The travel agency behind Seascanner.com is Kreuzfahrtberater GmbH, who serves as the entity processing the data and whose contact details you can find here.

In principle, we process personal data of our users only insofar as this is necessary to provide a functioning website, and our content and services. The processing of personal data of our users takes place regularly, only with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for reasons of fact, and the processing of the data is permitted by law.

• For a consultation request, please provide your e-mail address or telephone number. We need this information in order to contact you.
• When making a booking request, we also need your address and the names and dates of birth of the travelers. These data are necessary for the proper processing of your booking. If the tour operator requires the nationality of the traveler to create an option booking, we will ask for it directly in the booking form.
• Depending on the payment method, your account number and bank code (if paying by direct debit) or your credit card details are required for a fixed booking. When paying by invoice, you do not have to submit any payment details to us.
• After a fixed booking and before departure, the tour operators require the entry of the passport details (name, nationality, passport number, date of issue, expiry date, issuing authority, place of issue) for the creation of the “on-board manifesto” which must be made available to the immigration authorities of the countries visited. These data can be sent by you directly to the tour operator, but we will also take over the forwarding of these data for you if you so wish.
• We process usage data (e.g. the visited web pages of our online offering, interest in the cruises and package tours offered) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile. We use this, for example, to display product information to the user based on the services the user has previously used.

Server log files

In addition, we log all accesses to our server for the purpose of fault diagnosis. This data is also used to optimize the website and to ensure the security of our information technology systems. For this purpose, the following data, which your Internet browser transmits to us or to our web hosting provider, is recorded:

• Browser type and version
• Operating system used
• Website from which you visit us (Referrer URL)
• Address of the website you visit
• Date and time of your access
• Your Internet Protocol (IP) address.

The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no right of objection to this on the part of the user.

Cookies

Like many other websites, we use so-called cookies on our site to recognize multiple uses of our offer by the same user / Internet browser. Cookies are small text files that your Internet browser stores and saves on your computer. They serve to optimize our website and our offers and to facilitate your access to our site. Cookies help us:

• To estimate our visitor numbers and to estimate the frequency of use of our offer,
• Store information about your preferences so that we can tailor the page to your needs and show you more relevant content,
• To process your search queries faster,
• To recognize when you return to our website.

You can prevent the storage of cookies by setting your browser accordingly. Already saved cookies can be deleted at any time. This can also be done automatically. We do need to point out to you, however, that you may not be able to use all the features of our website if you disable or delete cookies.

In order for us to be able to display the appropriate prices when you display a cruise or package tour detail page, the following information is stored in a cookie on your computer:

• Number of adults (1,2,3,4)
• Number of children (0,1,2,3)
• Currency

You can also use our website if you disable cookies. In this case, you only have to re-enter the number of adults / children and the currency when displaying each cruise or package tour detail page.

• Insofar as we obtain the consent of the data subject for processing of personal data, the legal basis is Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR).
• In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR is the legal basis. This also applies to processing operations required to carry out pre-contractual actions.
• Insofar as processing of personal data is required to fulfill a legal obligation that our company is subject to, the legal basis is Art. 6 para. 1 lit. c GDPR.
• In the event that the essential interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR is the legal basis.
• If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, Art. 6 para. 1 lit. f GDPR is the legal basis for processing.

If we pass on data to other persons and companies (processors or third parties), transmit them to them or otherwise grant them access to the data, this is done only on the basis of: a legal permission (eg if a transmission of data to third parties according to Art. 6 para 1 letter b GDPR is required to fulfill the contract), your consent, a legal obligation or on the basis of our legitimate interests (e.g. the use of agents, web hosting, etc.).

Insofar as we commission third parties to process data on the basis of a contract processing contract, this is done on the basis of Art. 28 GDPR.

When traveling to the United States, local authorities require that each passenger's flight and reservation details be inspected prior to entry. Without this data transmission by the tour operator an entry into the USA is not possible. Similar rules may apply to other states.

