Data protection

1. general

The protection of your personal data is very important to us. That is why we want to offer you comprehensive transparency regarding the processing of your data on our website, our app and as part of our services.

The following information is intended to inform you about what we use your personal data for, what data is involved and what rights you have in relation to data processing. Personal data within the meaning of Art. 4 No. 1 GDPR (hereinafter referred to simply as „data“) is all information that at least indirectly allows the identification of a person or relates to an already identified person.

1.1 Responsibility

The responsibility within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other data protection regulations depends on the specific data processing. Data is processed on the website, when using the app and on behalf of our customers to provide the service.

Responsible for the use of our website with the exception of the ProduQt portal is

WAPP GmbH
Jöllenbecker Str. 5
33613 Bielefeld

Represented by the managing directors:
Malte Burkert and Mirco Stickan


Hereinafter referred to as „WAPP“ or „we“.

When using the app without a link to a ProduQt account, the data is processed under the sole responsibility of WAPP GmbH. This applies in particular to the technical provision and assignment to a ProduQt account.

Data processing that takes place as part of the ProduQt service on behalf of our customers when using ProduQt via the app or in the web portal is part of an order processing contract that we have concluded with our customers. The responsible party is the customer/client to whose ProduQt account you are assigned.

If, in deviation from the above information, there is joint responsibility, we will inform you of this in these cases.

1.2 General information on data processing

We process personal data within the legally permissible limits. This means that data processing operations are based on a legal basis. These are standardized in Art. 6 para. 1 GDPR. Most data processing is based on a legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR), on processing operations necessary for the performance of a contract (Art. 6 para. 1 sentence 1 lit. b GDPR) or on the basis of your consent (Art. 6 para. 1 sentence 1 lit. a GDPR). In the latter case, you will be informed of the consent process, for example by a checkbox, a pop-up window or another request. Unless we have specified a different legal basis for the individual data processing operations (such as data processing based on legitimate interests), the respective data processing is necessary to initiate or fulfill a contract and is based on Art. 6 para. 1 sentence 1 lit. b GDPR.

Personal data will only be transferred in the cases described below. If we transfer your data to a third country that is not part of the European Economic Area (EEA), this is always done on the basis of a legal basis in accordance with Art. 44 et seq. GDPR. Data transfers to countries for which an effective adequacy decision exists (such as Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, Canada, New Zealand, Switzerland or Uruguay) are carried out on the same basis. If we have not received your express consent in accordance with Art. 45 GDPR to transfer data to other third countries (such as the USA), data is transferred to these third countries on the basis of Standard Contractual Clauses (SCC, standard data protection clauses) issued by the EU Commission in accordance with Art. 46 para. 2 lit. c) GDPR.

We only process personal data for clear purposes (Art. 5 para. 1 sentence 1 lit. b GDPR). As soon as the purpose of processing ceases to apply, your personal data will be deleted, unless we provide different information on the time of deletion for the individual processing operations.

The same applies to the expiry of a prescribed storage period, subject to cases in which further storage is necessary for other purposes. In addition, there may be a legal obligation to store the data for a longer period or to pass it on to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected as well as the type of data processing depend on which functions and services you use in the individual case. We will be happy to provide you with information on this in individual cases in accordance with Art. 15 GDPR.

We sometimes use external service providers to process your data. These service providers are carefully selected by us and commissioned in accordance with strict requirements pursuant to Art. 28 GDPR. They are bound by our instructions.

We would like to inform you that the provision of your data is neither required by law nor by a contract with us. However, if you do not provide your data, you will not be able to use the app and the ProduQt service, or only to a limited extent. The same applies to the display of the website.

Automated decisions in individual cases, including profiling, do not take place.

2. storage of and access to data on your end device

Unless we obtain your consent, the storage of or access to information on your end device is carried out in accordance with Section 25 (2) No. 2 of the Act on Data Protection and Privacy in Telecommunications and Digital Services (TDDDG), as the storage of this information is absolutely necessary to provide the desired functions.

2.1 App

Information that is entered into or shared with the app is first stored in the app and then transmitted to our servers. In addition, data about your orders may be stored in the app on your end device. Further retrieval and storage of data is described below in the appropriate place.

2.2 Website and cookies

Our website uses cookies. By using cookies, users of the website can be provided with more user-friendly services that would not be possible without the use of cookies. Cookies can also be used to optimize the information and offers on our website for the benefit of users.

Cookies are text files that are stored on your end device and can be read by website operators and providers of analytics services when you visit the website. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters that can be used to assign websites and servers to the specific internet browser in which the cookie was stored. This enables the operators of websites and analysis services to identify the user and distinguish them from others. Together with other data stored on the cookie, it is thus possible, for example, to make websites more user-friendly, to maintain order processes and entries in forms on subsequent page views and to design advertisements in line with interests.

