8. Rights of data subjects
a) Right of confirmation
Each data subject has the right, granted under EU legislation, to request confirmation from the controller of whether the controller is processing relevant personal data. If a data subject wishes to exercise this right of confirmation, they may contact our data protection officer or another employee of the controller at any time for this purpose.
b) Right of access to information
You may request confirmation from the controller of whether we are processing personal data concerning you.
If such processing is taking place, you may request information from the controller about the following aspects:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data that is being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
(4) the envisaged period for which the personal data concerning you will be stored or, if no specific information can be provided in this respect, criteria used to determine the storage duration;
(5) the existence of the right to rectification or erasure of personal data concerning the data subject or a right to restriction of processing of personal data by the controller or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) where the personal data is not collected from the data subject, any available information as to its source;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether the personal data concerning you is transferred to a third country or an international organisation. In this context you can ask to be informed about the appropriate safeguards under Art. 46 GDPR relating to the transfer.
If a data subject wishes to exercise this right of access to information, they may contact our data protection officer or another employee of the controller at any time for this purpose.
c) Right to rectification
Each data subject whose personal data is processed has the right granted under EU legislation to obtain the rectification of inaccurate personal data without undue delay. Further, the data subject also has the right to request the completion of incomplete personal data, taking the purposes of the processing into account, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right of rectification, they may contact our data protection officer or another employee of the controller at any time for this purpose.
d) Right to erasure (‘right to be forgotten’)
Each data subject whose personal data is processed has the right granted under EU legislation to request from the controller the erasure of the personal data concerning them without undue delay, provided that one of the following grounds applies and the processing is not necessary:
(1) The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
(2) The data subject withdraws their consent on which the processing is based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.
(3) The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2).
(4) The personal data has been unlawfully processed.
(5) The personal data has to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject.
(6) The personal data has been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
If one of the above-mentioned reasons applies and a data subject wishes to effect the erasure of personal data stored by energenta AG, they may contact our data protection officer or another employee of the controller at any time for this purpose. The data protection officer of energenta AG or another employee will see to it that the erasure request is dealt with without undue delay.
If the personal data has been made public by energenta AG and if our company as the controller is under an obligation to erase the personal data pursuant to Art. 17(1) GDPR, energenta AG shall, taking account of the available technology and the implementation costs, implement appropriate measures, including of a technical nature, to notify other controllers who are processing the published personal data that the data subject has demanded that this other controller erase all links to this personal data or copies or replications of this personal data, unless the processing is necessary. The data protection officer of energenta AG or another employee will see to it that the necessary processes are initiated in the individual case.
e) Right to restriction of processing
Each data subject whose personal data is processed has the right granted under EU legislation to request the restriction of processing from the controller where one of the following grounds applies:
(1) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
(2) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of the use of the personal data instead.
(3) The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
(4) The data subject has objected to processing pursuant to Art. 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
If one of the above-mentioned preconditions applies and a data subject wishes to effect the restriction of the processing of personal data stored by energenta AG, they may contact our data protection officer or another employee of the controller at any time for this purpose. The data protection officer of energenta AG or another employee will see to it that the restriction of the processing is initiated.
f) Right to data portability
Each data subject whose personal data is processed has the right granted under EU legislation to receive the personal data concerning them that they have provided to a controller in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been supplied, provided that the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Additionally, in asserting their right to data portability pursuant to Art. 20(1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, provided this is technically feasible and this does not adversely affect the rights and freedoms of other persons.
To assert the right to data portability, the data subject may contact the data protection officer appointed by energenta AG or another employee at any time.
g) Right to object
Each data subject whose personal data is processed has the right granted under EU legislation to raise an objection to the processing of their personal data at any time on the basis of Art. 6(1)(e) or (f) GDPR on grounds relating to their specific situation. This also applies to profiling based on these provisions.
If an objection is raised, energenta AG will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or the processing is for the purposes of the establishment, exercise or defence of legal claims.
If energenta AG processes personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for such marketing. This includes profiling to the extent that it is related to such direct marketing. If the data subject objects to the processing by energenta AG for purposes of direct marketing, energenta AG shall no longer process the personal data for these purposes.
Additionally, where personal data is processed by energenta AG for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, the data subject has the right to object to the processing of personal data concerning them on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject may assert the right to object by directly contacting the data protection officer of energenta AG or another employee at any time. In terms of the use of information society services, the data subject further has the option of exercising their right to object by automated means using technical specifications, notwithstanding Directive 2002/58/EC.
h) Right to revoke consent under data protection law
Each data subject whose personal data is processed has the right granted under EU legislation to revoke consent to the processing of personal data at any time.
If a data subject wishes to exercise their right to revoke consent, they may contact our data protection officer or another employee of the controller at any time for this purpose.