Data protection – important notes

Foreword: The Health Spa Krumbad takes the protection of personal data very seriously. Special observance of the privacy is an important issue when processing personal data. This privacy policy clarifies users about the nature, scope and purpose of the collection and use of personal data by the provider of this website. The legal foundations of data protection can be found in the GDPR (DSGVO), the BDSG (Bundesdatenschutzgesetz), the E-Privacy Regulation and the Telemediengesetz (TMG). It is important to us that you always know when we store which data and how we process it. We endeavor to comply with all statutory provisions of the GDPR and take reasonable steps to protect personal data processed by us as best as possible against unauthorized access or use, loss, deletion or disclosure. We process personal information in a manner that requires reasonable confidentiality and security in accordance with applicable law. We have no influence on the content of external links. If you have any concerns, please notify us promptly to take appropriate action.

  1. Person responsible within the meaning of the DSGVO and other national data protection laws of the member states as well as other data protection regulations is: Heilbad Krumbad GmbH, Managing Director: Peter Heinrich, Bischof-Sproll-Str. 1 86381 Krumbach (Schwaben) Germany, Phone: +49 (8282) 906 - 0, E - Mail: This email address is being protected from spambots. You need JavaScript enabled to view it., Website: www.krumbad.de.
  2. Data protection officer within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is: Stefan Schreiber, Klosterhof 2, 86513 Ursberg, Germany, Tel.: +49 8281 92-0, E-Mail: This email address is being protected from spambots. You need JavaScript enabled to view it., Website: www.drw.de.
  3. Consent: By using our web pages and the content and offers contained therein, you declare your consent that the personal data you have voluntarily submitted will be stored by us and processed in compliance with this privacy policy.