3. data processing in connection with the use of our website and communication with you

The use of our website with all its functions requires the processing of certain personal data. We would like to inform you that the provision of your data is neither legally nor contractually required. However, if you do not provide your data, you may only be able to use the website to a limited extent.

3.1 Hosting and Contend Delivery Network

All personal data that you enter via our website is stored securely on the servers of our service provider Amazon Web Services EMEA SARL (38 Avenue John F. Kennedy, L-1855 Luxembourg) in Germany as standard. The transmission takes place exclusively via a secure connection with TLS encryption (https).

In order to ensure fast loading times and smooth use of our website, we use the Amazon CloudFront content delivery network (CDN) from the service provider Amazon Web Services EMEA SARL (38 Avenue John F. Kennedy, L-1855 Luxembourg). The content is provided on several regionally distributed servers connected via the internet, which are specifically selected on request according to criteria such as geographical distance, latency or transmission rate in order to provide you with the desired content as quickly as possible.

For this purpose, your IP address is transmitted to the selecting server and the servers used. This transmission serves our legitimate interest in providing you with short loading times and protecting us from DDoS attacks. The legal basis for data processing is Art. 6 para. 1 lit. f GDPR.

3.2 Log files

The purely informational access to the website and subpages requires the processing of the following personal data and information: Browser type and browser version, operating system used, address of previously visited websites, address of the end device you use to access the website (IP address) and the time the website was accessed. All this information is automatically transmitted by your browser if you have not configured it to suppress the transmission of this information.

This personal data is processed to ensure the security of our information technology systems. These purposes are also legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, so the processing is carried out on a legal basis.

Your personal data will be stored for a maximum of 7 days. This personal data is not merged with other data sources. Data will only be passed on to third parties in the cases mentioned, except in the case of a legal, judicial or official obligation. Data will only be transferred to third countries or international organizations in the cases specified in the privacy policy.

3.2 Cookie banner

We give you the opportunity to select your cookie preferences when you first visit our website and at any time thereafter by means of a cookie banner. In order to ensure that the setting you have selected can be maintained on our subpages and that no data is processed against your will, it is necessary for your decision to be recorded in a machine-readable form. This is done by a cookie that is set by our cookie banner. The legal basis for this data processing is § 25 para. 2 no. 2 TDDDG, as well as Art. 6 para. 1 lit. c) in conjunction with Art. 5 para. 2 and Art. 7 para. 1 GDPR. You can delete cookies that have already been set at any time via an Internet browser or adjust your cookie settings at the bottom of the website.

3.3 Website analysis

We use Google Analytics together with Google Tag Manager on our website. This is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA, hereinafter referred to only as „Google“.

The service uses cookies to store information about the use of the website on your computer. The information generated by the cookies about the use of our website is usually transmitted to a Google server and stored there. The Google Analytics service is used to analyze user behavior and improve our website. We also use Google Tag Manager to simplify the management of Google Analytics.

Usage and user-related information, such as IP address, location, time or frequency of visits to our website may also be transferred to a Google server in the USA and stored there in individual cases. Further information on the transfer of data to non-EU countries can be found below in section 1.2 „General information on data processing„.

We use Google Analytics with the so-called anonymization function. This function allows Google to shorten the IP address within the EU or EEA before it is transmitted to a server in the USA.

The data collected in this way is in turn used by Google to provide us with an analysis of the visit to our website and the usage activities there.

In addition, this data may be used by Google to provide other services related to the use of our website and the use of the Internet. Google states that it will not associate your IP address with any other data. Google provides further data protection information on its use at

https://www.google.com/intl/de/policies/privacy/partners

. Google also offers a so-called deactivation add-on at

https://tools.google.com/dlpage/gaoptout?hl=de

. This add-on can be installed with the most common Internet browsers and offers you further control over the data that Google collects when you visit our website. The add-on informs the JavaScript (ga.js) of Google Analytics that information about your visit to our website should not be transmitted to Google Analytics.

There is joint responsibility with Google for processing.

Data will only be transmitted to Google after your consent has been obtained. Your consent or refusal is stored in a cookie set by us. You can revoke your selection at any time via „Cookie settings„ at the bottom of our website.

