Headline: Data Protection Policy

RIFS is integrated into the Helmholtz Centre Potsdam – GFZ German Research Centre for Geosciences. The GFZ takes the protection of personal data very seriously. The GFZ is bound to protect the privacy of everyone who uses its website and to treat any personal data provided in the strictest confidence. This data is used solely for the purposes indicated in each case and is not forwarded to any third party.

I. Name and address of controller

The data controller as defined in the General Data Protection Regulation, the national data protection laws of other EU member states, and other data protection regulations is:

Helmholtz Centre Potsdam – GFZ German Research Centre for Geosciences
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 0
Website: https://www.gfz-potsdam.de

II. Name and address of data protection officer

The controller’s data protection officers are:

Eva Grübel-Hoffmann
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 1052
E-Mail: datenschutz [at] gfz-potsdam [dot] de

III. General information on data processing

1. Scope of personal data processing

In general, the GFZ only processes personal data collected from users insofar as this is necessary to provide a functional website with the relevant content and services. As a rule, personal data provided by users is only processed with the respective user's consent. Exceptions apply in cases where the user’s prior consent cannot be obtained on factual grounds and statutory regulations permit the processing of personal data.

2. Legal basis for the processing of personal data

Art. 6 no. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis when the GFZ obtains a data subject's consent to the processing of their personal data. Art. 6 no. 1 lit. b GDPR serves as the legal basis when processing personal data for the performance of a contract to which the data subject is a party. The same applies to any processing measures that are required if steps are to be taken before entering into a contract.
Art. 6 no. 1 lit. c GDPR serves as the legal basis when the processing of personal data is necessary for compliance with a legal obligation to which the GFZ is subject. Art. 6 no. 1 lit. f GDPR serves as the legal basis when processing is necessary to safeguard the legitimate interests of the GFZ or a third party, and provided these legitimate interests are not outweighed by the data subject’s interests and fundamental rights and freedoms.

3. Data erasure and storage period

The data subject's personal data is erased or blocked as soon as the purpose for which it was stored ceases to apply. Personal data may also be stored if so specified by European or national legislators in EU regulations, laws or other provisions to which the data controller is subject. In such instances, personal data is blocked or erased when a retention period specified in any of the above-named legislation expires, unless it has to be retained for longer in order to conclude or execute a contract.

IV. Provision of website and generation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the accessing computer system.
The following information is stored in the web server’s log files:

  • the client's IP address
  • the user’s ID, if the request requires the user to register
  • the date and time of the request
  • the client’s specific request, including the HTTP method, HTTP protocol version, and the path of the resource requested
  • the status code sent back to the client by the server
  • the size of the resources requested
  • the URL of the website from which the user accessed the current web page or file
  • the client program identifier

This data is also stored in our system’s log files. However, it is not stored together with other personal data collected from the user.
The legal basis for the temporary storage of this data is Art. 6 no. 1 lit. f GDPR.

2. Purpose of data processing

This data is used to optimise website use, correct errors, and safeguard the security of our information technology systems. Data collected in this context is not evaluated for marketing purposes.
The above-named purposes also constitute the GFZ’s legitimate interest in processing the data pursuant to Art. 6 no. 1 lit. f GDPR.

3. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. Log files are deleted within 14 days of accessing the website.

4. Right to object and right to erasure

The collection of data for website provision and the storage of data in log files are absolutely essential to the operation of the website. The user is therefore unable to assert any right to object in this context.

V. Use of Cookies

1. Description and scope of data processing

The RIFS website uses cookies. Cookies are text files stored in the user’s web browser or by the web browser on the user’s computer system. Whenever a user accesses a website, a cookie can be stored on that user's operating system.

The GFZ uses cookies to make the RIFS website more user-friendly. Some elements on the RIFS website require the accessing browser to be identified after the user has moved to another web page.

When accessing the RIFS website, an info banner informs users that cookies are being used for analytical purposes and refers them to this data protection declaration. Users are also informed how the storage of cookies can be prevented by changing the browser settings.

NameCompanyPurposeTypeRetention periodParty
cookie-agreedRIFSSaves the preferences selected by the site visitor in the cookie boxEssential100 days1st Party

cookie-agreed-version

RIFSIndicates the version of the cookie that will be setEssential100 days1st Party
cookie-agreed-categoriesRIFSSaves the preferences selected by the site visitor in the cookie boxEssential100 days1st Party
_pk_id.1.ed65RIFSCreates an ID to facilitate the recognition of returning visitorsOptional, Performance29 days1st Party
_pk_ses.1.ed65RIFSCreates a unique ID that is valid for a single session to track how users move through the website (click path)

Optional,
Performance

 

Session1st Party

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 no. 1 lit. f GDPR.

