Privacy Policy OVB Holding AG

1. Definitions

The data protection declaration of OVB Holding AG is based on the terms used by the European Directive and Regulation (EC) No. 1/2006 when issuing the General Data Protection Regulation (GDPR). Our data protection statement shall be easy to read and understand for the public as well as for our clients and business partners. To ensure this, we would like to explain the terminology used in advance.

In this data protection declaration, we use the following terms, among others:

1. Personal data
   Personal data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Data subject
   Data subject is any identified or identifiable natural person whose personal data are processed by the controller.
3. Processing
   Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. Restriction of Processing
   Restriction of processing is the marking of stored personal data with the aim of restricting their future processing.
5. Profiling
   Profiling is any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
6. Pseudonymisation
   Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not associated with an identified or identifiable natural person.
7. Controller
   Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
8. Processor
   Processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
9. Recipient
   Recipient is a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a specific investigation under Union or Member State law shall not be considered recipients.
10. Third Party
    Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
11. Consent
    Consent of the data subjectis any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

OVB Holding AG
Heumarkt 1
50667 Köln

Germany

Phone: +49 221 2015-0
E-Mail: info@ovb.eu
Website: www.ovb.eu

3. Name and address of the data protection officer

The data protection officer of the controller is:

Data protection officer Matthias Leidt

OVB Holding AG
Heumarkt 1, 50667 Köln
Germany

Phone: +49 221 2015-810
E-mail: datenschutz@ovb.eu
Website: www.ovb.eu

Any data subject can contact our data protection officer directly at any time with all questions and suggestions regarding data protection.

4. Legal basis of processing

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given his or her consent to the processing of personal data concerning him or her for one or more specific purposes.
• Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b. GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR) - Processing is necessary to safeguard the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

5. Existence of automated decision-making

As a responsible company, we do not use automatic decision-making or profiling.

6. Collection of general data and information

The website of the controller collects a series of general data and information when a data subject or automated system calls up the website. This general data and information is stored in the log files of the server. The (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address),  (7) the Internet service provider of the accessing system and (8) other similar data and information used to avert danger in the event of attacks on our information technology systems.

When using these general data and information, the controller does not draw any conclusions about the data subject. Rather, this information is required to (1) correctly deliver the content of our website, (2) optimize the content of our website and its advertising, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. Therefore, the controller analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

The legal basis for the processing of personal data is the legitimate interest of the controller in the secure and efficient provision of our online offer in accordance with Art. 6 para. 1 lit. f GDPR.

7. Contact possibility via the website

The website of the OVB Holding AG contains information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller are stored for the purposes of processing or contacting the data subject. This personal data will not be passed on to third parties.

Contact requests are answered in the context of contractual or pre-contractual relationships in order to fulfil our contractual obligations or to answer (pre)contractual enquiries in accordance with Art. 6 para. 1 lit. b GDPR and otherwise on the basis of the legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in answering the inquiries.

8. Subscription to comments in the blog on the website

The comments made in the blog of the OVB Holding AG may be subscribed to by third parties. In particular, there is the possibility that a commenter subscribes to the comments following his comment on a particular blog post.

If a data subject chooses the option to subscribe to comments, the controller sends an automatic confirmation e-mail in order to check in the double opt-in procedure whether the owner of the e-mail address provided has really opted for this option. The option to subscribe to comments can be terminated at any time.

The legal basis for the processing of your data for the purpose of this subscription offer is your consent in accordance with Art. 6 para. 1 lit. a GDPR.

10. Plugins and embedded functions and content

We integrate functional and content elements into our online offer, which are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may be, for example, graphics, videos or social media buttons as well as contributions (hereinafter uniformly referred to as "Content").

The integration always requires that the third-party providers of this content process the IP address of the users, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required for the display of this content or functions. We endeavor to use only content whose respective providers only use the IP address to deliver the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, the time of visit and other information on the use of our online offer as well as be linked to such information from other sources.

Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this data protection declaration.

• Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), inventory data (e.g. names, addresses), contact data (e.g.e-mail, telephone numbers), content data (e.g. text input, photographs, videos).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness, contractual services and service, security measures, administration and response to inquiries.
• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)

Services and service providers used:

• YouTube: Videos; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Possibility of objection (opt-out): Opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://adssettings.google.com/authenticated.
• Google Maps: We integrate the maps of the service "Google Maps" of the provider Google. The processed data may include, in particular, IP addresses and location data of the users, which, however, are not collected without their consent (usually as part of the settings of their mobile devices). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://maps.google.de Privacy Policy: https://policies.google.com/privacy; Settings for the display of advertisements: adssettings.google.com/authenticated.
• Facebook pixel: With the help of the Facebookpixel, Facebook is able to determine the visitors of our online offer as a target group for the presentation of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of the partners cooperating with Facebook (so-called "Audience Network" https://www.facebook.com/audiencenetwork/) who have  also shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products that become apparent from the websites visited).  that we transmit to Facebook (so-called "Custom Audiences"). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can also understand the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion measurement").
• JWPlayer: Display of video clips: Service providers: JWPlayer, LongTail Ad Solutions, Inc. d/b/a JW Player 2 Park Avenue, 10th Floor New York, NY 10016, USA .  Each time you visit a page that offers one or more JWPlayer video clips, a direct connection is established between your browser and a JW-Player server in the USA. Information about your visit and your IP address are stored there. Through interactions with the JW-Player plugins (e.g. clicking the start button), this information is also transmitted to JW-Player and stored there. The privacy policy for JWPlayer with more detailed information on the collection and use of your data by JWPlayer can be found under https://www.jwplayer.com/privacy. In addition, JWPlayer calls the tracker Google Analytics via an iFrame in which the video is accessed. This is JWPlayer's own tracking to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some Internet browsers. Users can also prevent Google from collecting the data generated by Google Analytics and relating to their use of the website (including their IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link:
  http://tools.google.com/dlpage/gaoptout?hl=de

11. Data protection for applications and in the application process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided therein.

Basically, the required information includes personal information, such as name, address, contact options and proof of the qualifications required for a job. On request, we will also be happy to inform you which information is required.

The controller collects and processes the personal data of applicants for the purpose of deciding on the establishment of an employment relationship pursuant to Art. 6 para. 1 sent. 1 lit. b GDPR, § 26 Abs. 1 BDSG (Bundesdatenschutzgesetz). If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of carrying out the employment relationship in compliance with the statutory provisions. Processing may also be carried out electronically. This is particularly the case if an applicant submits corresponding application documents to the controller electronically, for example by e-mail or via a web form on the website. If no employment contract is concluded with the applicant by the controller, the application documents shall be automatically deleted two months after notification of the rejection decision, provided that deletion does not conflict with any other legitimate interests of the controller. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

12. Data protection provisions about the application and use of Google Analytics (with anonymization function)

On this website, the controller has integrated the component Google Analytics (with anonymization function). Google Analytics is a web analytics service. Web analysis is the collection, collection and evaluation of data about the behavior of visitors to websites. A web analysis service collects, among other things, data about the website from which a data subject came to a website (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The legal basis for the processing of personal data is the consent of the data subject pursuant to Art. 6 para. 1 lit. a GDPR. The controller uses the addition "_gat._anonymizeIp" for web analysis via Google Analytics. By means of this addition, the IP address of the Internet connection of the data subject will be shortened and anonymized by Google if our websites are accessed from a member state of the European Union or from another member state of the European Economic Area.

The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information obtained, among other things, to evaluate the use of our website, to compile online reports for us that show the activities on our website, and to provide other services related to the use of our website.

Google Analytics places a cookie on the information technology system of the data subject. What cookies are has already been explained above. By setting the cookie, Google is able to analyze the use of our website. With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. During the course of this technical procedure, Google gains knowledge of personal data, such as the IP address of the data subject, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently to enable commission settlements.

The cookie is used to store personal information, such as the access time, the location from which access was made and the frequency of visits to our website by the data subject. Each time our website is visited, this personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties. In the opinion of the EU Commission, the USA does not have a level of data protection comparable to that of the EU. It must be assumed that US authorities can gain access to the data of the data subject.

The data subject may refuse the setting of cookies by Google Analytics through our website via the cookie banner. Any consent given can be revoked at any time via the button "Edit cookie settings". In addition, it can prevent the setting of cookies, as already described above, at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the information technology system of the data subject. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the possibility to object to the collection of data generated by Google Analytics relating to the use of this website and the processing of this data by Google and to prevent such collection. For this purpose, the data subject must download and install a browser add-on under the link tools.google.com/dlpage/gaoptout. This browser add-on tells Google Analytics via JavaScript that no data and information about visits to websites may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google as an objection. If the information technology system of the data subject is deleted, formatted or reinstalled at a later date, the data subject must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person who is attributable to their sphere of influence, it is possible to reinstall or reactivate the browser add-on.