If you consent to this, the following cookies will be stored in connection with the website analysis:

Google Analytics with Google Tag Manager

_ga (Google Analytics)
_gat (Google)
_gid (Google) googletagmanager.com (Google)

The legal basis for the storage of third-party cookies in your terminal equipment or access to information already stored in the terminal equipment is Section 25 (1) TDDDG. The legal basis for further data processing in connection with Google Analytics is Art. 6 para. 1 sentence 1 letter a) GDPR. The storage period for user and event data collected by Google Analytics is 14 months.

3.3 Contact form

We process the data you provide when you contact us via the contact form for the purpose of responding to your inquiry. We use the service provider SendinBlue (Köpenicker Straße 126, 10179 Berlin) for this purpose. Depending on your details, the categories of data processed are your name, your contact details (e-mail address), content data, your callback request, connection data and other data that you provide to us. Your personal data will be deleted at the latest after the communication process with you has ended.

The data processing is based on our legitimate interest in offering you a pleasant contact option. The legal basis is Art. 6 para. 1 lit. f GDPR.

3.4 Support requests

If you submit personal support requests, we process the data you provide to us in this context for the purpose of responding to your request. We use the service provider Atlassian Pty Ltd (Level 6, 341 George Street, Sydney NSW 2000, Australia) for this purpose. Depending on your details, the categories of data processed are your name, your contact details (e-mail address), content data, your callback request, connection data and other data that you provide to us. The data processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to be able to offer you personal and fast support.

3.5 Sending emails

If you are specified as the contact person of one of our customers with your email address or have been assigned to an account of the customer, we may send you emails to inform you about customer-related content. This primarily includes notifications about the status of platform use (e.g. registration completed, privacy policy provided, first task created, first task completed, trial period expired, license purchased, etc.). We use the service provider SendinBlue (Köpenicker Straße 126, 10179 Berlin) for this purpose.

When sending these transactional emails, we process your name, your email address and the company assigned to you as a customer in addition to the content. The data processing is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to be able to offer you the best possible support in setting up and using our services.

If we also collect your read status (e-mail opened (yes/no)) in order to improve our e-mail communication, this is done solely on the basis of your previously granted consent in accordance with Art. 6 para. 1 lit. a GDPR.

3.6 Login to the ProduQt portal

In order to access the customer-specific ProduQt portal and view the customer dashboard, you need to log in. We process your access data, the assignment to a customer and the times of login and logout. The legal basis for data processing is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to protect the data of our customers and their employees from misuse.

4. data processing when using our social media pages

4.1 General information

We maintain pages in social networks that serve us for communication and external presentation. Social networks such as Facebook, Instagram, YouTube and X can generally comprehensively analyze the user behavior of visitors when they visit their websites or a website with integrated social media content (e.g. like buttons or advertising banners). When you visit our social media sites or interact with them, data protection-relevant processing is generally carried out.

If you are logged into your social media account of the respective provider and visit our social media page, the operator of the social media platform can assign this visit to your user account. Your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your device or by recording your IP address.

The operators of the social media portals can use the data collected in this way to create user profiles. This allows the operator to show you interest-based advertising inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or were logged in.

We have no influence on the data and data processing procedures collected by the operator, nor are we aware of the full extent of the data collection or the purposes of the processing. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.

We would like to point out that your data collected on the social media presence may be processed outside the European Union. We will inform you about the cooperation with the respective social media platform providers in the following sections. We also inform you in the following sections about the extent to which a corresponding contract on joint responsibility has been concluded with the respective providers, insofar as corresponding analysis data (so-called page insights) is made available to us by the provider.

The legal basis for the data processing for which we are responsible on our social media sites is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in ensuring the most comprehensive and up-to-date presence possible with corresponding interaction options on the Internet. The analysis processes initiated by the social networks may be based on different legal bases.

4.2 Responsibility and assertion of rights

When you visit one of our social media presences, the providers provide us with statistics and analyses in anonymized form about the use of our social media presences. This gives us an insight into the use of our sites (so-called page insights). The statistics provided to us do not allow any conclusions to be drawn about individual profiles. In these cases, we are jointly responsible with the respective social media provider for the processing of the personal data (Art. 26 GDPR) that is used to compile the aforementioned statistics and analyses. Insofar as there is joint responsibility with the respective platform provider, we will inform you in the following sections about the details of the cooperation available to us.
We use the statistics and analyses provided to improve our social media presence and to gain knowledge about its distribution. Please note that, despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the company policy of the respective provider.

In order to enable rapid implementation of your rights as a data subject, please direct any requests to assert your rights in relation to our social media pages initially to the respective platform provider. However, you can also continue to assert your rights against us.

4.3 Social media pages

4.3.1 Facebook and Instagram

We operate pages on Facebook and Instagram. The provider of both social networks is Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland, a subsidiary of Meta Platforms Inc., 1601 Willow Rd, Menlo Park CA 94025, United States), hereinafter referred to as „Meta„.

