Data protection information

BERD@NFDI is a consortium of the National Research Data Infrastructure (NFDI) for Business, Economic and Related Data. In accordance with Article 13 of the General Data Protection Regulation (GDPR), the BERD@NFDI team provides information on the collection and processing of personal data. Please observe the general information on data protection and in connection with our websites in the Data Protection Declaration of the University of Mannheim.

I. Identity and contact details of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

University of Mannheim
L1,1
68131 Mannheim

Phone: 0621/-181-1001
E-mail: rektor@uni-mannheim.de

II. Contact details of the data protection officer

Data protection officer of the University of Mannheim
L1,1
68131 Mannheim

E-Mail: datenschutzbeauftragte@uni-mannheim.de
Phone: 0621/181-1126

III. General information on data processing

1. Personal data
As defined in the General Data Protection Regulation (GDPR), personal data refers to any information relating to an identified or identifiable natural person. This is data such as the first and last name, address, e-mail address, phone number and, as a rule, the IP address.

2. Extent of personal data processing
Principally, we process personal data only as far as it is necessary in order to provide a functional website and our content and services. We only process personal data of our users after they have given their consent. An exception is made if it is not possible to get consent due to factual reasons and the processing is permitted by law.
We do not deliberately collect personal data of minors. We advise parents and legal guardians to watch their children’s activities online.

3. Legal basis for the processing of personal data
Provided that we have got the users’ consent to process their personal data, Article 6 paragraph 1(a) GDPR is the legal basis for the processing.
When processing personal data is necessary for the performance of a contract to which the data subject is party, Article 6 paragraph 1(b) GDPR is the legal basis for the processing. This also applies to processing operations that are necessary in order to take steps prior to entering into a contract.
Provided that the processing of personal data is necessary for compliance with a legal obligation to which the University of Mannheim is subject, Article 6 paragraph 1(c) GDPR is the legal basis for the processing.
If the processing of personal data is necessary to protect the vital interests of the data subject, Article 6 paragraph 1(d) GDPR is the legal basis for the processing.
If the processing is necessary for the purpose of a legitimate interest pursued by the University of Mannheim or by a third party and this interest is not overridden by the interests, fundamental rights and freedoms of the data subject, Article 6 paragraph 1(f) GDPR is the legal basis for the processing.
Our fundamental goal is to implement data-protection principles, such as data minimization, and to limit the processing of personal data while you are visiting our websites to the necessary minimum.

4. Deletion of data and storage period
The personal data of the data subject will be deleted or locked once the purpose for which they have been stored ceases to apply. Personal data may be stored for a longer period if provided for by European or national legislators in EU regulations, laws or other rules to which the controller is subject. The data will also be locked or deleted once a storage period specified in the above-mentioned rules has expired, unless further retention of the data is necessary to enter into or fulfill a contract.

IIV. Provision of the website and creation of log files

1. Description and extent of data processing
Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data are collected:

information on the browser type and the version used
the user’s operating system
the user’s Internet service provider
the user’s IP address
date and time of access
websites from which the user’s system accesses our website
websites accessed by the user’s system via our website.

The log files contain IP addresses or other data that can be assigned to a user. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user switches contains personal data. The data are also stored in our system’s log files. These data are not stored together with other personal data of the user.

2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6 paragraph 1(f) GDPR.

3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to facilitate the delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The data are stored in log files to ensure the functionality of the website. In addition, the data help us optimize our website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes also constitute our legitimate interest in data processing according to Article 6 paragraph 1(f) GDPR.

4. Storage period
The data will be deleted once the purpose for which they have been collected ceases to apply. For the data collected in order to provide the website, this is the case when the respective session has ended.
If the data are stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated so that the accessing client can no longer be identified.

5. Right to object and deletion of data
The collection of data for the provision of the website and the storage of data in log files is absolutely essential for the operation of the website. Consequently, the user has no possibility to object.

IV. Use of cookies

1. Description and extent of data processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user accesses a website, a cookie can be stored in the user’s operating system. This cookie contains a characteristic string that enables a clear identification of the browser when the website is accessed again.
We use cookies to improve your experience on our website. Some elements on our website require that the accessing browser can be identified after the user changed to another website.

The following data are stored and transmitted:

a randomly generated session key of the website
login information (if necessary)

In addition, we use cookies on our website which enable us to analyze the online behavior of our users. See section VI Web analytics with Matomo.

2. Legal basis for data processing
The legal basis for the processing of personal data using cookies is Article 6 paragraph 1(f) GDPR.

3. Purpose of data processing
The purpose of using cookies that are required for technical reasons is to simplify the use of website for users. Some features of our website cannot be offered without the use of cookies. For these features it is necessary that the browser is identified even after the user changed to another website.

We need cookies for the following applications:

forms
user login

The user data collected by cookies that are required for technical reasons are not used to generate user profiles.