  4. Data processing:
    1. Scope of the processing of personal data: We only process personal data of our users, insofar as this is necessary to provide a functional website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent can not be obtained for reasons of fact and the processing of the data is permitted by law.
    2. Legal basis for the processing of personal data: Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) as legal basis. In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b DSGVO as legal basis. This also applies to processing operations required to carry out pre-contractual actions. Insofar as processing of personal data is required to fulfill a legal obligation that is subject to our company, Art. 6 para. 1 lit. c DSGVO as legal basis. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d DSGVO as legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, Art. 6 para. 1 lit. f DSGVO as legal basis for processing.
    3. Data deletion and storage period: The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage is omitted. In addition, such storage may be provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for conclusion of a contract or fulfillment of the contract.
  5. Provision of the website and creation of log files
    1. Description and scope of data processing: each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. A storage of this data together with other personal data of the user does not take place. The following data is collected and stored in the log files of our system: information about the browser type and the version used, the user's operating system, the user's Internet service provider, the user's IP address, the date and time of access, websites from which the system of the user comes to our website, websites accessed by the user's system via our website, the content retrieved, the access status (file transfer, file not found, possibly error code). The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f DSGVO.
    2. Purpose of the data processing: The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. For these purposes, our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f DSGVO.
    3. Duration of storage: the data will be deleted as soon as they are no longer necessary for the purpose of their collection. In the case of collecting the data for providing the website, this is the case when the respective session is completed. In the case of storing the data in log files, this is the case after no more than seven days. An additional storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
    4. Contradiction and elimination: The collection of data for the provision of the website and the storage of data in log files is imperative for the operation of the website. There is consequently no contradiction on the part of the user.
  6. Use of cookies
    1. Description and scope of data processing: Our website uses technically necessary cookies. Cookies are text files that are stored in the Internet browser or the Internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page break. The cookies will contain language settings and log-in information. In addition, we use cookies that allow an analysis of the surfing behavior of users. In this way, the following data can be transmitted: entered search terms, frequency of page views, use of website functions. The data of the users collected in this way are pseudonymized by technical precautions. Therefore, an assignment of the data to the calling user is no longer possible. The data will not be stored together with other personal data of the users. When accessing our website, users are informed by an information banner about the use of cookies for analysis purposes and referred to this privacy policy. In this context, there is also an indication of how the storage of cookies in the browser settings can be prevented. The legal basis for the processing of personal data using cookies is Article 6 (1) lit. f DSGVO.
    2. Purpose of data processing: the purpose of using technically necessary cookies is to facilitate the use of websites for users. Some features of our website can not be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page break. We need cookies to accept language settings and to remember search terms. The user data collected through technically necessary cookies will not be used to create user profiles. The use of the analysis cookies is for the purpose of improving the quality of our website and its contents. The analysis cookies tell us how the website is being used so that we can continuously optimize our content. For these purposes, our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f DSGVO.
    3. Duration of storage, objection and elimination: Cookies are stored on the computer of the user and transmitted by this on our side. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to the full.
  7. Contact form, table reservation form and e-mail contact
    1. Description and scope of data processing: on our website a contact form is available, which can be used for electronic contact. If a user realizes this option, the data entered in the input mask will be transmitted to us and saved. These data are: company, salutation, first name, name, e-mail, telephone, how did you find out about us ?, your message text, number of persons, time and date, detail selection of option fields in the e-mail form. At the time of sending the message, the following data is also stored: the IP address of the user, date and time of registration, browser used, operating system. For the processing of the data in the context of the sending process your consent is obtained and referred to this privacy statement. Alternatively, contact via the provided e-mail address is possible. In this case, the user's personal data transmitted by e-mail will be stored. In this context, there is no disclosure of the data to third parties. The data is used exclusively for processing the conversation. Legal basis for the processing of the data is in the presence of the consent of the user Art. 6 para. 1 lit. a GDPR.
    2. Purpose of the data processing: the processing of the personal data from the input mask serves us only for the processing of the contact. In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
    3. Duration of storage: the data will be deleted as soon as they are no longer necessary for the purpose of their collection. For the personal data from the input form of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified. The additional personal data collected during the sending process will be deleted at regular intervals. In particular, when the facts are finally clarified.