There is an agreement with Meta on joint responsibility for the processing of data (Controller Addendum). This agreement specifies which data processing operations we or Meta are responsible for when you visit our Facebook or Instagram page.


For more details on data processing, please refer to Meta's privacy policy on Facebook and Instagram and the Controller Addendum:

https://www.facebook.com/about/privacy/
https://help.instagram.com/519522125107875
https://www.facebook.com/legal/terms/page_controller_addendum

4.3.2 YouTube

We maintain a channel on the video platform YouTube, through which we provide video content. YouTube is a service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, United States), which we use as part of a data processing agreement.


For more details on data processing, please refer to YouTube's privacy policy and the data processing agreement:


https://www.youtube.com/intl/ALL_de/howyoutubeworks/user-settings/privacy/
https://www.youtube.com/t/terms_dataprocessing

4.3.3 X (formerly Twitter)

We have a channel on the short message service X. X is a service provided by Twitter International Company. X is an offer of Twitter International Company (One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland, a subsidiary of X Corp., 1355 Market Street 900, San Francisco, California 94103, United States) hereinafter referred to as „X“.

There is an agreement with X on joint responsibility for the processing of data (Controller to Controller Data Protection Addendum). This specifies which data processing operations we or X are responsible for when you visit our X site. The Controller to Controller Data Protection Addendum can be viewed at the following link

https://gdpr.twitter.com/en/controller-to-controller-transfers.html

For more details on data processing, please refer to X's privacy policy:

https://twitter.com/de/privacy

4.3.4 LinkedIn

We have a profile on the social network LinkedIn. LinkedIn is a service provided by LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, United States).

We have an agreement with LinkedIn on joint responsibility for the processing of data (Page Insights Joint Controller Addendum). This specifies which data processing operations we or LinkedIn are responsible for when you visit our LinkedIn page. The agreement can be viewed at the following link

https://legal.linkedin.com/pages-joint-controller-addendum

For more details on data processing, please refer to LinkedIn's privacy policy:
https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy

5. Data processing when using the app without linking to a ProduQt account

5.1 Hosting

All personal data transmitted to us by the app is stored securely on servers of our service provider Amazon Webservices EMEA SARL (38 Avenue John F. Kennedy, L-1855 Luxembourg) in Germany by default. The legal basis for this data processing is our legitimate interest in providing the functions of the app in accordance with Art. 6 para. 1 lit. f GDPR and, from an assignment to a ProduQt account, also the fulfillment of the contract with our customers.

5.2 Informational use of the app

The purely informational provision of the app also requires the processing of various personal data and information such as the device type, the operating system used, the IP address of the end device and the time the app was accessed. Furthermore, the app automatically creates an individual user ID for your device. All this information is automatically collected by the app and stored on our servers in accordance with section 5.1.

This personal data is processed for the purpose of ensuring the functionality and optimization of the app and to ensure the security of our information technology systems. The legal basis for this data processing is our legitimate interest in providing the functions of the app in accordance with Art. 6 para. 1 lit. f GDPR and, from an assignment to a ProduQt account, also the fulfillment of the contract with our customers.

5.3 Assignment to the client

We process the initial assignment of access data that you have received from your client. If these match the information we have, we link your app to the client's account. After successful assignment, it is possible to log in using the single sign-on (SSO) procedure. The legal basis for this data processing is our legitimate interest in fulfilling the contract with our customer in accordance with Art. 6 para. 1 lit. f GDPR.

5.4 Crash reports

We use Google Firebase Crashlytics to determine the causes of errors or crashes of the app. If the app crashes, device information (operating system, version of the operating system, device type, device status information), information about our app (version of the app), your location data (country), the time of the crash, your user ID or alternatively the device ID (IMEI).

The recipient of the data is Google Ireland Ltd, Gordon House, Barrow Street Dublin 4 Ireland. A list of the service providers used by Google Firebase can be found here:

https://firebase.google.com/terms/subprocessors

Unless we have requested your consent for use in accordance with Art. 6 para. 1 lit. a GDPR, the legal basis for processing the data is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to improve the reliability of our app and to be able to guarantee a constant service.

We would like to point out that, regardless of the collection of analytics data by us in the event of crashes, further analytics data may be collected by Google (Android devices) and Apple (iOS devices), which also includes the use of our app. We have no influence on this data collection.