The use of analysis cookies serves the purpose of improving the quality of our website and its content. Analysis cookies allow us to find out how the website is used in order to continuously optimize our services.

See section VI Web analytics with Matomo.

These purposes also constitute our legitimate interest in processing personal data according to Article 6 paragraph 1(f) GDPR.

4. Storage period, right to object and deletion of data
Cookies are stored on the user’s computer and transmitted to our website. Consequently, the user, has full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. You can also delete cookies which have been stored at any time. This can also be done automatically. If you deactivate cookies for our website, you may no longer be able to use the site’s full range of features.

VI. Web analytics with Matomo

1. Extent of personal data processing
On our website, we use the open source software tool Matomo (formerly Piwik) to analyze the online behavior of our users. The software saves a cookie on the user’s computer (for cookies, see V). If individual pages on our website are accessed, the following data are stored:

two bytes of the IP address of the user’s accessing system
the web page accessed
the website from which the user accessed the website accessed (referrer)
the web pages accessed from the website accessed
the amount of time spent on the website
the frequency of accessing the website

The software runs exclusively on the servers of our website. The users’ personal data are only stored on our servers. The data are not passed on to third parties.
The software is configured in a way that the IP addresses are not stored completely. Two bytes of the IP address are masked (example: 192.168.xxx.xxx). This way, the shortened IP address can no longer be assigned to the accessing computer.

2. Legal basis for data processing
The legal basis for the processing of users’ personal data is Article 6 paragraph 1(f) GDPR.

3. Purpose of data processing
The processing of users’ personal data allows us to analyze the online behavior of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing personal data according to Article 6 paragraph 1(f) GDPR. By anonymizing the IP address, the users’ interest in protecting their personal data is sufficiently taken into account.

4. Storage period
The data will be deleted once the purpose for which they have been collected ceases to apply, in our case after 7 days.

5. Right to object and deletion of data
Cookies are stored on the user’s computer and transmitted to our website. Consequently, the user, has full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. You can also delete cookies which have been stored at any time. This can also be done automatically. If you deactivate cookies for our website, you may no longer be able to use the site’s full range of features.
We offer the users of our website the option to opt out of the analysis procedure. To do this, you need to click the corresponding link. This way, another cookie is saved to your system which signals our system not to store your data. If you intentionally or unintentionally delete the corresponding cookie from your system, you need to save the opt-out cookie again.

Objection
Tracking cookies are currently not allowed.

Allow tracking cookies
In addition, most modern browsers have a “Do Not Track” option which enables you to inform websites not to track your user activities.
More information on the privacy settings of the Matomo software can be found on: https://matomo.org/docs/privacy/.

VII. Personal data processing in the BERD newsletter

1. Description and extent of data processing
On our website, you have the option to subscribe to a free newsletter (“BERD newsletter”). The newsletters’ administration with regard to subscriptions, deliveries and the recipients administration requires a software. We use a WordPress newsletter plugin wich runs on servers of the University of Mannheim, University Library.

Subscription to a newsletter takes place with a double opt-in , i.e. the subscription is only completed when you click on the corresponding link in the e-mail you receive to confirm your subscription. The data stored during the newsletter subscription process (e-mail address, IP address, time stamp of subscription and activation) are stored on servers of the University of Mannheim in Germany in line with the European data protection regulations. Your data will not be used for any other purposes than the delivery of the newsletter. It is not permitted to disclose your personal data.
When delivering newsletters, the delivery status is recorded in order to sort out recipient addresses that are no longer in service.

2. Legal basis for data processing
The legal basis for the processing of personal data after subscription to the newsletter by the users, once their consent has been obtained, is Article 6 paragraph 1(a) GDPR.

3. Purpose of data processing
The user’s e-mail address is processed for the purpose of delivering the newsletter.
The purpose of collecting other personal data (IP address, time stamp of subscription and activation) in the course of the subscription process is to prevent the misuse of the services or of the e-mail address used.

5. Right to object and deletion of data
You can withdraw your consent to receiving the newsletter at any time and without having to state any reasons and unsubscribe from the newsletter free of charge. To that end, each newsletter contains a corresponding link.

VIII. Social networks

We are not being informed about the content of the data transmitted and their use by social networks (e.g. Facebook, Instagram, LinkedIn, Twitter, YouTube). Information on the purposes, extent, further processing and use of data collected by each social network as well as your rights in relation to such processing can be found in the respective privacy policies. The University of Mannheim does not assume responsibility for these contents or the privacy policy.
We do not know what kind of data are collected and how they are used by the respective social network. It is very likely that at least the following data are collected even if you are not signed in:

IP address
time when the website was accessed
URL of the website that uses the plugin
location-based information (on mobile devices)
device-related information (e.g. the operating system used and browser information)
websites which were visited previously for advertising purposes
data of uninvolved third parties (e.g. e-mail addresses (in case of recommendations)).