3. Purpose of data processing

The use of technically necessary cookies is intended to simplify website use. Some of the functions on our website cannot be provided unless cookies are enabled. In these cases, it is essential that the browser is also recognised after accessing another page.
The user data collected by these technically necessary cookies is not used to generate user profiles.

4. Storage period, right to object and right to erasure

Cookies are stored on the user's computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our website, it may no longer be possible to use all the website’s functions in full.

VI. Subscription to our newsletter

Visitors to the RIFS website are invited to subscribe to the institute’s newsletter. The scope of personal data transmitted to the controller when subscribing to the newsletter is specified on the input page.

RIFS informs its users and partners at regular intervals by means of a newsletter about its various activities. As a rule, this newsletter can only be received by a data subject if (1) the data subject has a valid e-mail address and (2) registers for the newsletter. For legal purposes, a confirmation email is initially sent to the email address specified by the data subject as a double opt-in procedure. This confirmation e-mail serves to verify whether the owner of the e-mail address has in fact authorized the receipt of the newsletter.

When a data subject registers for the newsletter, we also store the IP address of the computer system used at the time of registration, as assigned by the Internet Service Provider (ISP), as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of a data subject's e-mail address at a later time and serves as a legal safeguard for the controller.

Personal data collected in connection with the newsletter will be used exclusively for the transmission of our newsletter. Subscribers to the newsletter may also be informed by e-mail of developments relevant to the newsletter or a related registration, such as changes to the newsletter itself or technical aspects of this service. Personal data collected within the scope of the newsletter service is not forwarded to any third parties. A subscription to our newsletter can be cancelled by the data subject at any time. Data subjects may revoke their consent to the storage of personal data relevant to the newsletter service at any time. Consent may be revoked using a corresponding link contained in each issue of the newsletter. It is also possible to unsubscribe from the newsletter at any time directly on the website of the controller or to notify the controller of this by other means.

VII. Newsletter tracking

RIFS newsletters contain so-called tracking pixels. A tracking pixel 1x1 image created with a small piece of HTML coding, used to log and analyse user behaviour. The use of tracking pixels facilitates the statistical evaluation of the success or failure of our online marketing activities. The data collected enables RIFS to see if and when an e-mail was opened by a data subject, and which links contained in the e-mail were called up by the data subject.

Personal data collected via tracking pixels contained newsletters are stored and analysed by the controller in order to optimize the newsletter service and to adapt the content of future newsletters to the interests of the data subject. This personal data will not be disclosed to third parties. Data subjects may, at any time, revoke their declaration of consent to the use of tracking pixels via double opt-in. The controller will delete any personal data collected by this means following the revocation of consent. If you terminate your subscription to the newsletter, RIFS shall consider this as a revocation of consent.

VIII. Contacting RIFS through our website

In accordance with statutory provisions our website contains information that enables data subjects to quickly contact us electronically – this includes a general address for electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by using a contact form, the personal data transmitted by the data subject will be stored automatically.  Personal data submitted to the controller on a voluntary basis by a data subject will be stored for the purpose of processing or contacting the data subject. This personal data is not passed on to third parties.

IX. Comment function in the website’s blog

RIFS allows visitors to the controller’s website to leave individual comments on posts published on a so-called ‘blog’. A blog is a portal on a website, usually publicly available, in which one or more people, called bloggers or web bloggers, can post articles or write down thoughts in so-called blogposts. The blogposts can usually be commented on by third parties.

If a data subject leaves a comment on the blog published on our website, information on the time of comment entry and the user name (pseudonym) chosen by the data subject will be stored and published in addition to the comments left by the data subject.

Furthermore, the IP address assigned by the Internet service provider (ISP) of the data subject is also logged. The IP address is stored for security reasons and in the event the data subject violates any third-party rights or posts illegal content through a submitted comment. The storage of this personal data is therefore in the interest of the controller, so that the controller could exculpate itself if necessary in the event of an infringement. There is no disclosure of this collected personal data to third parties, unless such disclosure is required by law or serves the controller’s legal defence.

