Trade Republic Mobile App Privacy Notice

Current version: 31.08.2022

  1. General

We, the Trade Republic Bank GmbH ("Trade Republic" or "we") respect and protect your privacy. Privacy of our users and customers is one of our main priorities. It is very important to us that we inform you about what personal data is collected, how it is used and what options and rights you have as a data subject.

This privacy notice is relevant for the use of our mobile application. The privacy policy for the use of and navigation on our website can be found at https://traderepublic.com/privacy.

  2. Data Controller and Data Protection Officer

We are responsible for the data processing performed on the personal data relating to you, making us the “data controller” within the meaning of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Please note our company details, found in our imprint at https://www.traderepublic.com/en-nl/imprint. There you will also find the exact representation arrangements.

You can reach us by mail at Trade Republic Bank GmbH, Köpenicker Straße 40c, 10179 Berlin, Germany. We have appointed a data protection officer, who you can reach at the same address with the addition "Data Protection". You can reach us by email at service@traderepublic.com and the data protection officer at dataprotection@traderepublic.com.

  3. Which data do we collect, how is it used and how long is it retained?

In principle, processing activities take place only when absolutely necessary for providing the mobile app, or where the processing is mandatory for either entering into and fulfilling a contractual agreement with you or remaining in compliance with applicable laws and regulations. Every other processing activity that does not fall into those aforementioned purpose categories is carried out only if we have a legitimate interest upon which to base the processing activity, or you have given us your consent to do so. We will inform you of this at the appropriate place within this notice and ultimately during execution of the mobile app.

Pursuant to Art. 21 (1) GDPR, as a data subject with regard to the processing of personal data concerning you, each user has the right to object at any time to processing activities that are based on the legitimate interest of the controller (here, we are the data controller, pursuant to Art. 4 (7) GDPR). In the circumstance in which we would not be able to prove the existence of our compelling legitimate interest overriding the interests, rights and freedoms of the data subject (the user), the processing activity to which the user objects is terminated immediately and the personal data is no longer processed for these purposes. A user always has the opportunity to object to processing activities for direct marketing purposes: in the event of an objection, the controller is obliged to terminate the processing activity to which the user has objected as soon as technically possible. More information can be found in paragraphs 6.7 and 6.8 of this notice.

Depending on your smartphone operating system, information is transferred to the App Store (for iOS users) or Google Play (for Android users) when you download the mobile app. We have no influence on this data collection and are not responsible for it.

In each following subsection we describe the individual processes, explain the purpose and scope of the processing, specify the categories of personal data if possible, and inform you of the legal basis for the processing as well as the storage period or the criteria for determining it.

  3.1. Mobile app use and security

When you use our mobile app, our servers process your IP address and other technical characteristics, such as the specific content you requested via the mobile app. The connection is encrypted using Transport Layer Security (or “TLS”). The mobile app is used for the purpose of offering our services. The legal basis for processing is Art. 6 (1) lit. b GDPR. Without this processing activity we would not be able to offer our mobile app to the public.

We have a further legitimate interest in ensuring the security, stability and functionality of the IT systems, in which case the legal basis for this purpose is Art. 6 (1) lit. f GDPR. We would not be able to offer a secure and stable mobile application without these security activities.

For this purpose we use the services provided by Datadog Inc., 620 8th Avenue 45th floor, New York City, NY 10018 USA (“Datadog”), for managing the security logs generated by your use of the mobile app. The personal information retained in these logs is limited to your IP address and the activity you performed while using our mobile app. The log files of the servers are retained for 90 days, after which they are permanently deleted. Datadog’s privacy policy can be found here.

These log files are additionally stored on our servers located in Frankfurt am Main, Germany, and provided as a hosting service by Amazon Web Services EMEA Sárl, 38 Avenue John F. Kennedy, L-1855 Luxembourg (“AWS”). More information on the data storage processes we deploy can be found further below in this notice (Sec. 3.6). The log files are retained on these servers for 14 months, after which they are permanently deleted. The log files are stored for this longer period of time to allow forensic investigations and other similar security-related activities. The privacy notice of AWS can be found at their website here.

You may object to this processing at any time for reasons arising from your particular situation, as is further detailed below in this notice (Sec. 6.).

As our customer, your user account is saved in our systems. We assign the individual actions performed by you (such as order executions, watchlists and price alerts) to this user account. For this purpose, our mobile app generates a "device key" that is assigned to your mobile device. This links your mobile device to the user account. This serves security purposes to protect your user account from unauthorised access. The legal basis is Art. 6 (1) lit. b GDPR. Without this processing activity we would not be able to provide you with the mobile application. We delete this mapping once the purpose of the processing is achieved.