    4. Opposition and elimination: The user has the option at any time to revoke his consent to the processing of personal data. If the user contacts us by e-mail, he may object to the storage of his personal data at any time. In such a case, the conversation can not continue. All personal data stored in the course of contacting will be deleted in this case.
  8. Hotel room booking online
    1. Description and scope of data processing: on our website is an online booking form available, which can be used for the electronic room reservation. If a user realizes this option, the data entered in the input mask will be transmitted to us and saved. These dates are: arrival, departure, room type, number of persons, adults, children, booking code, salutation, name of the guest (first name, last name), name of the customer (first name, last name, address, zip code, city / town, country, e-mail , Telephone, fax, credit card number, credit card valid until, special requests, notification to the hotel), or detail selection of option fields in the form. If necessary, these fields are protected by our interface service provider GMS (GMS Central Austria, Schillerstraße 25 5020 Salzburg, Tel +43 4734 627 40, Fax +43 4734 627 51, E-Mail This email address is being protected from spambots. You need JavaScript enabled to view it., Website www.gms.info ). At the time of sending the message necessary data for the booking will be transferred and stored: These are in particular your name, your address, your telephone number, your e-mail address and the date of your stay and the type of your booked room. For the processing of the data, your consent to the terms and conditions will be obtained as part of the sender process and reference is made to the privacy policy. When you make a booking, your booking details will only be forwarded to the booked hotel to make your reservation possible. In addition, your data will not be disclosed to third parties. Under no circumstances will your data be sold or lent. Due to legal regulations and corresponding legal or official orders, we are obliged in exceptional cases to provide data to the ordering authorities or courts. This will only happen within the scope of our legal obligations.
    2. Information about data security: Every data transfer in the context of an ordering process runs using the encryption method Secure Socket Layer (SSL) with up to 256 bits. SSL is a proven and globally-related encryption system that automatically encrypts your data before sending it. These can only be decrypted by our server. They are thus deprived of any external access. Additional security measures for credit card details: If you provide your credit card details to secure your booking, this information will not be forwarded directly to the hotel. The hotel initially receives only a random number code. This allows the hotel to access your data once, also using the SSL procedure. Calling the credit card data again is generally not possible, even if the correct code is specified.
    3. Purpose of data processing: Booking a hotel room, your stay at the hotel.
    4. Opposition and elimination: You can always get information about the data you have stored with us. You have the right to correct, delete and block incorrect data. The deletion of data, however, may conflict with contractual and / or statutory requirements, in particular those for the execution of the booking. If you have questions about our Privacy Policy, please contact GMS (GMS Zentrale Österreich, Schillerstraße 25 5020 Salzburg,Tel +43 4734 627 40, Fax +43 4734 627 51, E-Mail This email address is being protected from spambots. You need JavaScript enabled to view it., Website www.gms.info).
  9. Newsletter
    1. Description and scope of data processing: on our website you can subscribe to a free newsletter. When you sign up for the newsletter, the data from the input mask are transmitted to us and stored. These data are: Title, first name, name, e-mail, At the time of sending the message, the following data is also stored: The IP address of the user, date and time of registration, browser used, operating system. In connection with the processing of data for the sending of newsletters, there is no disclosure of the data to third parties. The data will be used exclusively for sending the newsletter. The legal basis for the processing of the data after the user has registered for the newsletter is the consent of the user Art. 6 para. 1 lit. a DSGVO or § 7 Abs. 3 UWG.
    2. Purpose of the data processing: the collection of the e-mail address of the user serves to deliver the newsletter.
    3. Duration of storage: The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The e-mail address of the user is therefore stored as long as the subscription to the newsletter is active.
    4. Opposition and elimination: subscription to the newsletter may be terminated at any time by the user concerned. For this purpose, there is a corresponding link in each newsletter.
  10. Google Maps
    1. Description and scope of data processing: We use Google Maps, Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA, hereafter "Google") on this website. A map excerpt is displayed. By calling up the page with the map section, Google creates a so-called cookie, a text file that stores data. Which data Google collects in detail is unknown to us. According to Google, this process is DSGVO compliant. Via the button "Navigation or Route Planning" on the map you can open a new window in your browser and plan your journey to our address with Google Maps. By clicking on this button you leave our website. Please note the Google Maps Terms of Service and Google's Privacy Policy .
    2. The purpose of the data processing is the presentation of a site plan and the facilitation of navigation to us. Activation of a link causes this action to be stored in the log files of the server (see 4.). The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. For these purposes, our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f DSGVO.
    3. Duration of storage: Each time the page is integrated with Google Maps, Google sets a cookie to process user preferences and data. This cookie usually expires after a certain period of time and is not automatically deleted by closing the browser.
