Your data is in safe hands
Data protection is a matter of trust and your trust is important to us. To ensure that you feel safe when visiting our website, we strictly observe the legal provisions when processing your personal data and would like to inform you here about how we collect and use your data. The following data protection declaration explains which of your data is collected on our websites and which of these data we process and use in which way and to whom you can turn with concerns.
I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:
TOWA GmbH
Brosswaldengasse 12
6900 Bregenz, Austria
Phone: +43 5574 22558
Email: office@towa.at
Website: www.towa-digital.com
Data protection inquiries: datenschutz@towa.at
II. Address of the data protection officer
DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
+49 89 7400 45840
III. General information on data processing
1. scope of the processing of personal data
We process personal data of our users only to the extent necessary to provide a functional website and to provide our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
2. legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for processing.
3. data deletion and storage duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage beyond this period is possible if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the accessing computer system.
The following data is collected:
Information about the browser type and version used
The user's operating system
The user's internet service provider
The user's IP address
Date and time of access
Websites from which the user's system accesses our website
Websites that are accessed by the user's system via our website
The data is also stored in our system's log files. This data is not stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
3. Purpose of data processing
The system needs to store the IP address temporarily to enable the website to be delivered to the user's computer. To do this, the user's IP address must be stored for the duration of the session.
The data is stored in log files to ensure the functionality of the website. We also use the data to optimize the website and to ensure the security of our information technology systems. The data is not analyzed for marketing purposes in this context.
These purposes also include our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after seven days at the latest. It is possible that the data will be stored for a longer period. In this case, the IP addresses of the users are deleted or anonymized so that it is no longer possible to identify the accessing client.
5. Right to object and to erasure
The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no right to object on the part of the user.
V. Use of cookies
a) Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.
We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.
The following data is stored and transmitted in the cookies:
Language settings
Log-in information
We also use cookies on our website that enable an analysis of the surfing behavior of users.
In this way, the following data can be transmitted:
Search terms entered
Frequency of page views
Use of website functions
The user data collected in this way is pseudonymized by technical precautions. Therefore, it is no longer possible to assign the data to the accessing user. The data is not stored together with other personal data of the user.
When accessing our website, users are informed by an information banner about the use of cookies for analysis purposes and referred to this data protection declaration. In this context, there is also a note on how the storage of cookies can be prevented in the browser settings.
When accessing our website, the user is informed about the use of cookies for analysis purposes and his consent to the processing of personal data used in this context is obtained. In this context, there is also a reference to this data protection declaration.
b) Legal basis for data processing
The legal basis for the processing of personal data using technically necessary cookies is Article 6 (1) (f) of the GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes is Article 6 (1) (a) of the GDPR if the user has given his consent.
c) Purpose of data processing
The purpose of using technically necessary cookies is to make it easier for users to use websites. Some of our website's functions cannot be offered without the use of cookies. For these functions, it is necessary that the browser be recognized even after a page change.
We need cookies for the following applications:
Adopting language settings
Remembering search terms
The user data collected by technically necessary cookies are not used to create user profiles.
We use analysis cookies to improve the quality of our website and its content. Analysis cookies show us how the website is used, enabling us to constantly optimize our services.
These purposes also constitute our legitimate interest in the processing of personal data in accordance with Art. 6 (1) (f) GDPR.
d) Duration of storage, right to object and opt out
Cookies are stored on the user's computer and transmitted by it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it is possible that not all of the website's functions can be used to their full extent.
The transmission of Flash cookies cannot be prevented by the browser settings, but by changing the Flash Player settings.
VI. Newsletter
1. Description and scope of data processing
On our website, you have the option to subscribe to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us.
In addition, the following data is collected during registration:
IP address of the accessing computer
Date and time of registration
During the registration process, your consent to the processing of the data is obtained and reference is made to this data protection declaration.