Unless otherwise specified, it can be assumed that the following technologies are used for data processing:

cookies (e.g. permanent storage of your login data), this can also happen via third party providers such as advertising customers
log files (storage of the cookie data on the service’s servers)
analysis scripts (e.g. tracking of the clicking behavior on a website)
forwarding of posted links
local data storage (e.g. permanent storage of pictures)

4. Twitter
Our website uses features of the Twitter service provided by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (more information: https://help.twitter.com/de/twitter-for-websites-ads-info-and-privacy). By using Twitter and the “Retweet” feature, the websites visited by you are linked to your Twitter account and disclosed to other users. This way, Twitter can link your visit to our website to your user account. We are not being informed of the kind of data transmitted and their use by Twitter. Information on the purpose, extent, further processing and use of data collected by Twitter as well as your rights regarding such processing can be found in the Twitter Privacy Policy: https://twitter.com/privacy. The University of Mannheim does not assume responsibility for these contents or the privacy policy. Furthermore, we opted out of having information from your website used for personalization by Twitter (https://developer.twitter.com/en/docs/twitter-for-websites/privacy).

IX. Personal Data processing in BERD Academy

1. Description and extent of data processing

BERD Academy enables you to learn data science and data management by offering a variety of courses, workshops and other educational content.

Pretix

Within our event offer, functions and contents of the service Pretix, offered by rami.io GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg, Germany, are integrated. This includes the ticket shop, which is integrated via a JavaScript widget. When you buy a ticket, Pretix uses a technically necessary cookie to enable the ordering process and to remember which shopping cart belongs to you. The cookie is set as soon as you interact with the widget. Pretix does not store IP addresses, browser information or other unnecessary meta data beyond the duration of your request. You can find more information about data protection at Pretix here: pretix.eu/about/en/privacy

Registration for the online courses is done via the Pretix contact form, which processes the following information:

Email address (mandatory)
Name (mandatory)
Institution/Company (optional)
Invoice information (optional)

This information is used to allocate your registration and subsequent participation in the online course (see section 3. Purpose of data processing). By registering, you give us your voluntary consent for the purpose of your participation in online courses and contacting you. We request your explicit consent (see section 2. Legal basis for data processing) for the purposes of processing your personal data.

“Pretix” is a software-as-a-service product, i.e. it is a cloud software. You can find out about the security measures taken by the provider rami.io GmbH here: https://pretix.eu/about/en/security When you buy a ticket, Pretix processes the data exclusively to make the requested sale and to forward the data to us. Pretix does not use the data itself and does not link it to your purchases from other organisers. Pretix also does not pass on your data to third parties.

2. Legal basis for data processing
The legal basis for the processing of personal data for the purposes of offering the BERD Academy courses, once the users consent has been obtained, is Article 6 paragraph 1(a) GDPR.

3. Purpose of data processing

The information you provide will be stored for the purpose of processing your registration and subsequent participation in the online course as well as for possible follow-up questions. Your booking will be entered, viewed and checked by us within the “Pretix” software. All persons involved in the booking process are separately bound to secrecy and treat your data as strictly confidential. If you book a ticket for one of our courses, your data will only be processed for the purpose of course planning for this specific course.

In order to ensure a variety of high-quality courses, workshops and events we work closely with our partner, the Ludwig Maximilian University of Munich, Germany, which is offering some of the BERD Academy courses on this website. If you register for a course, offered by our partner, we will transfer your data directly to them in order to enable the course offering and participation. No personal data of any kind are being transmitted to a third country or an international organization outside of the European Union.

5. Right to object and deletion of data
You can withdraw your consent at any time and without having to state any reasons. To that end, you can reply to the confirmation of receipt e-mail and request the deletion or correction of your data.

X. Personal Data processing on the BERD Platform

BERD@NFDI offers a platform for the collection, processing, analysis and preservation of Big Data in the areas of business and economics related data.

Information materials, training, workshops, tools and data-related services are offered on the platform. Processor of the BERD Platform as per Article 28 GDPR is ZBW – Leibniz-Informationszentrum Wirtschaft (“ZBW”).

Identity and contact details of the processor

ZBW – Leibniz-Informationszentrum Wirtschaft
Düsternbrooker Weg 120
24105 Kiel

Telefon: +49-431-8814-555 (Team Information Kiel)
Telefax: +49-431-8814-520
info@zbw.eu

You can find out more about the ZBW Privacy Policy here: https://www.zbw.eu/en/data-protection

Contact details of the data protection officer of the processor

Datenschutzbeauftragter
Sven Markgraf

Neuer Jungfernstieg 21
20354 Hamburg
E-Mail: datenschutz@zbw.eu

1. Description and extent of data processing
On the BERD Platform, you have the option to:

freely browse the platform offerings (“free access without registration”) or
register and get access (“access with registration”) to the restricted services

The software, used for the platform, administration, registrations, data services and the user management, is the open source framework Invenio, which runs on the servers, managed by ZBW.