Transfers to other countries

If we process data in another country (ie outside the EU), or transmit data in the context of the use of third party services or disclosure, this is only done to fulfill our (pre) contractual obligations, on the basis of your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of the special conditions of Art. 44 et seq. GDPR. The processing is on the basis of specific guarantees, such as the officially recognized level of data protection or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

Use of the "Like" or "Share" buttons

On our site you can share content directly on the respective social network (hereinafter: service) by clicking on the Facebook / Twitter / Google + Share button. You can recognize the share buttons by the logo of the respective service at the bottom of our page. When you visit our pages, no data is automatically transmitted to these services. Only when you click on a share button will the respective service receive the information that you have visited our site with your IP address. If you click the Share button while logged in to your Facebook / Twitter / Google account, you can link the contents of our pages to your profile. This allows the respective service to assign the visit to our pages to your user account. We point out that we as the provider of the pages are not aware of the content of the transmitted data and their use by the respective service. Further information can be found in the respective privacy policy:

• Facebook data policy
• Twitter privacy policy
• Google+ Privacy Policy

If you do not want one of these services to be able to associate the visit of our pages with your user account, it is sufficient not to click on the share buttons.

External hotel search

If you use the offers of the external provider hotel.de integrated on our website (click on "hotels before / after the cruise"), they may save their own cookies on your computer. The processing of your data with this external provider is based on their data protection regulations, which you can see here:

• Data privacy statement hotel.de

Website optimization using Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, in the event of activation of IP anonymisation on this website, your IP address will be shortened beforehand by Google, within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage to the website operator. You can prevent the storage of cookies by amending the relevant setting of your browser software. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google, by downloading the browser plug-in available under the following link and install: https://tools.google.com/dlpage/gaoptout?hl=en.

You can also prevent the collection of data by Google Analytics by clicking on the following link. An opt-out cookie will be set that will prevent the future collection of your data when you visit this website: disable Google Analytics

For more information about Terms of Use and Privacy, please visit https://www.google.de/analytics/terms/gb.html or https://policies.google.com/?hl=en. On this website Google Analytics is extended by the code "anonymizeIp", in order to ensure an anonymized collection of IP addresses (so-called IP-Masking).

Use of Google Remarketing

We use the Google Remarketing service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043 USA, hereinafter "Google", on our website. Google Remarketing can show ads to people who have already visited our website in the past. Within the Google ad network, advertisements tailored to their interests can be displayed on our site. Google Remarketing uses cookies for this evaluation. Cookies are small text files that are stored on your computer and allow an analysis of the use of the website. This will allow us to recognize our visitors as soon as they visit websites within Google's advertising network. In this way, within the Google ad network, advertisements may be presented that relate to content that the visitor previously viewed on Google Network websites that also use Google's remarketing feature. Google does not collect any personal data. You can disable this feature if you amend the appropriate settings at https://www.google.com/settings/ads.

Use of Google Adwords

We also use the Google advertising tool "Google Adwords" to promote our website. As part of this, we use the "Conversion Tracking" analysis tool from Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043 USA, "Google", on our website. If you have reached our website via a Google ad, a cookie will be stored on your computer. Cookies are small text files that your Internet browser stores and saves on your computer. These so-called "conversion cookies" lose their validity after 30 days and are not used for your personal identification. If you visit certain pages on our website and the cookie has not expired yet, we and Google may recognize that you, as a user, have clicked on one of our Google-placed ads and have been redirected to our site.

The information obtained through the "Conversion Cookies" is used by Google to create visitor statistics for our website. These statistics tell us the total number of users who clicked on our ad, and which pages on our site were subsequently accessed by their respective users. However, we or other advertisers do not receive any information through "Google Adwords" that personally identifies users.

You can prevent the installation of the "conversion cookies" by setting your browser accordingly, for example by setting a browser that generally deactivates the automatic setting of cookies or specifically blocks only cookies from the domain "googleadservices.com".

Google's privacy policy can be found at the following link: https://services.google.com/sitestats/en.html

Use of the Facebook Pixel

Our website uses the user interaction pixel from Facebook, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”), in order to measure conversions and user interactions with the website.

With the help of the Facebook pixel, the behavior of website visitors can be tracked after they have clicked on a Facebook ad which links to our website. Thereby the efficacy of Facebook ads can be evaluated for statistical and marketing purposes, and future ads can be optimized.