If you purchase goods or services on our website and provide your e-mail address in the process, we may subsequently use this to send you a newsletter. In such a case, the newsletter will only be used to send direct advertising for our own similar goods or services.
No data is passed on to third parties in connection with data processing for sending newsletters. The data is used exclusively for sending the newsletter.
The newsletter service MailChimp is used to send the newsletter. This tool only provides us with the email address that you type into the dialog box, but we do not collect any other personal data. If you no longer wish to receive the newsletter, you can unsubscribe via the “Unsubscribe” link in the newsletter. The data will be used exclusively for sending the newsletter.
2. Legal basis for data processing
The legal basis for the processing of data after the user has registered for the newsletter is the consent of the user in accordance with Article 6 (1) (a) of the GDPR.
The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 (3) of the German Unfair Competition Act (UWG).
3. Purpose of data processing
The user's email address is collected for the purpose of delivering the newsletter.
The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.
4. Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. Accordingly, the user's email address will be stored for as long as the newsletter subscription is active.
The other personal data collected during the registration process are usually deleted after a period of seven days.
5. Objection and removal option
The subscription to the newsletter can be terminated by the user at any time. For this purpose, there is a corresponding link in each newsletter.
This also allows a revocation of the consent to the storage of personal data collected during the registration process.
VII. Contact form and e-mail contact
1. Description and scope of data processing
Our website includes a contact form that can be used to contact us electronically. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored.
These data are:
Your name
Your company
Your e-mail address
Your company
At the time of sending the message, the following data are also stored:
The user's IP address
Date and time of registration
Your consent to the processing of the data is obtained as part of the sending process and reference is made to this data protection declaration.
Alternatively, it is possible to contact us via the email address provided. In this case, the user's personal data transmitted by email will be stored.
The data will not be passed on to third parties in this context. The data will be used exclusively for the purpose of processing the conversation.
2. Legal basis for data processing
The legal basis for the processing of the data is the consent of the user in accordance with Article 6 (1) (a) of the GDPR.
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) point f GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) point b GDPR.
3. Purpose of the data processing
We process the personal data from the input mask solely for the purpose of establishing contact. If contact is established by email, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. For the personal data from the input mask of the contact form and the data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
5. Right to object and right to erasure
The user has the right to withdraw their consent to the processing of personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.
The following is a description of how to withdraw consent and object to storage.
All personal data stored in the course of establishing contact will be deleted in this case.
VIII. Web analysis
1. Scope of personal data processing
We use the web analysis service Matomo from InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, on our website. This is an open-source software that we use to analyze your use of our website. Matomo is only activated on the basis of your prior active consent through your interaction with the cookie banner on our website.
The following data is collected by Matomo: your IP address, date and time of your visit, usage data, usage behavior, technical information about your browser and device information, downloads, referrer URL (via which website/advertising medium you came to this website) and location information. The software runs exclusively on the servers of our Austrian data center. The personal data of users is only stored there. The data will not be passed on to third parties. It is not possible to draw any conclusions about a specific person, as your IP address is anonymized immediately after processing and before storage.
This website uses Matomo with the extension “AnonymizeIP”. This means that IP addresses are further processed in a shortened form, thus excluding the possibility of direct personal reference. The IP address transmitted by your browser using Matomo is not merged with other data collected by us.
You can object to the processing of your data by rejecting tracking by Matomo in the cookie preferences. You can find out more about the data processed by using Matomo in the privacy policy at https://matomo.org/privacy-policy/.
2. Legal basis for the processing of personal data
The legal basis for the processing of users' personal data is Art. 6 para. 1 lit. f GDPR.
3. Purpose of data processing
Processing users' personal data enables us to analyze our users' surfing behavior. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing the data in accordance with Article 6(1)(f) of the GDPR. The anonymization of the IP address sufficiently takes into account the interest of users in the protection of their personal data.
4. Duration of storage
The data is deleted as soon as it is no longer needed for our recording purposes. In our case, this is after 26 months.
