Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 17 December 2024

  • the identity and the contact details of the controller and, where applicable, of the controller's representative
  • the contact details of the data protection officer, where applicable
  • the purposes of the processing for which the personal data is intended
  • the legal basis for the processing
  • the categories of personal data concerned
  • the source from which the personal data originates, and if applicable, whether it came from publicly accessible sources
  • the legitimate interests pursued by the controller or by a third party if processing is based on the legitimate interests ground
  • the recipients or categories of recipients of the personal data, if any
  • information regarding data transfers to third countries, where applicable, including a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
  • the existence of the right to withdraw consent if processing is based on consent
  • the right to lodge a complaint with a supervisory authority
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data
  • if applicable, information regarding automated decision-making, including profiling
Do data subjects have specific privacy rights that must be operationalized?

Last review date: 17 December 2024

Yes.

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

  • right to access the data subject's own personal data
  • right to rectify/correct the data subject's own personal data where inaccurate or incomplete
  • right to erasure of personal data
  • right to restrict data processing
  • right to data portability
  • right to object to the processing of personal data
  • right to withdraw consent
  • other: e.g., right to claim damages or to request a cease and desist order
Are there accountability and governance requirements?

Last review date: 17 December 2024

Yes.

There are accountability and governance requirements to:

  • implement privacy by design and by default measures for all processing of personal data
  • perform and document data protection impact assessments (DPIAs) for high-risk processing:
      • The German data protection authorities issued a list of processing activities for which a DPIA is to be carried out (available in English: Offizielles Kurzpapier der DSK).
  • maintain a record of processing activities
  • implement appropriate measures to comply with data privacy and cybersecurity requirements
  • demonstrate compliance with data privacy and cybersecurity requirements
  • identify a specific individual as the data privacy contact for data subject or data protection authority inquiries
  • provide training to employees
  • audit or supervise data processors
  • appoint a local representative in the jurisdiction (if the controller or processor is not located in the jurisdiction)