The protection of your personal data is important to us ("DACHSER"). The processing of your personal data such as your name, address, email address or your telephone number is always carried out in compliance with the General Data Protection Regulation (GDPR) and the country-specific data protection provisions that apply for DACHSER.
The aim of this Data Protection Declaration is to inform you of the type, scope and purpose of the personal data that we collect. In addition, we should like to inform you of your rights. If we want to offer you special services via our website or elsewhere, and if there should be no legal basis for the necessary processing of the data in this connection, we shall obtain your consent.
Data subject rights and reporting data protection incidents
You can exercise your rights as a data subject - such as the right to information, correction, deletion, restriction of processing, data portability and the right to object - online here. You can report data protection incidents such as unauthorised access, disclosure, processing or loss of personal data online here.
The office responsible within the meaning of the data protection law is:
The name and the contact details for the data protection officer at DACHSER SE are:
Data Protection Officer
Every time it is visited, this website records various general data and information. These general data and information are stored in the server’s log files. It is possible that the following are recorded: (1) the type and version of browser used, (2) the operating system used by the accessing system, (3) the internet site from which the accessing system accesses our internet site (called referrer), (4) the sub-websites that link to our internet site via an accessing system, (5) the date and time the internet site was accessed, (6) the internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information that act as an emergency response in the case of attacks on our IT systems.
In using these general data and information, it is impossible for DACHSER to determine your identity. No profiling is carried out. The reason we need this information is rather to ensure that we keep the contents of our website up to date, that we optimize the contents of our website and the advertising for this, that we guarantee the permanent functionality of our IT systems and the technology of our website as well as to ensure that we are able to provide law enforcement authorities with the necessary information for prosecution in the event of a cyber attack.
DACHSER analyzes these anonymously recorded data and information on a statistical basis with the aim of increasing data protection and data security in our company. We save the anonymous data in the server log files separately from all the personal data that you have provided us. The legal basis for the temporary storage of the data and the log files is Art. 6 Para. 1 f) of the GDPR.
You can contact us using the contact form provided on our website or via the email address that you will find in our imprint. If you use one of these channels to contact DACHSER, we automatically save the personal data that you have given us. Such personal details given to DACHSER on a voluntary basis are saved to process your inquiry and/or for the purpose of getting in touch with you.
DACHSER SE allocates the inquiries and related personal data to the technically responsible office within the DACHSER group, usually the national branch of the subsidiary of the inquirer, for processing and use, and exchanges the data with this branch. For example, inquiries and the corresponding data from the website for Switzerland (www.dachser.com/ch) are exchanged with the DACHSER national branch in Switzerland (DACHSER Spedition AG). It is possible that data can be exchanged with third countries such as the USA in this connection.
The legal basis for the processing of the data for contract initiation or execution is Art. 6 Para. 1 b) of the GDPR and in all other cases Art. 6 Para. 1 f) of the GDPR. The legal basis for data transfer to a third country is Art. 49 Para. 1 b) of the GDPR.
Users are given the option of subscribing to the DACHSER newsletter (e.g., "eLetter") on the DACHSER website. The personal data that are recorded when subscribing to the DACHSER newsletter can be seen on the input screen.
DACHSER uses the newsletter to provide information on a regular basis to customers and business partners about innovations of our services and production, current press releases, information about our brand or the current contents of our website. The newsletter can fundamentally only be received by the person affected if (1) the person affected has a valid email address and (2) the person affected registers for receipt of the newsletter. For legal reasons, a confirmation email is initially sent to the registered email address of the affected person in a double opt-in procedure for receipt of the newsletter. This confirmation email serves as a check to ensure that the owner of the email address as the person affected has authorized the receipt of the newsletter. The legal basis for sending the newsletter is Art. 6 Para. 1 a) of the GDPR.
Upon registration for the newsletter, we store the IP address of the internet service provider (ISP) of the computer system of the person affected at the time of registration as well as the date and time of registration. The recording of this data is required to be able to identify the (possible) misuse of the email address of the person affected at a later point in time and therefore also to guarantee legal protection of DACHSER. Within the context of sending the newsletter, DACHSER commissions the company Atrivio GmbH, Albert-Einstein-Str. 6, 87437 Kempten, with the recording, processing, use and/or storage of the data as part of order processing.
The personal data collected as part of the registration process for the newsletter are used exclusively for the following purposes:
- Dispatch of the newsletter
- Advice and advertising
- Needs-related structure of the newsletter
- Compilation of the topics in the newsletter in line with the interests of subscribers
In addition, subscribers to the newsletter could be informed by email insofar as this is necessary for the operation of the newsletter services or a registration with regard to this, such as for changes to the offer or a modification to the technical circumstances.
Consent to the storage of personal data that the person affected has given us for the subscription to the newsletter can be revoked at any time. There is a corresponding link in every newsletter for the revocation of consent. In addition, it is also possible to deregister at any time directly with DACHSER by sending a notification to the contact details given under number 1.
Our newsletters contain tracking pixels. A tracking pixel is a miniature graphic embedded in emails that are sent in HTML format to facilitate the recording and analysis of a log file. This means that a statistical analysis of the success or failure of online marketing campaigns can be carried out. By means of the embedded tracking pixels, DACHSER can identify whether and when an email was opened by a person affected and which of the links in the email were accessed by the person affected.