    4. Opposition and removal option: it is possible to manually remove this cookie by deleting cookies in your browser. Opposition and elimination: If you disagree with the processing and transmission of your data, you can disable the service of "Google Maps" by disabling Java Script in your browser. We point out that Javascript is used by many websites and it can lead to a significant reduction in the functionality of your browser. By using this site, you consent to the collection, processing and use by Google of data collected and personally entered by you, in accordance with Google Maps Terms of Service and Google's Privacy Policy.
  11. Link to Google+ / Google My Business
    1. Description and scope of the data processing: we put on our side a link by a button to the networks Google+ and Google my business of the Google Inc., (1600 Amphitheater Parkway, mountain view, CA 94043, the USA, in the following "Google"). The link is included as either text "Google+" or "Google my business" or logo icon. He leads to our profile at the respective Google service. By clicking on this button you leave our website. Follow Google's privacy policy .
    2. Purpose of data processing on our website: the activation of a link means that this action is stored in the log files of the server (see 4.). The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. For these purposes, our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f DSGVO.
    3. Duration of storage: to the best of our knowledge, no IP address and no personal data of the user are stored on our website prior to calling the link to Google+ / Google my business and no evaluation of the user behavior takes place.
    4. Contradiction and elimination: The collection of data for the provision of the website and the storage of data in log files is imperative for the operation of the website. There is consequently no contradiction on the part of the user. You can prevent data transmission to Google by not clicking on the link (see 1.). By clicking on the link, you are leaving our website. Google may link your visit to our profile with your profile when you are logged in to Google. If you want to prevent this, you should log out of Google+ / Google my business before clicking the link. For more information, see the Google Privacy Policy .
  12. Link to Facebook
    1. Description and scope of the data processing: we put on our side a link by a button to the network Facebook. The linked logo icon opens in a new window of your browser on our profile on the website of facebook inc., 1601 p. California Ave, Palo Alto, CA 94304, USA; in the following Facebook). If you are logged in to Facebook, a link between your profile and our profile can be made on the Facebook website. For our part, only the activation of the link is stored in our server log files.
    2. Purpose of data processing on our website: the activation of a link means that this action is stored in the log files of the server (see 4.). The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. For these purposes, our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f DSGVO.
    3. Duration of storage: to the best of our knowledge, no IP address and no personal data of the user are saved on our website before the link to Facebook is called up and no evaluation of the user behavior takes place.
    4. Contradiction and elimination: The collection of data for the provision of the website and the storage of data in log files is imperative for the operation of the website. There is consequently no contradiction on the part of the user. You can prevent data transmission to Facebook by not clicking on the Facebook button. By clicking on the link, you are leaving our website. Facebook can associate the visit of our profile with your profile, if you are logged in to Facebook. If you want to prevent this, you should log out of Facebook before clicking the link. For more information, see the Facebook Privacy Notice https://www.facebook.com/policy.php .
  13. Link to external websites, linking to social networks
    1. The basic idea of ​​the Internet is networking. Our website is linked to external websites and social networks. Social networks include, for example, Facebook, Instagram, Google My Business, Google+, Twitter, Xing, Linked In, Google Maps and others, not listed here by name. You will recognize the link to the button, a logo and / or a text that indicates the social network in question. These links will only become active once you have clicked them. Here you leave our website, usually in a new browser window. The operator of the linked website, the social network receives your personal user data, including your IP address. If you are simultaneously logged into the social network whose plug-in you have activated on this website, information from your visit to this website may be associated with your account (user account) on this social network, processed and used , It is not excluded that the operator of the social network also tries to save a cookie on your computer, which is usually deleted when closing the Internet browser. The storage of cookies can be prevented differently depending on the browser, but this can lead to disruptions when visiting many websites. If you want to avoid that after activation information about your visit to this website is associated with your user account in the social network concerned, you must log out of the relevant social network before activating the link. Otherwise, when activating the link, the corresponding information is transmitted from your Internet browser to the operator of the relevant social network or website operator and possibly stored or further processed by this, which we have no influence. If you have any questions, please contact the privacy officer of the linked website, the social network.
    2. Purpose of the data processing: The activation of a link has the consequence that this action is stored in the log files of the server (see 4.). Further processing after activation does not take place on our website. The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. For these purposes, our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f DSGVO.
    3. Duration of storage: the data will be deleted as soon as they are no longer necessary for the purpose of their collection. In the case of collecting the data for providing the website, this is the case when the respective session is completed. In the case of storing the data in log files, this is the case after no more than seven days. An additional storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
    4. Contradiction and elimination: The collection of data for the provision of the website and the storage of data in log files is imperative for the operation of the website. There is consequently no contradiction on the part of the user.
  14. Purpose of data processing