Registration takes place on the platform after completing the registration process, i.e. by entering the mandatory information (user account data) and accepting the Terms and Conditions. The user account data consist of:

Username
Name
Email address
Affiliation
URL to verify the user profile (e.g., LinkedIn)

The data stored during your visit on the platform, regardless of registering or not, are:

information on the browser type and the version used
the user’s operating system
user´s device
the user’s IP address
date and time of access
number of times the user has logged in
country name

This information is stored on servers in Germany in line with the European data protection regulations. Your data will not be used for any other purposes than the administrating the BERD platform.

2. Legal basis for data processing
The legal basis for the processing of user account data and the temporary storage of data, and log files on the platform is Article 6 paragraph 1(b) GDPR.

3. Purpose of data processing
The user’s name and e-mail address are processed for the purpose of registering, administering and using the offers on the BERD platform.
The temporary storage of the IP address by the system is necessary to facilitate the delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The data are stored in log files to ensure the functionality of the website. In addition, the data help us optimize our website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

4. Storage period
The data will be deleted once the purpose for which they have been collected ceases to apply. Therefore, the user’s e-mail address will be stored until the user deletes their account or it has been established that the e-mail address is no longer in service.
The data collected in order to provide the website will be deleted when the respective session has ended.
If the data are stored in log files, this is the case after thirty days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated so that the accessing client can no longer be identified.

5. Right to object and deletion of data
You can deactivate your account at any time, without having to state any reasons and free of charge.
The collection of data for the provision of the website and the storage of data in log files is absolutely essential for the operation of the website. Consequently, the user has no possibility to object.

XI. Rights of the data subject

If your personal data are being processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

1. Right of access
You have the right to obtain confirmation as to whether or not we are processing your personal data.
Where this is the case, you have the right to obtain the following information from the controller:
(1) the purpose for the which your personal data are being processed;
(2) the categories of personal data which are being processed;
(3) the recipients or categories of recipients to whom your personal data have been or will be disclosed;
(4) the projected period for which your personal data will be stored or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of personal data concerning you or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where personal data are not collected from the data subject themselves, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Article 22 paragraph 1 and paragraph 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information as to whether or not your personal data are being transmitted to a third country or an international organization. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
Your right of access may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

2. Right to rectification
You have the right to obtain the rectification and/or completion of inaccurate or incomplete personal data concerning you from the controller. The controller must rectify the data immediately.
Your right to rectification may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

3. Right to restriction of processing
You have the right to demand the restriction of the processing of personal data concerning you where one of the following conditions applies:
(1) you contest the accuracy of personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; or
(4) if you have objected to processing pursuant to Article 21 paragraph 1 GDPR and the verification whether the legitimate grounds of the controller override your grounds is pending.

Where processing of personal data concerning you has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where processing has been restricted under one of the above conditions, you will be informed by the controller before the restriction of processing is lifted.
Your right to restriction of processing may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

4. Right to erasure
a) Obligation to erase data
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay. The controller is obliged to erase these data without undue delay where one of the following grounds applies:
(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to Article 6 paragraph 1(a), or Article 9 paragraph 2(a) GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 2 paragraph 2 GDPR;
(4) the personal data concerning you have been unlawfully processed;
(5) the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR.
b) Notification of third parties
Where the controller has made personal data concerning you public and is obliged pursuant to Article 17 paragraph 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not apply where the processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9 paragraph 2(h) and (i) as well as Article 9 paragraph 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1 GDPR in so far as the right referred to in subsection a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.

5. Right to be informed
Where you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about who these recipients are.

6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, unless
(1) the processing is based on consent pursuant to Article 6 paragraph 1(a) or Article 9 paragraph 2(a) GDPR or on a contract pursuant to Article 6 paragraph 1(b) GDPR; and
(2) the processing is carried out by automated means.
Furthermore, in exercising the right to data portability, you have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons may not be affected by such transmission.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object
On grounds relating to your particular situation, you have the right to object to the processing of your personal data according to Article 6 paragraph 1(e) or (f) GDPR at any time, including profiling based on those provisions.

The controller may no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data may no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 paragraph 1 GDPR, you have the right to object to processing of personal data concerning you on grounds relating to your particular situation.
Your right to object may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

8. Withdrawal of consent
You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and a data controller;
(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9 paragraph 1 GDPR, unless Article 9 paragraph 2(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
Regarding the cases referred to in (1) and (3), the data controller must implement suitable measures to safeguard your data rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged informs the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.