If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the data controller. You can assert your rights by email to This email address is being protected from spambots. You need JavaScript enabled to view it. or by post to the address given under the I.
- Information Right
You can request confirmation from Heinrich & Coll. as to whether personal data concerning you is being processed by us. If such processing is available, you can request the following information from Heinrich & Coll.:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients and/or the categories of recipients to whom the personal data have been or will be disclosed the categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the envisaged duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to correct or delete the personal data regarding you, a right to have the processing restricted by the controller or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) any available information on the origin of the data if the personal data are not collected from the data subject;
(8) the existence of automated decision-making including profiling according to the section 22 paragraph1 and 4 of the GDPR and – at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing regarding the data subject.
You have the right to be informed as to whether your personal data will be transmitted to a third country or an international organisation. In this regard, you can request to be informed about the appropriate guarantees in accordance with the section 46 of the GDPR in connection with the transmission.
- Right to Rectification
You have the right to rectification and/or completion by the data controller if the personal data processed concerning you is either incorrect or incomplete. The data controller is required to make the correction immediately.
- Right to Restriction of Processing
You may ask for the processing of your personal data to be restricted under the following conditions:
(1) You contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you object to the deletion of the personal data and request instead the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of the processing but you need them for the establishment, exercise or defence of legal claims; or
(4) you object to the processing according to the section 21 paragraph1 of the GDPR and it is not yet clear whether the data controller's legitimate reasons for processing your data outweigh your interests.
If the processing of personal data concerning you has been restricted, then – apart from its storage – this data may only be processed with your consent or for the purposes of asserting, exercising or defending legal claims or protecting the rights of another natural or a legal person, or for reasons of an important public interest of the Union or a Member State.
If the processing restriction has been done in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.
- Right to Deletion
You have the right to demand that the data controller deletes your personal data immediately, and the data controller must do so without any delay if any of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent, upon which the processing was based in accordance with the section 6 paragraph1 lit.a or the section 9 paragraph2 lit. a of the GDPR and there's no other legal basis for the processing.
(3) You object to its processing in accordance with the section 21 paragraph1 of the GDPR, and there are no overriding legitimate reasons for its continued processing, or you submit an objection to its processing in accordance with the section 21 paragraph2 of the GDPR.
(4) The personal data concerning you have been processed unlawfully.
(5) Your personal data must be deleted in order to comply with a legal obligation under Union or Member State law to which the data controller is subject.
6) The personal data concerning you have been processed in relation to information society services offered in accordance with the section 8 paragraph1 of the GDPR.
If the data controller has made your personal data public and is required to delete it in accordance with the section 17 paragraph1 of the GDPR, it shall take reasonable steps, including technical measures, to inform data controllers processing the personal data that you, as the data subject, have requested the deletion of all links to, or copies or replications of, those personal data, by taking into account the available technology and the cost of implementation.
The right to deletion doesn't exist if processing is necessary
(1) for the exercise of the right to freedom of expression and information;
(2) for the compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the field of public health in accordance with the section 9 paragraph2 lit. h and i, as well as in accordance with the section 9 paragraph3 of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes according to the section 89 paragraph1 of the GDPR, insofar as the right referred to under item a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
(5) for the establishment, exercise or defence of any legal claims of any kind.
- Right to Information
If you have asserted the right to rectification, deletion, or restriction of processing against the data controller, the data controller will be obliged to communicate this rectification or deletion of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or requires a disproportionate effort.
You have the right against the data controller to be informed about who these recipients are.
- Right to Data Portability
You have the right to obtain a copy of the personal data you have put at disposal of the data controller in a structured, commonly used, machine-readable format. Moreover, you have the right to transmit this data to another data controller without any obstruction from the data controller to whom the personal data has been given, if
(1) the processing is based on consent given in accordance with the section 6 paragraph1 lit. a of the GDPR or in accordance with the section 9 paragraph2 lit. a of the GDPR or on a contract according to the section 6 paragraph1 lit. b of the GDPR and
(2) the processing is carried out with the aid of using automated procedures.
In exercising this right, you also have the right to have the data controller transfer your personal data directly to another data controller if this is technically feasible. This action must not affect the freedoms and rights of other persons.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the data controller.
- Right to Object
You have the right, for reasons arising from your specific situation to object to the processing of personal data concerning you at any time carried out in accordance with the section 6 paragraph1 lit. e or f of the GDPR; this also applies to profiling based on these provisions.
The data controller will no longer process the personal data relating to you unless they can prove a compelling, legitimate reason for this which outweighs your interests, rights, and freedoms or the processing serves to assert, exercise, or defend any legal claims.
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures by using technical specifications.
- The right to revoke the declaration of consent under data protection law
You have the right to revoke a declaration of consent granted under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal.
- Right to file a legal complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the principles of the GDPR.
The supervisory authority to which the complaint has been lodged shall inform you of the status and outcome of the complaint, including the possibility of a judicial remedy according to the section 78 of the GDPR.