X. Web analysis by Matomo (formerly PIWIK)

1. Scope of personal data processing

The GFZ uses the open source software tool Matomo (formerly PIWIK) on the RIFS website to analyse the browsing behaviour of its website users (specifically Matomo’s 'JavaScript Tracker’). The software stores a cookie on the user’s computer (see above for information about cookies). The following data is stored whenever individual pages on the website are accessed:

  • IP address of the user's accessing system (anonymized)
  • the date and time of the request
  • Title of the viewed page (page title)
  • URL of the viewed page (page URL)
  • URL of the previously viewed page (referrer URL)
  • Screen resolution
  • Time in the user's local time zone
  • Files clicked and downloaded (downloads)
  • Links that have been clicked and point to other domains (outlinks)
  • Time for page creation and download (page speed)
  • Country of origin of the user (geolocation)
  • Main language of the browser used (Accept-Language header)
  • "User Agent" of the used browser (User-Agent header) * the "Universal Device Detection library" is used to detect the browser, the operating system, the used device, its manufacturer and model

Some information is stored in "first party cookies" and evaluated by Matomo:

  1. Random unique visitor ID
  2. Time of the first visit for the specific visitor
  3. Time of the previous visit for the specific visitor
  4. Number of visits for the specific visitor

The raw data of the visits, which are stored anonymously in the Matomo database, are deleted after 14 days.

The software runs exclusively on the website’s servers. Users’ personal data is stored only on these servers and is not passed on to third parties.

The software is set so that 2 bytes of a user’s IP address are masked (Ex: 192.168.xxx.xxx). As a consequence, it is not possible to match the abridged IP address to the calling computer. If your web browser flags a Do Not Track option, we will respect your choice.

2. Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

Processing personal data enables us to analyse the browsing behaviour of our users. Evaluations of the data collected allow the GFZ to compile information about the use of individual components on the website. This helps us to continue improving our website and make it more user-friendly. These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6 no. 1 lit. f GDPR. The user’s interest in the protection of their personal data is duly taken into account by anonymising the IP address.

4. Storage period

Data is deleted as soon as it is no longer required for our purposes.

5. Right to object and right to erasure

Cookies are stored on the user's computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for the RIFS website, it may no longer be possible to use all the website’s functions in full.
For more information on the privacy settings of the Matomo software, please visit: https://matomo.org/docs/privacy

XI. Data protection provisions on the use and application of Facebook plug-ins

The controller has integrated components provided by the company Meta (formerly Facebook, Inc.) on this website. Facebook is a social network.

A social network is a social meeting place operated on the Internet, an online community that usually allows users to communicate and interact with each other in virtual space. A social network can serve as a platform for the exchange of opinions and experiences or enable the user community to share personal or company-related information. Facebook allows users to create private profiles, upload photos, and build networks through friend requests, among other features.

The operating company of Facebook is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. For data subjects residing outside of the United States or Canada, the controller is: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Each individual visit to our website, which is operated by the controller and equipped with a Facebook component (Facebook plug-in), causes the browser used by the data subject to download a corresponding representation of the component from Facebook. A complete overview of all Facebook plug-ins can be found at https://developers.facebook.com/docs/plugins/. As part of this technical process, Facebook receives information about which specific subpage of our website is visited by the data subject.

If the data subject is logged into Facebook at the same time, Facebook recognizes which specific subpage of our website the data subject is visiting each time the data subject calls up our website and for the entire duration of the respective stay on our website. This information is collected by the Facebook component and matched by Facebook to the respective Facebook account of the person concerned. If the data subject activates one of the Facebook buttons integrated on our website, for example the "Like" button, or if the data subject makes a comment, Facebook matches this information to the data subject's personal Facebook user account and stores this personal data.

Facebook always receives information via the Facebook component that the data subject has visited our website if the data subject is logged into Facebook at the same time as calling up our website; this takes place regardless of whether the data subject clicks on the Facebook component or not. If the data subject does not want this information to be transmitted to Facebook, he or she can prevent this by logging out of their Facebook account before accessing our website.

Facebook's data policy can be found at https://www.facebook.com/privacy/policy and provides an overview of the collection, processing and use of personal data by Facebook. It also explains the setting options Facebook offers to protect the privacy of the data subject. In addition, different applications are available that allow users to suppress the communication of data to Facebook. Such applications can be used by the data subject to suppress the transfer of data to Facebook.

