The controller within the meaning of data protection law is Rechtsanwalt Fabian Huber, Schenkendorfstraße 55, 86167 Augsburg; email: fabian@ra-huber.net
1. Purpose and Legal Basis of Data Processing
We process your personal data in accordance with applicable legal provisions, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Processing is carried out for the following purposes:
· Responding to inquiries (Art. 6 (1)(b) GDPR)
· Establishing, performing, and terminating client relationships (Art. 6 (1)(b) GDPR)
· Compliance with legal obligations (Art. 6 (1)(c) GDPR)
2. Contact
When an individual (the data subject) contacts the attorney, any personal data transmitted is stored. This data is processed solely for the purpose of responding to the inquiry. The legal basis for processing is Art. 6 (1)(f) GDPR, or Art. 6 (1)(b) GDPR if the inquiry is related to the conclusion of a contract. The data will be deleted once the purpose of the processing no longer applies, e.g., when the inquiry has been fully answered. If the inquiry leads to a client relationship, the data will be deleted no later than after expiry of the statutory retention periods, typically six years after the end of the calendar year in which the mandate was concluded.
3. Data Subject Rights
The data subject has the following rights in regarding the processing of their personal data:
3.1 Right of Access (Art. 15 GDPR)
The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed. If this is the case, they are entitled to access this personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data processed;
c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly in third countries or international organizations;
d) where possible, the intended period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to rectification, erasure, or restriction of processing or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data is not collected from the data subject, any available information as to its source;
h) the existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR, and, at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.
If personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
3.2 Right to Rectification (Art. 16 GDPR)
The data subject has the right to request the immediate rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of a supplementary statement.
3.3 Right to Erasure (Art. 17 GDPR)
The data subject has the right to request the immediate deletion of personal data concerning them, and the controller is obliged to delete this data without undue delay where one of the following grounds applies:
a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) the data subject withdraws their consent on which the processing was based, and there is no other legal basis for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes;
d) the personal data has been unlawfully processed;
e) the personal data must be deleted for compliance with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data was collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
If the controller has made the personal data public and is obliged to erase it, they shall take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested the erasure of any links to, or copies or replications of, that data.
This right does not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the right is likely to render the achievement of the objectives of that processing impossible or seriously impair it;
e) for the establishment, exercise or defense of legal claims.
3.4 Right to Restriction of Processing (Art. 18 GDPR)
The data subject has the right to request the restriction of processing where:
a) the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify it;
b) the processing is unlawful and the data subject opposes the erasure and requests restriction instead;
c) the controller no longer needs the personal data for the purposes of processing, but the data subject requires it for the establishment, exercise or defense of legal claims;
d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such data shall, with the exception of storage, only be processed with the data subject’s consent or for legal claims or to protect another person’s rights or for reasons of important public interest.
The data subject shall be informed before the restriction is lifted.
3.5 Right to Data Portability (Art. 20 GDPR)
The data subject has the right to receive personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit that data to another controller without hindrance, where:
a) the processing is based on consent or a contract; and
b) the processing is carried out by automated means.
In exercising this right, the data subject may request that the data be transferred directly to another controller, where technically feasible.
This right does not apply where the processing is necessary for a task carried out in the public interest or in the exercise of official authority.
3.6 Right to Object (Art. 21 GDPR)
(1) The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them based on Art. 6 (1)(e) or (f) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
(2) Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to such processing, including profiling related to such marketing.
(3) If the data subject objects to processing for direct marketing, the personal data shall no longer be processed for such purposes.
(4) This right must be explicitly brought to the attention of the data subject no later than at the time of the first communication and must be presented clearly and separately from other information.
(5) In the context of information society services, the objection may also be exercised by automated means using technical specifications.
(6) The data subject also has the right to object, on grounds relating to their particular situation, to processing for scientific or historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
3.7 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes this Regulation.