    The processing of users' personal data enables us to analyze the surfing behavior of our users. By analyzing the obtained data, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. For these purposes, our legitimate interest lies in the processing of the data according to Art. 6 para. 1 lit. f DSGVO. The anonymisation of the IP address sufficiently takes into account the interest of users in their protection of personal data.

  15. Rights of the person concerned
    1. Right to information: You can ask the person in charge to confirm if personal data concerning you is processed by us. If such processing is available, you can request information from the person responsible about the following information:

      - the purposes for which the personal data are processed;
      - the categories of personal data that are processed;
      - the recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
      - the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
      - the right of rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
      - the existence of a right of appeal to a supervisory authority;
      - all available information on the origin of the data, if the personal data are not collected from the data subject;
      - the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended impact of such processing on the data subject Is entitled to request information on whether the personal data concerning you are transferred to a third country or to an international organization. In this connection, you can request the appropriate guarantees in accordance with. Art. 46 GDPR in connection with the transfer.

    2. Right to rectification: You have the right to rectification and / or completion to the person responsible, provided that the personal data you process is incorrect or incomplete. The responsible person must make the correction without delay.
    3. Right to restriction of processing: You may request the restriction of the processing of your personal data when:
      - You deny the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information.
      - the processing is unlawful and you refuse the deletion of personal data and instead demand the restriction of the use of personal data.
      - the person responsible no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defense of legal claims, or
      - if you objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.

      If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest Union or a Member State. If the restriction on processing has been restricted in accordance with the above conditions, the person responsible will inform you before the restriction is lifted.

    4. Right to delete
      1. Obligation to delete: You may require the controller to delete the personal data concerning you without delay, and the controller is obliged to delete this data immediately if one of the following reasons applies:

        - Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
        - You revoke your consent, to which the processing acc. Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. DSGVO and there is no other legal basis for processing.
        - You lay gem. Art. 21 para. 1 DSGVO objection to the processing and there are no prior justifiable reasons for the processing, or you lay gem. Art. 21 para. 2 DSGVO Opposition to processing.
        - Your personal data has been processed unlawfully.
        - The deletion of personal data concerning you is required to fulfill a legal obligation under Union or national law to which the controller is subject.
        - The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

      2. Information to third parties: If the person in charge has made the personal data concerning you public and he is acc. Article 17 (1) of the GDPR, it shall take appropriate measures, including technical means, to inform data controllers who process the personal data that you have been identified as being affected, taking into account available technology and implementation costs Persons requesting deletion of all links to such personal data or of copies or replications of such personal data.
      3. Exceptions: The right to delete does not exist if the processing is necessary
        - to exercise the right to freedom of expression and information;
        - to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of public authority delegated to the controller;
        - for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
        - for archival purposes of public interest, scientific or historical research purposes or for statistical purposes acc. Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
        - to assert, exercise or defend legal claims.
    5. Right to information: If you have the right to rectify, erase or restrict the processing to the controller, he / she is obliged to notify all recipients to whom the personal data relating to you have been corrected or deleted or processing restricted; unless this proves impossible or involves disproportionate effort. You have a right to the person responsible to be informed about these recipients.
    6. Right to Data Portability: You have the right to receive the Personal Data relating to you provided to the Responsible in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person without hindrance by the person responsible for providing the personal data, provided that the processing is based on a consent in accordance with Art. Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a DSGVO or on a contract acc. Art. 6 para. 1 lit. b DSGVO is based and processing is done using automated procedures. In exercising this right, you also have the right to obtain that your personal data relating to you are transmitted directly from one person to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected. The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.
    7. Right to object: You have the right at any time, for reasons that arise from your particular situation, against the processing of your personal data, which pursuant to Art. 6 para. 1 lit. e or f DSGVO takes an objection; this also applies to profiling based on these provisions. The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, exercising or defending legal claims. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes. Regardless of Directive 2002/58 / EC, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.
    8. Right to revoke the data protection consent declaration: You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
    9. Automated decision on a case-by-case basis, including profiling: You have the right not to be subjected to a decision based solely on automated processing - including profiling - which will have legal effect or similarly affect you in a similar manner. This does not apply if the decision to conclude or to execute a contract between you and the controller is required by Union or Member State legislation to which the controller is subject, and that legislation is adequate to safeguard your rights and freedoms as well as your legitimate interests or with your express consent. However, these decisions must not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g DSGVO applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases mentioned, the person responsible shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person by the controller, to express his or her own position and to challenge the decision.
    10. Right to complain to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of its residence, place of work or place of alleged infringement, if you believe that the Processing of your personal data violates the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.