5. Objection and removal options
Cookies are stored on the user's computer and transmitted by it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it is possible that not all of the website's functions can be used to their full extent.
We offer our users the option of opting out of the analysis process on our website. To do this, you must follow the corresponding link. This sets another cookie on your system that signals our system not to store the user's data. If the user deletes the corresponding cookie from their own system in the meantime, they must set the opt-out cookie again.
IX. Retargeting and data collection by third parties
In the context of retargeting and banner advertising, we use the services of third parties who set cookies on our site. These are the following providers:
Doubleclick by Google, Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;
Linkedin Inc., 222 Scond Street San Francisco, CA 94105, USA;
Salesforce Inc., Suite 300 San Francisco, CA 94105;
Pinterest Inc., 808 Brannan St San Francisco, CA 94103-4904;
1. Leadfeeder
Our website uses the Leadfeeder service, which is operated by Liidio Oy / Leadfeeder, Mikonkatu 17 C, 00100 Helsinki, Finland. Leadfeeder accesses the list of website visitor IP addresses provided by Google Analytics for analysis and links the list of IP addresses with information about the companies that can be found online at these IP addresses. Due to the fact that the IP addresses of website visitors are already shortened when using Google Analytics, a direct personal reference is not established. A personal reference can arise on suspicion when reviewing the linked company information. For more information about Leadfeeder and the data collected, please refer to: , information about Leadfeeder and compliance with the General Data Protection Regulation: help.leadfeeder.com/faqs-and-troubleshooting/is-leadfeeder-ready-for-gdpr
2. Google Ads Remarketing
We use Ads Dynamic Remarketing on our website, a web analytics service provided by Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin 4, Ireland (“Google”). Ads Dynamic Remarketing uses cookies to analyze your use of our website and subsequently display personalized advertising to you. Google Remarketing is only activated on the basis of your prior active consent through your interaction with the cookie banner on our website.
The following data is collected by Ads Dynamic Remarketing when you visit our website:
Information about your browser and device, unique device ID,
web queries, the pages you visit, phone number, usage data, date and time of
your visit to our website and your IP address. The recipients of the data are Google Ireland Limited, Google LLC, Alphabet Inc.
The collected data will be deleted after one year.
Below you will find the e-mail address of the data protection officer of the processing company:
Click here to read the data protection regulations of the data processor:
Click here to read the data processor's cookie policy:
Click here to revoke consent on all domains of the data processor:
The information collected by cookies about your use of this website may be transmitted to a Google server in a country outside the European Union that does not provide an adequate level of data protection (e.g. the United States) and stored or processed there. The European Commission has not issued an adequacy decision under data protection law for the United States and a number of other countries outside the European Union/European Economic Area. There is therefore a risk for users that state agencies may access and process personal data for control and monitoring purposes without us and/or the users being informed or being entitled to legal remedies.
3. LinkedIn
We use “LinkedIn Advertising” from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland for our website to show personalized ads to people who visit our website while they are logged into LinkedIn. LinkedIn is only activated on the basis of your prior active consent through your interaction with the cookie banner on our website. LinkedIn uses cookies to record your use of our website and to subsequently position better advertisements. If you are registered with the corresponding social network platform, it can assign your visit to our website to your user account.
For this purpose, your anonymized IP address and the user agent data are collected.
The collected data will be deleted after 180 days.
The LinkedIn privacy policy can be found at www.linkedin.com/legal/privacy-policy and .
Click here to revoke on all domains of the processing company
https://www.linkedin.com/help/linkedin/answer/62931/manage-advertising-preferences?lang=en
Click here to view the data processor's cookie policy:
https://www.linkedin.com/legal/cookie_policy
The information collected by means of cookies about your use of this website may be transferred to a LinkedIn server in a country outside the European Union that does not offer an adequate level of data protection (e.g. the United States) and stored or processed there. The European Commission has not issued an adequacy decision under data protection law for the United States and a number of other countries outside the European Union/European Economic Area. There is therefore a risk for users that state agencies may access and process personal data for control and monitoring purposes without us and/or the users being informed or having any legal recourse.