  3.2. General information about the creation of a customer account

You will find more detailed information in the data privacy notices for customers, which are provided to you as a PDF during the onboarding process. We will also provide you with this information, briefly and concisely, at the moment the processing takes place within the mobile app.

If you, for any reason, decide to not complete the onboarding process for becoming our customer, the personal data collected until such moment is retained for a period of time between three (3) and six (6) months, unless retention periods determined by law apply.

  3.3. Push-Notifications

Depending on the operating system on which your mobile device runs, we use either the Firebase Cloud Messaging service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") or the Apple Push Notification Services of Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA ("Apple") for the provision of push notifications or so-called in-app messages (messages that are only displayed within the app). In this process, a pseudonymized push reference is assigned to the mobile end-device, which serves as the target for the push messages or in-app messages. Information on the subject, type of message and time the message was sent is processed, as well as data on whether and when a message was received and read. In some cases, this data is also used as part of the analysis. Firebase Cloud Messaging and the Apple Push Notification Services are only used if you have given your consent beforehand. The legal basis is Art. 6 (1) lit. a GDPR. You can revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

  3.4. Identification

To facilitate the opening of the account, we offer an identification procedure for the required identification in accordance with the German Act on the Tracing of Profits from Serious Crimes - Money Laundering Act ("GwG") and the interpretation and application notes on the Money Laundering Act of the German Federal Financial Supervisory Authority ("BaFin"). The legal basis is Art. 6 (1) lit. b, c GDPR in conjunction with §§ 10, 11 GwG. Without the identification process we would not be able to allow you to become our customer.

The identification procedure is carried out on our behalf and exclusively for Trade Republic’s purposes by SafeNed-Fourthline B.V., Tesselschadestraat 12, 1054 ET Amsterdam ("Fourthline"), a company specialising in this field and an obligated party in accordance with Art. 2 (1) of the Directive (EU) 2015/849. In the procedure, we send your personal data, i.e. your full name, your date of birth, your email address, your telephone number and your selected language. The provider then verifies this information in the selected procedure. For this purpose, video recordings and photos of you and your ID document are taken, which are finally transmitted to us. We are obliged to keep this data for the duration of our contractual relationship and for five more years after the end of the contractual relationship (§§ 8, 10 GwG).

Fourthline’s privacy policy can be found at this link.

  3.5. Data hosting

We use the services provided by AWS, as well as Snowflake Computing Netherlands B.V., FOZ Building, Gustav Mahlerlaan 300-314, 1082 ME Amsterdam (“Snowflake”), for data storage and structuring purposes. Information enters our data storage servers only after being pseudonymised through the application of hashing methods.

The legal basis for the data hosting is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest consists of being able to host our data in database storage centers with state-of-the-art security measures and processes, particularly benefitting the protection of the confidentiality, integrity, availability and resilience of your personal information which we process, as well as being able to structure information, which includes personal data, in such a way that our data flows run successfully and without errors and produce precisely the desired outcomes. Examples of such outcomes are fulfilling your trade orders, conducting our own anti-money laundering and compliance controls and improving our products and services.

You may object to this processing at any time for reasons arising from your particular situation, as is further detailed below in this notice (Sec. 6.).

For the processing of personal information, both AWS and Snowflake have entered into a data processing agreement with us: in such agreement, AWS and Snowflake have agreed to solely store and otherwise process personal data on our behalf through servers located within the EU. It is still possible that, in the context of the processing activities performed on our behalf, AWS and Snowflake transfer data to or access data from a third country which does not guarantee the same standard of protection for personal information as in the EU. More information about our contractual setup and further measures implemented with the service providers for the safe processing of personal data can be found below, in Sec. 5 of this notice.

  3.6. Customer data platform

We have set up a customer data platform (“CDP”), with which we are able to automate all our communications and the initiation of workflows, depending on the events users trigger with the use of our mobile app. These events include not only the events triggered within the app itself, such as going from one screen to another, but also, if you are our customer, your trading activity and related information, as well as the personal data associated with your Trade Republic account.

All personal data that enters our CDP is pseudonymised beforehand with hashing techniques. This enables us to initiate the necessary event-dependent workflows with only the strictly necessary information.