For us as a website operator, the data is anonymized, and we cannot draw conclusions from it as to the identity of the users. However, the data is saved and processed by Facebook in a way that it can be linked to an individual user profile, and so that Facebook can use the data for their own advertising purposes according to their data processing guidelines. Thereby, Facebook can trigger advertisements on Facebook pages as well as outside of Facebook. This use of the collected data cannot be influenced by us as website operator.

You can find further information about the safeguarding of your privacy in the Facebook privacy statement: https://www.facebook.com/about/privacy/.

In addition, you can deactivate the remarking function "Custom Audiences" under the settings for ads section: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You need to be logged in to Facebook for this.

If you don't have a Facebook account, you can deactivate behavior based advertising by Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

Alternatively, you can prevent the collection of your data on our website by the Facebook pixel by clicking on the following link. This will set an opt-out cookie in your web browser, which will prevent the collection of your data on future visits of our website with your current browser: Deactivate Facebook Pixel

Use of Google Optimize

Google Optimize is a testing tool from Google that can be used on our website to optimise pages and improve the user experience. Google Optimize makes it possible to test different variants of a webpage at the same time. This allows us to evaluate which variant best meets the needs and expectations of our users.

For this purpose, Google Optimize collects user data through the Google Analytics cookie, which is described in detail in the “Google Analytics” section above.

The collected personal data is processed by Google Optimize in the USA.

Further information can be found in Google’s privacy policy:

https://policies.google.com/privacy?hl=en

You can opt out of Google Optimize tracking at any time by following the link provided in the Google Analytics section of this privacy policy.

Third Party Tools for Ad Measurement and Optimization

We allow third parties such as Google to collect information about your online activity through cookies and other technologies. These third parties include ad networks that collect information about your interests when you view or interact with one of their advertisements posted on many websites. The information collected by these third parties will be used to make predictions about your characteristics, interests or preferences, and to display advertisements tailored to you.

Please note that we do not have access to or control over cookies or other technologies that these third parties use to collect information about you and that the information practices of such third parties are not covered by this Privacy Policy. Some of these companies are members of the Network Advertising Initiative, which makes it possible to refuse targeted advertising from member companies through a single agency. For more information and the ability to opt-out of interest-based advertising, please visit the Network Advertising Initiative link above.

Use of Novalnet

The controller has integrated components from Novalnet AG on this website. If the data subject selects a payment method during the ordering process in the online store, the data subject's data is automatically transmitted to Novalnet AG. By selecting a payment option, the data subject consents to this transmission of personal data for the purpose of processing the payment.The personal data transmitted to Novalnet are usually first name, last name, address, gender, e-mail address, IP address and, if applicable, date of birth, telephone number, cell phone number and other data necessary for processing a payment. For the processing of the purchase contract are also such personal data that are related to the respective order. In particular, there may be a mutual exchange of payment information, such as bank details, card number, expiration date and CVC code, data on goods and services, prices. The transmission of data is intended in particular for identity verification, payment administration and fraud prevention. The Controller will transmit Personal Data to Novalnet AG in particular if there is a legitimate interest for the transmission. The Personal Data exchanged between Novalnet AG and the Controller shall be transmitted by Novalnet AG to credit reporting agencies, if applicable. Novalnet AG also discloses the personal data to service providers or subcontractors to the extent that this is necessary for the fulfillment of contractual obligations or the data is to be processed. The data subject has the option to revoke the consent to the handling of personal data at any time to Novalnet AG. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing.

On request, you can subscribe to our newsletter, which is sent a number of times per week. The data from the input mask are transmitted to us when registering for the newsletter. In addition, the following data is collected upon registration:

• IP address of the calling computer
• Date and time of registration

If you purchase goods or services on our website and deposit your e-mail address here, this can subsequently be used by us to send a newsletter. In such a case, the newsletter will only send direct mail for similar goods or services.

The newsletter can be unsubscribed at any time via a link in every newsletter broadcast.

We use the list provider MailChimp to send our newsletter. MailChimp is an offer from The Rocket Science Group, LLC, 512 Means Street, Ste 404 Atlanta, GA 30318, United States.