4. Facebook
We use the “Facebook” service for our website. This is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin, Ireland. Through Facebook, we can send advertisements to its members via the Facebook social network. Facebook uses various parameters to determine which users might be interested in an advertisement for our products. Facebook uses cookies to analyze your use of our website. Facebook is only activated on the basis of your prior active consent through corresponding interaction with the cookie banner on our website.
The following data is collected by Facebook when you visit our website: the advertisements and content you view, information about your browser, information about the device you are using, geographical location, interactions with advertisements, services and products, marketing information, non-confidential user-defined data, pixel ID, referrer URL, usage data, user behavior, Facebook user ID. The collected data will be deleted as soon as it is no longer needed for the stated processing purposes. The maximum storage period is one year.
You can find Facebook's privacy policy at the following link:
https://www.facebook.com/privacy/explanation
The information collected by cookies about your use of this website may be transferred to a Facebook server in a country outside the European Union that does not provide an adequate level of data protection (e.g. the United States) and stored or processed there. The European Commission has not issued an adequacy decision under data protection law for the USA and a number of other countries outside the European Union/European Economic Area. There is therefore a risk for users that state agencies may access and process personal data for control and monitoring purposes without us and/or the users being informed or being entitled to legal remedies.
5. Salesviewer
Use of SalesViewer® technology:This website uses SalesViewer® technology from SalesViewer® GmbH on the basis of the website operator’s legitimate interests (Section 6 paragraph 1 lit.f GDPR) in order to collect and save data on marketing, market research and optimisation purposes.In order to do this, a javascript based code, which serves to capture company-related data and according website usage. The data captured using this technology are encrypted in a non-retrievable one-way function (so-called hashing). The data is immediately pseudonymised and is not used to identify website visitors personallyThe data stored by SalesViewer® will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.The data recording and storage can be repealed at any time with immediate effect for the future, by clicking on Opt out in order to prevent SalesViewer® from recording your data. In this case, an opt-out cookie for this website is saved on your device. If you delete the cookies in the browser, you will need to click on this link again.
X. Rights of the data subject
The following list includes all the rights of data subjects under the GDPR. Rights that are not relevant for your own website do not have to be mentioned. In this respect, the list can be shortened.
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the controller:
1. right of access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you is being processed by us. Where that is the case, you have the right to request access to the following information from the controller:
the purposes of the processing;
the categories of personal data being processed;
the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the duration of storage;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether your personal data is transferred to a third country or to an international organization. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
2. Right to rectification
You have the right to obtain from the controller the rectification and/or completion of inaccurate or incomplete personal data concerning you. The controller must carry out the rectification without undue delay.
3. Right to restriction of processing
You have the right to request that the processing of your personal data be restricted under the following conditions:
if you dispute the accuracy of your personal data for a period of time that enables the data controller to verify the accuracy of your personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing in accordance with the above conditions, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
You withdraw your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
You object to the processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Article 21(2) of the GDPR.
The personal data concerning you has been processed unlawfully.
The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union or national law to which the controller is subject.
The personal data concerning you has been collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.
b) Information to third parties
If the controller has made the personal data concerning you public and is obliged to delete it in accordance with Art. 17 Para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you, as the data subject, have requested the deletion of all links to this personal data or of copies or replications of this personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defense of legal claims.
5. Right to notification
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to request the data controller to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the data controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where
the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR and
the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of other persons must not be adversely affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the option, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.
8. Right to revoke the data protection declaration of consent
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
9. automated decision in an individual case including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
is necessary for entering into, or performance of, a contract between you and the data controller,
is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
is based on your explicit consent.
However, these decisions must not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a data protection authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.