The legal basis of processing for this activity is Art. 6 (1) lit. f GDPR (legitimate interest), on the basis of our interest in not only being able to reliably provide communications in a timely manner to each customer, but also in providing potentially interesting information to our customers and onboarding prospects. An example would be automatically providing valuable information for requesting support, in case a prospective customer encounters difficulties during the onboarding procedure. An additional benefit, which is also one of our legitimate interests, is to enable a much more efficient and less error-prone procedure for customers and prospective customers alike to see their data subject requests fulfilled in a timely and complete manner.

You may object to this processing at any time for reasons arising from your particular situation, as is further detailed below in this notice (Sec. 6.).

We retain personal data in our customer data platform only for the duration of our customer relationship with you. After termination, personal data associable with you is automatically and permanently deleted from the CDP. If you are not a customer of Trade Republic, the personal data linkable to you is automatically and permanently deleted after a period of time between three (3) and six (6) months since its collection, unless retention periods determined by law apply.

Our CDP is provided by mParticle, Inc., 257 Park Avenue South, Floor 9, New York, NY 10010, United States (“mParticle”). For the processing of personal information, mParticle has entered into a data processing agreement: in such agreement, mParticle has agreed to solely store and otherwise process personal data on our behalf through servers located within the EU. It is still possible that, in the context of the processing activities performed on our behalf, mParticle transfers data to or accesses data from a third country which does not guarantee the same standard of protection for personal information as in the EU. More information about our contractual setup and further measures implemented with mParticle for the safe processing of personal data can be found below, in Sec. 5 of this notice.

  3.7. Emails

We will send you emails in certain cases. These may be necessary, transactional emails. These are necessary, for example, to inform you about your contractual relationship with us. We use the service provider "SendGrid" of the company Twilio, Inc., 375 Beale St., San Francisco, CA 94105, United States (“Twilio”) and Braze, Inc., 318 West 39th Street, 5th Floor, New York 10018, USA (“Braze”). Twilio is represented in the European Union by Twilio Ireland Ltd, 25-28 North Wall Quay, Dublin 1, Ireland. The data is processed for the purpose of communicating with you. This allows us to ensure that emails arrive and are not sent back. This is necessary, for example, to ensure that transactional emails are also delivered. It also enables us to fulfil our contract, as we ensure that important emails actually reach the customer or user.

The legal basis for the contractually necessary emails to be sent is Art. 6 (1) lit. b GDPR. Without this processing activity we would not be able to provide you with our services within the mobile application. We provide links to the privacy statements of Twilio and Braze, respectively.

We may send marketing material to you, from time to time, which we think may be of interest to you. We will only do so after obtaining your explicit consent allowing us to use your Personal Data for such purposes, unless you are an existing customer of ours. In that case we will only send you marketing material which relates to or is similar to the goods or services we have provided to you in the past. We ensure that in each communication with you which contains such digital marketing material we will include a link to unsubscribe from receiving such material in the future.

Twilio and Braze use so-called “web beacons” to enable us to determine whether you have opened the email we have sent you. This is necessary for us to prove that you have received specific information contained in the emails. You can prevent this by not automatically loading external graphics in your email program, for example.

The sending of emails for direct marketing purposes, as well as the use of web beacons, is based upon our legitimate interest, Art. 6 (1) lit. f GDPR.

  3.8. SMS messages

We send short messages ("SMS") to your mobile phone number.

When you open a deposit, we make sure that you are not already a customer with us and therefore check whether the mobile phone number you have provided is not already in our database - this is done using a pseudonymized and secure hash algorithm. Your mobile phone number is subsequently stored in our customer database. This additional feature secures your access to your securities account and links your device and mobile phone number to your customer account. As soon as you are a customer with us, your data will be stored for the duration of the customer relationship. After the end of the contractual relationship, we are required by the Money Laundering Act to retain this data for up to five years, §§ 8, 10 GwG.

However, if you decide not to become a customer during the opening process, we will store the data collected so far for a period of time between three (3) and six (6) months after the start of the opening process, unless retention periods determined by law apply. It is not possible to become a customer without providing your mobile phone number.

Legal basis for processing is Art. 6 (1) lit. b GDPR (contractual fulfilment). Without this processing activity we would not be able to onboard you as a customer, thus impeding you from using our products and services.

For SMS dispatch, we use two service providers on our behalf, who send the SMSs automatically according to our instructions.