MailChimp offers extensive analysis of how our newsletters are opened and used. This analysis is group-related and are not used by us for individual evaluation. For more information about MailChimp and privacy at MailChimp, please visit: mailchimp.com/legal/privacy/

Subscribing to this newsletter and consenting to the storage of your data may be terminated or revoked at any time in the future. Details can be found in the confirm e-mail as well as in each individual newsletter.

Newsletter tracking

Our newsletters contain so-called "web bugs", which allow us to detect if and when an email was opened and which links in the email were followed by the personalized recipient.

This data is stored by us, so that we can optimally align our newsletters to the wishes and interests of our subscribers. Accordingly, the data thus collected are used to send personalized newsletters to the respective recipient.

By revoking the consent to receive the newsletter, the consent to the aforementioned tracking is revoked.

Legal Basis

The legal basis for the processing of the data after the user has registered for the newsletter is the consent of the user Art. 6 para. 1 lit. a GDPR. The legal basis for sending the newsletter as a result of the sale of goods or services (due to sending the booking form) is § 7 Abs. 3 UWG.

On our website a contact form is available, which can be used for electronic contact. If you use this form, the data entered in the input mask will be transmitted to us and saved. These data are:

• IP address of the calling computer
• Date and time of registration

User information can be stored in a Customer Relationship Management System ("CRM System") or comparable system of organizing requests. We delete the requests, if they are no longer required. We check this necessity every two years; furthermore, the legal archiving obligations apply.

In addition to newsletters, we also send non-advertising, so-called transactional emails that are directly related to the use of Cruiseberater.de (e.g. when registering, forgetting your password, etc.).

We use Mailjet for this.

These transactional emails are absolutely necessary for the implementation of the business relationship. Unlike newsletters, they therefore do not contain a link to unsubscribe.

For the purpose of analysis, emails sent with Mailjet contain a so-called “tracking pixel” that connects to Mailjet’s servers when the email is opened. In this way it can be determined whether a transactional email has been opened.

We can also use Mailjet to determine whether and which links in the transactional email are clicked. Some links in the email are so-called tracking links that can be used to count your clicks.

Data processing is based on your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time. The legality of the data processing operations that have already taken place remains unaffected by the revocation.

We process the data of our customers in the course of the booking processes on our website, on the phone and in our shop, in order to enable them to select and book the relevant travel services, as well as their payment and supply.

The processed data includes inventory data, communication data, contract data, and payment data. People affected by the processing include our customers, prospects and other business partners. Processing is for the purpose of providing contractual services in the context of the operation of an online travel agency, billing, delivery and customer service.

Processing is based on Art. 6 para. 1 lit. b (execution of order transactions) and c (legally required archiving) GDPR. The necessary information for the establishment and fulfillment of the contract is required. We disclose the data to third parties only in the context of delivery, payment or in the context of legal permissions and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfillment of the contract (for example, at the customer's request upon delivery or payment) and in the cases specified in this privacy policy.

Data is deleted after the expiry of legal obligations, and the necessity of storage of the data is checked every three years; in the case of legal archiving obligations, deletion takes place after expiry, ie after the end of the commercial law (6 years) and tax (10 years) storage obligations.

In order to conduct our business economically and identify market trends and customer and user needs, we analyze the data we have available for business transactions, contracts, enquiries, etc. We process this inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 para. 1 lit. f. GDPR, whereby the persons affected include customers, prospects, business partners, visitors and users of the online offer.

The analysis is carried out for the purpose of business analysis, marketing and market research. In doing so, we can better define the profiles of registered users, e.g. by taking into account the services used. The analysis allows us to increase the user-friendliness of the site, to optimize our offer and the business economics. This analysis is solely for our use and will not be disclosed externally unless they are anonymous, aggregated value analyses.

If the analysis or profiles are personal, they will be deleted or anonymised upon cancellation by the users, otherwise after two years from the conclusion of the contract. The overall business and trend analyses are initially created anonymously wherever possible.

Your personal data is encrypted during transmission with SSL according to the current technical state of the art.

