claims.

Right of information

Where you have asserted the right of rectification, erasure or restriction of processing vis-à-vis the controller, the controller has a duty to notify all recipients to whom the personal data concerning you was disclosed of such rectification or erasure of the data or the restriction of processing unless this turns out to be impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the controller.

Right to data portability

You have the right to receive the personal data concerning you which you provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit such data to another controller without hindrance from the controller to which the personal data was provided as long as:

(1) The processing is based on a consent in accordance with Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract in accordance with Art. 6(1)(b) GDPR; and
(2) The processing is carried out using automated means.

In the exercise of this right you also have the right to procure that the personal data concerning you be directly transmitted from one controller to another controller where this is technically feasible. This must not adversely affect the freedoms and rights of other individuals.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

You have the right to object, on grounds relating to your personal situation, at any time to processing of the personal data concerning you which is carried out on the basis of Art. 6(1) (e) or (f) GDPR; this also applies to any profiling based on these provisions. 

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms or the data is processed for the assertion, exercise or defence of legal claims.

Where the personal data concerning you is processed for direct marketing purposes, you have the right to object to the processing of the personal data concerning you for the purpose of such marketing at any time; this also applies to any profiling related to such direct marketing.

Where you object to the processing for purposes of direct marketing, the personal data concerning you will no longer be processed for such purposes.

 

In the context of the use of information society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Right to revoke the consent required under data protection law

You have the right to revoke your consent required under data protection law at any time. The revocation does not affect the lawfulness of the processing carried out based on the consent prior to such revocation.

Automated individual decision-making, including profiling

You have the right not to be subjected to a decision that is solely based on automated processing, including profiling, which has legal consequences for you or significantly adversely affects you in a similar way.

This does not apply where the decision: 

(1) Is necessary for the execution or performance of a contract between you and the controller;
(2) Is permissible based on legal regulations of the Union or Member States to which the controller is subject and such legal regulations contain appropriate measures to safeguard your rights and freedoms, as well as your legitimate interests; or
(3) Is made with your express consent.

Nevertheless, such decisions must not be based on special categories of personal data, as described in Art. 9(1) GDPR, unless Art. 9(2) (a) or (g) apply and appropriate measures to safeguard the rights and freedoms, as well as your legitimate interests, are in place.

With respect to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard the rights and freedoms, as well as your legitimate interests, which, as a minimum, shall include the right to procure the intervention of a natural person on the part of the controller, the data subject’s right to present his/her own point of view and the right to contest the decision.

Right to lodge a complaint with a supervisory authority

Notwithstanding any other remedy under administrative law or the right to apply to the courts, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged violation, if you believe that the personal data concerning you is processed in violation of the GDPR. 

The supervisory authority to which the complaint was submitted will notify the complainant of the status and the outcome of the complaint, including the option to apply to the courts pursuant to Art. 78 GDPR.

February 2024