Twilio

Twilio, Inc., 375 Beale St., San Francisco, CA 94105, United States (“Twilio”). Twilio, Inc. is represented in the EU by Twilio Ireland Ltd., 25-28 North Wall Quay, Dublin 1, Ireland. Twilio’s privacy statement can be found here.

MessageBird

MessageBird B.V., Trompenburgstraat 2C, (1079 TX) Amsterdam (“MessageBird”). MessageBird’s privacy statement can be found here.

  3.9. Customer referral program

As a customer, you have the opportunity to refer other customers and receive a bonus in exchange. You can find more details about this in the corresponding description and the conditions of the customer referral program. We use the technology "Adjust" provided by Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany ("Adjust"). Adjust creates an individual identifier based on the advertising ID (IDFA or ADFA) of your mobile device and can thus create an individual link that you can send to the advertised person. Based on this link, your bonus can finally be granted to you in case of successful advertising. The ID used is pseudonymized, i.e. Adjust cannot draw any conclusions about a specific person.

The legal basis for the processing is Art. 6 (1) lit. b GDPR (contract fulfilment of the customer referral program). More information about Adjust’s data processing can be found in their privacy statement here. Without this processing activity, we would not be able to track the individuals that would benefit from the customer referral program.

  3.10. Contact request via the mobile app (customer service)

As a customer, you can contact us directly via the mobile app. For this purpose, an integrated contact form is used, in which you may contact us directly. For the performance of this service you would have to provide us with your name and email address: this allows us to determine that you are our customer and help you accordingly. This service is provided in the context of the execution of the contract established with you and, thus, the legal basis for processing is Art. 6 (1) lit. b GDPR. Without this processing activity we would not be able to provide you with support for your inquiries.

We use the services of Trade Republic Service GmbH, Kastanienallee 32, 10435 Berlin, Germany (“TRS”), to provide customer service.

We use the ticket system “Zendesk”, a customer service platform provided by Zendesk Inc, 989 Market Street 300, San Francisco, CA 94102, United States (“Zendesk”), to process customer requests.

We have entered into a processing agreement with TRS, as well as Zendesk, which governs the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and our obligations and rights. TRS and Zendesk will only process your personal data on our instructions. TRS and Zendesk guarantee all necessary technical and organisational measures to ensure security of your personal data appropriate to the risk. We will delete the personal data obtained through your contact as soon as it is no longer necessary to achieve the purpose. This is usually the case when the respective conversation has ended. We assume termination when it can be inferred from the circumstances that the matter in question has been conclusively clarified. Of course, we limit the processing of personal data to the utmost necessary. However, the deletion period may be longer if we are required to retain it due to regulatory obligations as a licensed bank. Furthermore, there may be longer retention periods related to our responses, which may contain your inquiry as a quote, as far as commercial and business letters are concerned. Here, the legal storage obligation may be up to 10 years.

Zendesk’s privacy policy can be found here. Zendesk additionally published a page on their website regarding their implemented data protection standards, which you may check out here.

Further information regarding the data processing activities we perform for processing support requests can be found in the privacy notice for customer support, which we present the moment a support request is initiated.

  3.11. Market updates

We present news content within our app in both written and podcast form. In order to display the content, we use the services of Contentful GmbH, Max-Urich-Straße 3, 13355 Berlin, Germany ("Contentful"). Contentful uses a so-called CDN (Content Delivery Network) to provide the service, and processes your IP address for this purpose.

The legal basis for the processing performed by Contentful is Art. 6 (1) lit. f (legitimate interest): our legitimate interest is to offer you a mobile app with appealing features, content and processes, as well as to make the information contained on our mobile app easily readable and accessible.

Market updates can be turned off at any time through the settings in the app. When turned off, no data processing is performed by Contentful on our behalf.

More information can be found on Contentful’s privacy notice here.

  4. Marketing and analytics

In this section, we inform you about our intended marketing and analysis processing within our mobile app. In doing so, we largely rely on "software development kits" or “SDKs” for short. These are provided by the respective providers and represent small programming snippets that are incorporated into the mobile app.

  4.1. Google Firebase Crashlytics

We use the Firebase Crashlytics technology from Google. Firebase Crashlytics is part of the Google Cloud Platform. Firebase Crashlytics is used for the stability and improvement of the mobile app. It collects information about the device used and the usage of our app (e.g. the timestamp, when the app was started and when a crash occurred), which enables us to diagnose and solve problems. In this process, so-called "crash_reports" are generated, which only receive information about issues and crashes. We use Crashlytics for the purpose of providing a functional mobile app and fixing stability issues. The data is analysed in a fundamentally anonymized way. This purpose represents our legitimate interest in processing, the legal basis is Art. 6 (1) lit. f GDPR. Google Firebase uses servers within the EU for these services at our discretion. The data is deleted automatically after 90 days. More details about the processed data can be found here.