Further information and Google's applicable privacy policy can be found at www.google.de/intl/de/policies/privacy/ and www.google.com/analytics/terms/de.html  . Google Analytics is www.google.com/intl/de_de/analytics/ explained in more detail under this link.

13. Information on data protection and legally required information when using the "Zoom" service for video conferencing at OVB Holding AG

In the following, we would like to inform you about the processing of personal data in connection with the use of "Zoom".

Purpose of processing

We use the "Zoom" tool to conduct online meetings, video conferences and/or online training (hereinafter: "Online Meetings"). "Zoom" is a service of Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, United States of America.

Controller

OVB Holding AG is responsible for data processing in direct connection with the conduct of "online meetings".

Note: If you access the website of "Zoom", the provider of "Zoom" is responsible for the data processing.

What data is processed?

When using "Zoom", different types of data are processed. These are in particular the information about the user (surname, first name, e-mail, optional: telephone, photo) as well as the text, audio and video data in the course of the "online meeting". You can switch off or mute the camera or microphone yourself at any time via the "Zoom" applications. In addition, meeting metadata is created and used (details: https://zoom.us/privacy#_Toc44414846).

Scope of processing

We use "Zoom" to conduct "online meetings". If we want to record "online meetings", we will inform you transparently in advance and ask for your consent. In the case of online training, we may make this recording available to a selected group of participants via a link. This will be communicated to you before recording.

Legal basis of data processing

Insofar as the use of "Zoom" processes personal data for the establishment, implementation or termination of the employment relationship, Art. 6 para. 1 sent. 1 lit. b GDPR, § 26 Abs. 1 BDSG is the legal basis for the processing.

Insofar as meetings are held within the framework of other contractual relationships, the legal basis for data processing when conducting "online meetings" is Art. 6 para. 1 lit. b) GDPR

In other cases, the processing of personal data when using "Zoom" is based on Art. 6 para. 1 lit. f) GDPR as the legal basis for data processing. In these cases, our legitimate interest lies in the effective conduct of "online meetings".

Recipients / Disclosure of data

Personal data processed in connection with participation in "online meetings" will not be passed on to third parties, unless they are intended for disclosure.

Other recipients: The provider of "Zoom" necessarily receives knowledge of the above-mentioned data, insofar as this is provided for in our data processing agreement with "Zoom".

Further data protection information from Zoom Inc. can be found at:

https://Zoom.us/de-de/privacy.html

https://Zoom.us/de-de/gdpr.html

Data processing outside the European Union

Zoom is based in the USA. Processing of personal data thus also takes place in a third country. We have concluded a data processing agreement with the provider of "Zoom" on the basis of the EU standard contractual clauses. Following the invalidation of the EU-US Privacy Shield, there is currently no adequate level of protection for the transfer of personal data to the USA. For example, data subjects' rights with respect to their personal data are restricted in the United States. As a supplementary protective measure, we have also made our Zoom configuration so that only data centers in the EU, the EEA, are used to conduct "online meetings". Recordings are only stored on Zoom's servers for a limited period of time and thereafter on servers in the EU in accordance with retention obligations.

14. Presence in social networks

We maintain online presences within social networks in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This can result in risks for users, e.g. because the enforcement of users' rights could be made more difficult. With regard to US providers who offer guarantees of a secure level of data protection, we would like to point out that they thereby undertake to comply with the data protection standards of the EU.

Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of the usage behavior and the resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the possibilities of objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

Also, in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, you can contact us.

• Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos), usage data (e.g . websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: contact requests and communication, tracking (e.g. interest/behavioural profiling, use of cookies), remarketing, range measurement (e.g. access statistics, recognition of returning visitors).
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Services and service providers used:

• Instagram : Social network; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
• Facebook: Social network; Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Opt-out: Settings for advertisements: www.facebook.com/settings; Additional information on data protection: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, data protection information for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
• LinkedIn: Social Network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy;  Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• Twitter: Social network; Service provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Privacy Policy: https://twitter.com/de/privacy, (Settings) https://twitter.com/personalization;

• YouTube: Social network; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Possibility of objection (opt-out): https://adssettings.google.com/authenticated.

15. Deletion of data

The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data has ceased to exist or it is not necessary for the purpose).