5.5 Push notifications

We use push notifications to inform you about content. We use the service provider OneSignal Inc (201 S B St, San Mateo, CA 94401, United States) for this purpose. This is subject to your express consent in accordance with Art. 6 para. 1 lit. a GDPR. You can give us this authorization voluntarily when you download the app to an Android device or when you open the app for the first time on an iOS device.

You can withdraw your consent to receive push notifications at any time in the respective menu item in the settings of your device.

If you wish to be informed by push notifications, an individual identification number is created in relation to your device ID and our app and stored with the push notification services of Apple (iOS devices) and Google (Android devices), which cannot be traced back by the services. On the basis of this code, it is possible to send you notifications via the push notification services, even if you have not opened our app at that moment. We also store your client as the sender of the message, its content and the time it was sent.

6. Data processing when using the app after linking to a ProduQt account

If you use the app after linking to a ProduQt account of your client, we process further data on behalf of the client in addition to our own data processing in accordance with section 5. The data processing listed under this point takes place on behalf of our customers/clients. This means that the client whose account you are assigned to decides solely on the purposes and means of data processing and is responsible under data protection law. The following data processing takes place regularly in accordance with the instructions of the client when using ProduQt. The legal basis for the processing is determined by the client whose account you are assigned to.

6.1 Registration

Registration takes place via an OauthOut login. You will be redirected from the app to the client's website, where you authenticate yourself. After authentication, an individual token is created and sent to the app. You are then logged in and assigned to the client's account with the app.

6.2 Execution of tasks

In order to document the execution of tasks, we regularly process the time, duration, names of the employees performing the task and the input data and content that you release in the app during the execution of the task. These are transmitted by the app to our servers and linked there with other order data. This information can be accessed by the client via a dashboard.

6.3 Access authorizations

In order to enrich the entries with further information on the task documentation, additional access authorizations are usually required, which must be released via your smartphone for system-related reasons. This data is processed after approval and entry as described above for the execution of tasks. The following access permissions are usually required for this:

  • Location data (GPS)
  • Pictures
  • Media
  • Files
  • Camera
  • Microphone

6.4 Profile management

After you have logged in, you can customize your own profile on the app. In addition to your name, you can enter your email address and telephone number in your profile and upload a picture. This profile is stored on our servers and is visible to your client and other colleagues who are assigned to the client's account.

6.5 Chat function

You can also use the app to send messages to your client and to colleagues who are assigned to your client's account. To do this, we process the names of the sender and recipient, the message text including the media content sent and the time at which the message is sent and make this information available to both communication partners. The communication histories are generally stored until the order is completed or the assignment to a client account expires.

6.6 Push notifications from your client

Your client has the opportunity to send you order-related push notifications. We use the service provider OneSignal Inc (201 S B St, San Mateo, CA 94401, United States) for this purpose. In order to receive push notifications, the system requires that you grant permission for this on your smartphone. You can revoke your permission to receive push notifications at any time in the respective menu item in the settings of your device.

If you wish to be informed by push notifications, an individual identification number is created in relation to your device ID and our app and stored with the push notification services of Apple (iOS devices) and Google (Android devices), which cannot be traced back by the services. On the basis of this code, it is possible to send you notifications via the push notification services, even if you have not opened our app at that moment. We also store your client as the sender of the message, its content and the time it was sent.

7. rights of data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and as a user you have the following rights vis-à-vis the controller:

7.1 Right to information

You have the right to request information from us about the processing of data concerning you. In addition to a copy of the data, this right to information also includes the purposes of the data processing, the data recipients and the storage period.

7.2 Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the rectification without undue delay.

7.3 Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of personal data concerning you:

  • if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
  • you have objected to processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the controller outweigh your reasons.
  • Where the processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction of processing is lifted.

7.4 Right to erasure

7.4.1 You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • You withdraw your consent on which the processing was based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
  • You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
  • The personal data concerning you have been processed unlawfully.
  • The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  • The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

7.4.2 If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

7.4.3 The right to erasure shall not apply to the extent that processing is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in para. 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the establishment, exercise or defense of legal claims.

7.5 Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the controller.

7.6 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Art. 6 para. 1 lit. f GDPR. Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.7 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

7.8 Right to withdraw your declaration of consent under data protection law

You have the right to withdraw your declaration of consent at any time and without giving reasons. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The processing is lawful until your withdrawal - the withdrawal therefore only affects the processing after receipt of your withdrawal. You can declare your revocation informally by post or e-mail. Your personal data will then no longer be processed, unless otherwise permitted by law. If this is not the case, your data must be deleted immediately after revocation in accordance with Art. 17 para. 2 GDPR.

Your revocation should be addressed to:

WAPP GmbH
Jöllenbecker Str. 5
33613 Bielefeld

7.9 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Data protection