You can object to this processing at any time for reasons arising from your particular situation. You can find more information under "Your rights" in the last section.

  4.2. Google Firebase Remote Config

We use the technology Google Firebase Remote Config ("Remote Config") from Google. Remote Config is part of the Google Cloud Platform. Remote Config provides us with the ability to change configurations and make updates to the appearance and performance of our mobile app while it remains functional. This way, users can continue to use our mobile app without downtime. This is critical for the trading services we provide to work. Remote Config uses the same technology as Crashlytics. Only performance-related data is collected and no data that could be used to identify or profile the user is collected. We use Remote Config for the purpose of providing a functional mobile app. This purpose constitutes our legitimate interest in processing, making the legal basis of the processing Art. 6 (1) lit. f GDPR. Google Firebase uses servers within the EU for these services at our discretion. The data is deleted automatically after 180 days. More details about the processed data can be found here.

You can object to this processing at any time for reasons arising from your particular situation. You can find more information under "Your rights" in the last section.

  4.3. Google Analytics for Firebase

We use the technology Google Analytics for Firebase from Google. Google Analytics for Firebase enables the analysis of how users use our app. This means that information about the use of our mobile app is collected, transmitted to Google and stored there. For this purpose, device information, information on individual requests within the app (events), location data and user IDs are processed. The data is used to analyse user behaviour and make decisions regarding product and marketing optimization based on the results. Google Analytics for Firebase is generally only started after your express consent; the legal basis of processing is therefore Art. 6 (1) lit. a GDPR. You may revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the revocation. You may revoke your consent within the mobile app just as easily as you have given the consent itself.

  5. Third-country data transfer

For the processing activities involving the use of services provided by AWS and Datadog (3.1 Mobile app use), Snowflake (3.5 Data hosting), mParticle (3.6 Customer Data Platform (CDP)), SendGrid and Braze (3.7 Emails), Google Firebase Crashlytics (4.1) and Remote Config (4.2), the following applies:

Third-country data transfer - “AWS”, “Datadog”, “Snowflake”, “mParticle”, “SendGrid”, “Braze”, “Google Firebase Crashlytics”, “Google Firebase Remote Config”

The providers of these services are contractually obligated not to transfer personal data to the United States of America. There may be exceptional circumstances beyond our control under which these service providers may transfer personal data to the United States. In this case, the personal data may be transferred to a so-called third country, in this case the United States. The United States is a third country not covered by an adequacy decision of the European Commission and therefore does not provide an adequate level of protection for personal data. Such a transfer is only permitted if the level of protection of your data guaranteed by the GDPR is met. The transfer therefore takes place on the basis of appropriate safeguards pursuant to Art. 46 (2) lit. c GDPR, the so-called standard data protection clauses ("standard contractual clauses"). In conjunction with additional measures to ensure an adequate level of protection, this guarantees that the EU data protection requirements are also met when processing data in the United States. You can request additional information and a copy of the standard contractual clauses by emailing us.

For the processing activities involving the use of the services provided by Google and Apple (3.3 Push Notifications), as well as Google Analytics for Firebase (4.3), the following applies:

Third-country data transfer - “Google”, “Apple”, “Google Analytics for Firebase”

There may be exceptional circumstances beyond our control under which the providers of these services transfer personal data to the United States of America, a so-called third country. Data may be transferred to all data centres of the service providers (including in non-EU countries without an adequate level of data protection, in particular the United States) without appropriate safeguards within the meaning of Article 46 of the GDPR. In its ruling of July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield invalid (Case C-311/18; so-called ‘Schrems II’) and stated that an adequate level of data protection cannot be guaranteed in the United States. On the one hand, there is a risk of access to the transferred data by U.S. security authorities without any provision for effective legal remedies. On the other hand, there are no enforceable data subject rights. The transfer of personal data is only permitted if the level of protection of your data guaranteed by the GDPR is met. The transfer therefore takes place on the basis of appropriate safeguards pursuant to Art. 46 (2) lit. c GDPR, the so-called standard data protection clauses ("standard contractual clauses"). In conjunction with additional measures to ensure an adequate level of protection, this guarantees that the EU data protection requirements are also met when processing data in the United States. You can request additional information and a copy of the standard contractual clauses by emailing us. These transfers only take place with your express consent on the basis of Art. 49 (1) lit. a GDPR.