XII. Data protection provisions on the use and application of LinkedIn

The controller has integrated components provided by the LinkedIn Corporation on this website. LinkedIn is an Internet-based social network that allows users to connect with existing business contacts and make new business contacts. LinkedIn has over 400 million registered users in more than 200 countries. This makes LinkedIn currently the largest platform for business networking and one of the most visited websites in the world.

LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. Data subjects residing outside of the USA with concerns about privacy issues should contact: LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

With each individual visit of our website that is equipped with a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the data subject to download a corresponding representation of the component from LinkedIn. Further information on the LinkedIn plug-ins can be found at https://developer.linkedin.com/plugins. As part of this technical process, LinkedIn receives information about which specific sub-page of our website is visited by the data subject.

If the data subject is logged on to LinkedIn at the same time, LinkedIn recognizes which specific sub-page of our website the data subject is visiting each time the data subject calls up our website and for the entire duration of the respective stay on our website. This information is collected by the LinkedIn component and matched by LinkedIn to the respective LinkedIn account of the person concerned. If the data subject activates a LinkedIn button integrated on our website, LinkedIn matches this information to the personal LinkedIn user account of the data subject and stores this personal data.

LinkedIn always receives information via the LinkedIn component that the data subject has visited our website if the data subject is logged into LinkedIn when visiting our website; this takes place regardless of whether the data subject clicks on the LinkedIn component or not.  If the data subject does not want this information to be transmitted to LinkedIn, he or she can prevent the transmission by logging out of his or her LinkedIn account before accessing our website.

LinkedIn users can unsubscribe from email messages, SMS messages, and targeted ads, as well as manage ad settings at www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame, which may set cookies. LinkedIn's cookies policy is available at https://www.linkedin.com/legal/cookie-policy. LinkedIn's applicable privacy policy is available at https://www.linkedin.com/legal/privacy-policy. LinkedIn's cookie policy is available at https://www.linkedin.com/legal/cookie-policy.

XIII. Data protection provisions on the use and application of Twitter plug-ins

The controller has integrated components provided by Twitter on this website. Twitter is a multilingual, publicly accessible micro-blogging service on which users can publish and distribute so-called ‘tweets’: short messages limited to 280 characters. These short messages can be accessed by anyone, including people who are not logged on to Twitter. However, tweets are also displayed to the respective user’s so-called ‘followers’. Followers are other Twitter users who subscribe to (follow) a user's tweets. Twitter also enables users to address a broad audience through hashtags, links or retweets.
Twitter is operated by: Twitter International Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07, Ireland.

Each time a person visits one of the individual pages of our website operated by the controller and on which a Twitter component (Twitter button) has been integrated, the Internet browser on the data subject’s information technology system is automatically caused by the respective Twitter component to download a representation of the corresponding Twitter component from Twitter. Further information on the Twitter buttons can be found at https://about.twitter.com/de/resources/buttons. As part of this technical process, Twitter receives information about which specific subpage of our website is visited by the data subject. The purpose of integrating the Twitter component is to enable our users to distribute the content of this website, to make this website known in the digital world and to increase our visitor numbers.

If the data subject is logged in to Twitter at the same time, Twitter recognizes which specific subpage of our website the data subject is visiting each time the data subject visits our website and for the entire duration of the respective stay on our website. This information is collected by the Twitter component and matched by Twitter to the data subject’s respective Twitter account. If the data subject activates a Twitter button integrated on our website, Twitter matches this information to the data subject’s personal Twitter user account and stores this personal data.

Twitter always receives information via the Twitter component that the data subject has visited our website if the data subject is logged into Twitter when visiting our website; this takes place regardless of whether the data subject clicks on the Twitter component or not. If the data subject does not want this information to be transmitted to Twitter, he or she can prevent the transmission by logging out of his or her Twitter account before accessing our website.

Twitter's applicable privacy policy is available at https://twitter.com/privacy.

XIV. Data protection provisions on the use and application of YouTube plug-ins

We have integrated YouTube components on our website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all kinds of videos, which is why complete film and TV shows, but also music videos, trailers or videos made by users themselves can be accessed via the Internet portal.

YouTube’s operating company is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

Each time a person visits one of the individual pages of our website operated by the controller and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the data subject’s information technology system is automatically caused by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google receive information about which specific subpage of our website is visited by the data subject.