On request you can also pay by credit card. For the transmission of the card data, we will then provide you with a link to an SSL-encrypted form. For your own protection, you should never send credit card details by e-mail.

The personal data of the relevant person will be deleted or blocked as soon as the purpose of the storage no longer exists. In addition, storage requirements may be provided for by the European or national legislator in EU regulations, laws or other regulations to which the responsible company is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for the conclusion or fulfillment of the contract.

If we process your personal data, you are protected by GDPR and have the following rights in respect to us:

Information Rights

You may ask the person in charge to confirm if personal information concerning you is being processed. If such processing is happening, you can request information from the person responsible about the following information:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
• the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information on the source of the data if the personal data are not collected from you;
• the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on you.
• You have the right to request information about whether your personal information has been transmitted to a third country or an international organization. In this case, you can request the appropriate guarantees in accordance with. Art. 46 GDPR in connection with the transfer.

Right to rectification

You have a right to rectification and / or completion by us if the personal data we process is incorrect or incomplete. We must make the correction without delay.

Right to restriction of processing

You may request the restriction of the processing of your personal data under the following conditions:

• if you contest the accuracy of your personal information, restriction for a period of time that enables us to verify the accuracy of your personal information;
• the processing is unlawful and you refuse to allow the deletion of your personal data and instead request the restriction of the use of the personal data;
• we no longer require your personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
• if you objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether our legitimate grounds prevail over your rights.

If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest oft he EU or a Member State.

If processing of your data has been limited according to the above conditions, you will be informed by the person in charge before the restriction is lifted.

Right to delete

Obligation to delete: You may require the responsible person to delete the personal data concerning you without delay, and we are obliged to delete this data immediately if one of the following reasons applies:

• Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent to the processing according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. GDPR and there is no other legal basis for processing.
• You object to the processing according to Art. 21 para. 1 GDPR and there are no higher priority justifiable reasons for the processing, or you object to processing according to Art. 21 para. 2 GDPR.
• Your personal data has been processed unlawfully.
• The deletion of personal data concerning you is required to fulfill a legal obligation under EU law or the law of the Member States to which we are subject.
• The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

Information to third parties: If the person in charge has made the personal data concerning you public and he is required to delete it according to Article 17 (1) of the GDPR, he shall take appropriate measures – taking into account available technology, implementation costs - including technical means, to inform data controllers who process the personal data that you have been identified as being affected, requesting deletion of all links to such personal data or of copies of such personal data.

Exceptions: The right to delete does not exist if the processing is required:

• to exercise the right to freedom of expression and information;
• to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task of public interest or in the exercise of official authority conferred on the controller;
• for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
• for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
• to assert, exercise or defend legal claims.

Right to information

If you have the right of rectification, deletion or restriction of processing, we are obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless: this proves to be impossible or involves a disproportionate effort. You have a right to be informed about these recipients.

Right to data portability

You have the right to receive personally identifiable information you provide to us in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person without hindrance by the person responsible for providing the personal data, provided that the processing is based on a consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR and processing is done using automated procedures.

In exercising this right, you also have the right to require that your personal data are transmitted directly from one person to another, insofar as this is technically feasible. Freedoms and rights of other persons cannot be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

Right to object

You have the right at any time, for reasons that arise from your particular situation, to object against the processing of your personal data pursuant to Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, exercising or defending legal claims.

If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58 / EC, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

Right to revoke the data protection consent declaration

You have the right to revoke your data protection declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Automated decision on an individual basis including profiling

You have the right not to be subjected to a decision based solely on automated processing - including profiling - that will have legal effect or will affect you in a similar manner. This does not apply if the decision:

1. is required for the conclusion or performance of a contract between you and the controller,
2. is permissible on the basis of Union or Member State legislation to which the controller is subject, and that legislation contains adequate measures to safeguard your rights and freedoms and your legitimate interests, or
3. with your express consent.

However, these decisions must not be applied to special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in paragraphs 1 and 3 above, the person responsible shall take reasonable steps to uphold your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person from the controller, to express your own position and to challenge the decision.

Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or the place of alleged infringement, if you believe that the processing of the personal data concerning you violates GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.