For the processing activities involving the use of the services Zendesk (3.10 Contact request via the mobile app (customer service)) and Twilio (3.8 SMS Messages), the following applies:

Third-country data transfer - “Zendesk”, “Twilio”

The personal data may be transferred to a so-called third country, in this case the United States. The United States is a third country that is not covered by an adequacy decision of the European Commission and therefore does not provide an adequate level of protection for personal data. Such a transfer is only permitted if the level of protection of your data guaranteed by the GDPR is met. The transfer therefore takes place on the basis of appropriate guarantees pursuant to Art. 46 (2) lit. b in conjunction with Art. 47 GDPR, the so-called “Binding Corporate Rules”. In conjunction with additional measures to ensure an adequate level of protection, this guarantees that the EU data protection requirements are also complied with when processing data in the United States. You can request additional information and a copy of the Binding Corporate Rules from us by email.

  6. Your rights as data subject

You have the following rights: right to access, right to rectification, right to restriction of processing, right to erasure, right to information and right to data portability. In addition, you have a right of objection to processing, of withdrawal of consent and the right to complain to a supervisory authority.

  6.1. Right of access

You have the right to request confirmation from us as to whether we are processing your personal data. If this is the case, you have the right to obtain information about the following:

If we transfer your data to an international organisation or to a third country, you have the right to request information about appropriate safeguards in accordance with Art. 46 GDPR have been established for those transfers.

  1. Right of rectification

You have the right to correct and/or complete the data we have stored about you if this data is incorrect or incomplete. We will then of course correct this data immediately, in accordance with your input and request.

  1. Right of restriction of processing

Under specific circumstances, you have the right to request that we restrict the processing of your personal data. At least one of the following conditions must be met:

  1. Right of erasure

You have the right to demand that we delete your personal data immediately if we are obliged to do so. This is the case if one of the following conditions is met:

If we have made your personal data public and we are obliged to erase it in accordance with the aforementioned conditions, we shall take reasonable measures, including technical measures, to inform other data controllers processing the personal data that you have requested that we erase all links to or copies or replications of such personal data, taking into account the technologies at our disposal and implementation costs.

However, your right to erasure does not apply if the processing is necessary for the following reasons (exceptions):

  1. Right of information

If you have exercised your right to rectify, erase or restrict the processing of your data, we are obliged to notify all recipients to whom we have disclosed your personal data of the rectification, erasure or restriction of the processing of your data, unless this proves impossible or involves a disproportionate effort.

  1. Right of data portability

You have the right to receive the personal data you have provided us in a structured, commonly used and machine-readable format, as well as to have this data transferred to another controller, subject to the following conditions:

You have the right to have us transfer your personal data directly to another controller, insofar as this is technically feasible and does not affect the freedoms and rights of other persons.

This right to data portability does not apply if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

  1. Right to object

You have the right to object at any time to the processing of your personal data based on Art. 6 (1) lit. e or lit. f GDPR for reasons arising from your particular situation. This also applies to profiling based on these provisions.

We will no longer process your personal data after an objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

  1. Right of objection to direct advertising

We may send marketing material to you, from time to time, which we think may be of interest to you. We will only do so after obtaining your explicit consent allowing us to use your Personal Data for such purposes, unless you are an existing customer of ours. In that case, we will only send you marketing material which relates to or is similar to the goods or services we have provided to you in the past. We ensure that in each communication with you which contains such digital marketing material we will include a link to unsubscribe from receiving such material in the future.

  1. Right to withdraw (consent)

According to Art. 7 (3) GDPR, you have the right to revoke your provided consent at any time. The withdrawal of consent does not retroactively invalidate the lawfulness of the processing.

  1. Right to lodge a complaint to a supervisory authority

You have the right to lodge a complaint to a supervisory authority, without prejudice to any other administrative or judicial remedy. In particular, you may exercise your right to lodge a complaint in the Member State of your residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.

An overview of the respective countries' data protection officers and their contact details can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

You may also reach the supervisory authority responsible for us, at the following address:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstraße 219

Visitors entrance: Puttkamer Straße 16 - 18 (5th floor)

10969 Berlin

Telephone: 030/138 89-0

E-Mail: mailbox@datenschutz-berlin.de

Homepage: https://www.datenschutz-berlin.de