If the data subject is logged in to YouTube at the same time, YouTube recognizes which specific subpage of our website the data subject is visiting each time the data subject visits a subpage of our website. This information is collected by YouTube and Google and matched to the respective YouTube account of the person concerned.

YouTube and Google always receives information via the YouTube component that the data subject has visited our website if the data subject is logged into YouTube when visiting our website; this takes place regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube or Google, he or she can prevent the transmission by logging out of his or her YouTube account before visiting our website.

YouTube’s applicable privacy policy is available at https://policies.google.com/privacy?hl=en and provides information about the collection, processing and use of personal data by YouTube and Google.

XV. Rights of the data subject

Whenever personal data is processed, the data subject defined in GDPR has the following rights vis-à-vis the data controller:

1. Right to request information

Data subjects (users) can request the GFZ’s controller to confirm whether or not the GFZ is processing their personal data.

If this is the case, data subjects are entitled to request the following information from the GFZ’s controller:

  1. the purposes for which the personal data is being processed;
  2. the recipient or category of recipient to whom your personal data has been or is to be disclosed;
  3. the period for which your personal data will be stored, or, if no specific information can be provided, the criteria used to determine that period;
  4. the existence of a right to request the controller to rectify or erase your personal data, to restrict the controller’s processing of your personal data, or to object to such processing;
  5. the existence of a right to complain to a supervisory authority;
  6. where the personal data is not collected from the data subject, any available information as to its source.

2. Right to rectification

Data subjects have the right to request the GFZ’s controller to rectify and/or complete their personal data insofar as that of their personal data being processed is incorrect or incomplete. In such cases, the GFZ’s controller must rectify the data immediately.

3. Right to restriction of processing

Data subjects are entitled to request restrictions on the processing of their personal data in the following circumstances:

  1. if the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data;
  2. if the controller no longer needs the personal data for the purposes for which it was processed but it is still required by the data subject for the establishment, exercise, or defence of legal claims;
  3. if the data subject has objected to the processing of their data pursuant to Article 21 no. 1 GDPR and it has not yet been established whether the legitimate grounds of the GFZ override those of the data subject.

If the processing of the data subject’s personal data has been restricted, this data may – with the exception of storage – only be processed with the data subject’s consent, or to establish, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest within the EU or an EU member state.

A data subject who has obtained restriction of processing under the conditions specified above must be informed by the GFZ’s data controller before the restriction of processing is lifted.

4. Right to deletion

a) Obligation to delete

The data subject may request the controller to erase their personal data without delay, in which case the controller is obliged to erase the data without delay where one of the following grounds applies:

  1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. The user revokes their consent on which the processing is based according to. Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
  3. The data subject objects to the processing of their data pursuant to Art. 21 no. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of their data pursuant to Art. 21 no. 2 GDPR. The user's personal data was processed unlawfully.
  4. The personal data has to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject.
  5. The deletion of the personal data concerning the user is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller of the GFZ is subject.

b) Communication to third parties

If the GFZ’s controller has made the data subject’s personal data public and is obliged pursuant to Art. 17 no. 1 GDPR to erase it, the controller, taking account of the technology available and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of their personal data

c) Exceptions

No right of erasure exists if the data must be processed

  1. to exercise a right to freedom of speech and information;
  2. for compliance with a legal obligation according to which processing is required by EU or member state law to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health pursuant to Art. 9 no. 2 lit. h, i and Art. 9 no. 3 GDPR;
  4. for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 no. 1 GDPR, insofar as the right referred to in point a is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
  5. for the establishment, exercise, or defence of legal claims.

5. Right to notification

If the data subject exercises their right to rectification or erasure of personal data or restriction of processing, the controller is obliged to communicate this to all recipients to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.

The GFZ’s controller is obliged to inform the data subject about these recipients if so requested.

6. Right to object

The data subject has the right to object at any time, on grounds relating to their particular situation, to any processing of his/her personal data effected on the basis of Art. 6 no. 1 lit. e or f GDPR.

If this right is exercised, the GFZ’s controller will cease processing this personal data unless he/she can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or if the data has to be processed for the establishment, exercise, or defence of legal claims.

7. Right to revoke the declaration of consent provided in compliance with data protection legislation

The data subject has the right to withdraw their consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing effected on the basis of the data subject’s consent before its withdrawal.

8. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work, or place of the alleged violation, if the data subject considers that the processing of their personal data violates the GDPR.