If the data are not deleted because they are necessary for other and legally permissible purposes, their processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

In principle, we delete personal data if there is no need for further storage. A requirement may exist in particular if the data is still required to fulfill contractual services, to check warranty and, if applicable, to grant or defend warranty claims. In the case of statutory retention obligations, deletion is only considered after expiry of the respective retention obligation. For example, according to § 23 FinVermV, consultations that fall under the Financial Investment Brokerage Ordinance (FinVermV) are subject to a retention obligation of 10 years.

Even after termination of the contractual relationship, OVB Holding AG retains the data to the extent that it needs it in order to be accountable to you or third parties if necessary, to comply with statutory storage periods or to exercise or assert its own rights or claims. All further recorded "online meetings" will be deleted after three months at the latest. If OVB Holding AG processes the data on the basis of your consent, the data will be deleted immediately after your revocation. Further information on the deletion of personal data can also be provided within the scope of the individual data protection notices of this data protection declaration.

16. Rights of the data subject

1. Right to confirmation
   Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact the company under No. 2 of the data protection declaration.
2. Right of access
   Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European legislator has granted the data subject access to the following information: Furthermore, the data subject has a right of access as to whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to obtain information about the appropriate guarantees in connection with the transmission.
   
   If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact the company under No. 2 of the data protection declaration.
   • the purposes of processing
   • the categories of personal data being processed
   • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
   • if possible, the intended duration, for which the personal data are stored or, if that is not possible, the criteria used to determine that period
   • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her or to object to such processing
   • the existence of a right of appeal to a supervisory authority
   • if the personal data are not stored by the data subject.  The following are collected: All available information as to the origin of the data.
   • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
3. Right to rectification
   Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
   
   If a data subject wishes to avail himself of this right to rectification, he or she may, at any time, contact the company under No. 2 of the data protection declaration.
4. Right to erasure (right to be forgotten)
   Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies, as long as processing is not required: Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to protect other controllers processing the personal data, inform that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The controller will arrange the necessary measures in individual cases.
   • The personal data have been collected for such purposes or otherwise for which they are no longer necessary.
   • The data subject withdraws consent on which the processing is based pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
   • The data subject objects to the processing pursuant to Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
   • The personal data have been unlawfully processed.
   • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject.
   • The personal data have been processed in relation to Information society services pursuant to Article 8 (1) GDPR. If one of the afore mentioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the OVB Holding AG, he or she may, at any time, contact the company under No. 2 of the data protection declaration. The controller shall promptly ensure that the erasure request is complied with immediately.
5. Right to restriction of processing
   Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
   • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
   • The processing is unlawful, the data subject opposes the erasure of the personal data and instead requests the restriction of the use of the personal data.
   • The controller no longer needs the personal data for the purposes of the processing, but they are necessary for the establishment, exercise or defence of legal claims.
   • The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
   If one of the afore mentioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by the controller, he or she may at any time contact the company under No. 2 of the data protection declaration. The controller will arrange the restriction of the processing.
6. Right to data portability
   Each data subject shall have the right granted by the European legislator to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR and the processing is carried out by automated means, where processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
   
   Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.
   
   In order to assert the right to data portability, the data subject may at any time contact any of the companies listed under No. 2 of the data protection declaration.
7. Right to object
   Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.
   
   The controller shall no longer process the personal data in the event of the objection, unless he can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
   
   If the controller processes personal data, for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling to the extent that it is associated with such direct marketing. If the data subject objects to the controller to the processing for direct marketing purposes, the controller will no longer process the personal data for these purposes.
   
   In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the controller for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
   In order to exercise the right to object, the data subject may contact the company under No. 2 of the data protection declaration. In addition, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject is free to exercise his or her right to object by automated means using technical specifications.
8. Automated individual decision-making, including profiling
   Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, provided that the decision (1) is not responsible for the  is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is not based on the data subject's explicit consent.
   
   If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject's explicit consent, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller,  to state its own point of view and to contest the decision.
   
   If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact the company under No. 2 of the data protection declaration.
9. Right to revoke consent under data protection law
   Each data subject shall have the right granted by the European legislator to revoke consent to the processing of personal data at any time.
   
   If the data subject wishes to exercise the right to revoke the consent, he or she may, at any time, contact any employee of the controller. The legality of the processing carried out until the revocation is not affected by this.
10. Right to lodge a complaint with the supervisory authority
    Any person affected by the processing of personal data also has the right, in accordance with the statutory provisions, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR, lodge a complaint.