Data subject access requests

last modified: 18th of August 2021

According to GDPR and CCPA you as an individual can require us to disclose if and what kind of data we - fortrabbit - have stored on you personally and for what purposes. You can also request to get it deleted and corrected. DSAR is the acronym for that.

fortrabbit is self service, with clients in control about most data stored. Clients can explore, edit and delete the data we store on them in the fortrabbit Dashboard. Apps, Companies and Accounts can be deleted. Please see the data collection and retention page to learn more about what data is stored, what for and for how long.

1. Right to information

  1. You may ask us to confirm if personal data concerning you is processed by us.
  2. If such processing is available, you can request information about the following information:
    1. the purposes for which the personal data are processed;
    2. the categories of personal data that are processed;
    3. the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
    4. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
    5. the right of rectification or deletion of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to such processing;
    6. the existence of a right of appeal to a supervisory authority;
    7. all available information on the source of the data if the personal data are not collected from the data subject;
    8. the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.
  3. You have the right to request information about whether the personal data concerning you are transmitted to a third country or to an international organization. In this connection, you can request the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
  4. In the case of data processing for scientific, historical or statistical research purposes: This right of access may be restricted to the extent that it is likely that the realization of the research or statistical purposes is impossible or seriously impaired and the restriction is necessary for the performance of research or statistical purposes.

2. Right to rectification

  1. You have a right to request the controller to rectify and / or complete your data, if your personal data is incorrect or incomplete.
  2. You can correct many data yourself as a registered and registered client. Incidentally, the responsible person must make the correction without delay.
  3. In the case of data processing for scientific, historical or statistical research purposes: Your right of rectification may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes.

3. Right to restriction of processing

  1. Under the following conditions, you may request the restriction of the processing of your personal data:
    1. if you deny the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
    2. the processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of the personal data;
    3. the person responsible no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defense of legal claims, or
    4. if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible prevail over your reasons.
  2. If the processing of personal data concerning you has been restricted, these data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for important reasons such as the public interest of the Union or of a Member State.
  3. If the restriction of processing according to the aforementioned preconditions is applied, you will be informed by the person in charge before the restriction is lifted.
  4. In the case of data processing for scientific, historical or statistical research purposes: Your right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of research or statistical purposes.

4. Right to cancellation

1. Obligation to delete

  1. You may require the controller to delete the personal information concerning you without delay and the controller shall immediately erase that information provided that any of the following is true:
    1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
    2. You revoke your consent, to which the processing acc. Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. DSGVO and there is no other legal basis for processing.
    3. You place acc. Art. 21 para. 1 DSGVO objection to the processing and there are no prior justifiable reasons for the processing, or you lay gem. Art. 21 para. 2 DSGVO Opposition to processing.
    4. Your personal data have been processed unlawfully.
    5. The deletion of personal data concerning you is required to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
    6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

2. Information on third parties

  1. If the person responsible has made the personal data relating to you public and is in accordance with Article 17 (1) of the GDPR, it shall take appropriate measures, including technical means, to inform data controllers who process the personal data that you have been identified as being affected, taking into account available technology and implementation costs, that you have requested the deletion of all links to such personal data or of copies or replications of such personal data.

3. Exceptions

  1. The right of erasure does not exist if the processing is necessary:
    1. to exercise the right to freedom of expression and information;
    2. to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of official authority delegated to the controller;
    3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
    4. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes acc. Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
    5. to assert, exercise or defend legal claims.

5. Right to information

  1. If you have asserted the right of rectification, erasure or restriction of the processing to the controller, the latter is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing unless this proves to be impossible or is associated with a disproportionate effort.

6. Right to data portability

  1. You have the right to receive personally identifiable information relating to you provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another person without hindrance by the person responsible for providing the personal data, provided that:
    1. the processing on a consent acc. Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a DSGVO or on a contract acc. Art. 6 para. 1 lit. b DSGVO is based and
    2. the processing is done using automated procedures.
  2. In exercising this right, you also have the right to obtain that personal data concerning you are transmitted directly from one person responsible to another person responsible, as far as this is technically feasible. Freedoms and rights of other persons may not be affected.
  3. The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

7. Right to object

  1. You have the right at any time, for reasons arising from your particular situation, to prevent the processing of your personal data, which pursuant to Art. 6 para. 1 lit. e or f DSGVO takes an objection; this also applies to profiling based on these provisions.
  2. The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.
  3. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail.
  4. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
  5. Regardless of Directive 2002/58 / EC, you have the option, in the context of the use of information society services, of exercising your right to opt-out by means of automated procedures that use technical specifications.
  6. In the case of data processing for scientific, historical or statistical research purposes: You also have the right, for reasons arising from your particular situation, to process personal data relating to you for scientific or historical research purposes or for statistical purposes. Art. 89 para. 1 GDPR is to be contradicted. Its right of objection may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes, and that the restriction is necessary for the performance of the research or statistical purposes.

8. Right to revoke the data protection consent declaration

  1. You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

9. Automated decision on an individual basis including profiling

  1. You have the right not to be subject to a decision based solely on automated processing - including profiling - that will have legal effect or similarly affect you in a similar manner. This does not apply if the decision:
    1. is required for the conclusion or performance of a contract between you and the controller,
    2. is permitted by Union or Member State legislation to which the controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or
    3. has your express consent.
  2. However, these decisions may not be based on specific categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g DSGVO applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.
  3. With regard to the cases referred to in (1) and (3), the person responsible shall take reasonable measures to uphold the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person by the person responsible Position and contesting the decision.

10. Right to complain to a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of its place of residence, employment or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
  2. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.