Such personal data recorded via the tracking pixels contained in the newsletter are saved and evaluated by DACHSER to optimize the dispatch of newsletters and to align the contents of future newsletters better to the interests of the person affected. Persons affected are entitled to revoke the separate declaration of consent given via the double opt-in procedure at any time. Following a revocation, these personal data are deleted by DACHSER. Deregistration of the subscription to the newsletter is automatically deemed by DACHSER to be a revocation.
You can prevent the placing of cookies by our website at any time by means of a corresponding setting of your internet browser and consequently prevent the setting of cookies on a permanent basis. In addition, cookies that have already been placed can be deleted at any time via an internet browser or another software program. This is possible in all standard internet browsers. However, if you deactivate the placing of cookies in your internet browser, not all the functions of our website will be fully available to you in certain circumstances. The legal basis for the processing of personal data using cookies is Art. 6 Para. 1 f) of the GDPR.
The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently tested, certified, and awarded the ePrivacyseal data protection seal of approval.
The data processing is based on the legal provisions of Article 6 Paragraph 1f (legitimate interest) of the General Data Protection Regulation (GDPR). Our concern in GDPR terms (legitimate interest) is the optimization of our online offer and our web presence. Since the privacy of our visitors is important to us, any data that may allow a reference to an individual person, such as the IP address, login, or device IDs, is anonymized or pseudonymized as soon as possible. There will be no other use, combination with other data, or transfer to third parties.
Activating the “do not track” browser setting will also automatically exclude you from tracking.
You can object to the abovementioned data processing at any time.
You can find more information about data privacy at etracker here.
On its website, DACHSER offers services under the tool eLogistics. One of the core functions of the eLogistics portal is the online calculation of shipping costs, the registering of transport orders and order tracking by means of Tracking & Tracing.
DACHSER SE allocates the inquiries and related personal data to the technically responsible office within the DACHSER group, usually the national branch of the subsidiary of the inquirer, for processing and use, and exchanges the data with this branch. For example, inquiries and the corresponding data from the website for Switzerland (www.dachser.com/ch) are exchanged with the DACHSER national branch in Switzerland (DACHSER Spedition AG). It is possible that data can be exchanged with third countries such as the USA in this connection. Users can use the eLogistics applications with or without individual registration. In the event of registration, the relevant national branch activates the user following successful authentication. In the case of registration, users have more “credentials” than in the case of use without registration, i.e., users can take advantage of further services. The personal data that are forwarded to DACHSER in this process can be seen from the relevant input screen that was used for registration.
The intention behind the use of data when using the eLogistics services is exclusively to make the services mentioned available. The legal basis for the processing of the data for contract initiation or execution is Art. 6 Para. 1 b) of the GDPR and in all other cases Art. 6 Para. 1 f) of the GDPR. The legal basis for data transfer to a third country is Art. 49 Para. 1 b) of the GDPR.
This site uses the map service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This means that we can show you interactive maps directly on the website and enable you to use the map features simply and easily.
By accessing its website, Google obtains information that you have visited the corresponding sub-site on our website. In addition, the data mentioned under number 2 are transmitted. This occurs irrespective of whether Google makes a user account available, via which you are logged in, or if there is no user account. If you are logged in to Google, your data are directly allocated to your account. If you do not wish this allocation to your profile with Google, you must log out before activating the button. Google stores your data as a usage profile and uses this for the purposes of advertising, market research and/or the needs-related structuring of its website. Such an evaluation is carried out in particular (even for users who do not log in) to provide needs-related advertising and to inform other users in your social network of your activities on our website. You have a right to object to the creation of this user profile, but you have to contact Google directly to enforce this. Further information on the purpose and scope of the data collection and the processing thereof by the plugin service provider can be found in the data protection declaration of the service provider.
The legal basis for the processing of your personal data when using Google Maps is Art. 6 Para. 1 f) of the GDPR. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here and here.
We use the social plugins (“Plugins”) of Facebook, Twitter, YouTube, Xing and LinkedIn on our website. We use plugins in particular so that you can share the contents of our website with other users of social networks or you can refer them to these contents. You can identify the provider of the relevant plugin from its logo or initial letter.
When you visit our website, we do not initially transmit any personal data to the plugin provider. However, if you click the relevant field, your personal data are sent directly to the provider of the relevant plugin and processed by said provider in third countries such as the USA under certain circumstances. After you click a plugin field, a new window opens in your browser and calls up the website of the provider of the relevant social network. The data transfer to the provider of the relevant plugin is carried out irrespective of whether you have an account with the social network of said plugin provider. Once you have logged on to the plugin provider, your data that have been registered with us are directly transmitted to the account you have with the plugin provider.
We have no influence on the type and scope of the data that are collected and processed by using the plugin, nor do we know the full scope of the data collection, the purposes of the processing or the storage periods. According to the information of the plugin provider, the data transmitted include information about your browser, the websites that you have visited as well as the date and time of your visit. The plugin providers process this information to create a user profile and to create tailor-made advertising for you, for example. You have a right to object to the creation of this user profile, but you have to contact the respective plugin provider directly to enforce this revocation right. You will find further information on this on the internet sites and in the data protection declarations of the relevant service providers.
The legal basis for processing your personal data using social plugins is Article 6 Paragraph 1f of GDPR. When using the services of Facebook, Twitter, YouTube, and LinkedIn, data transfer to third countries such as the United States may occur. In these cases, we ensure that the level of data protection is sufficient to implement the requirements of European law. This is normally done by means of EU standard contractual clauses provided by the European Commission and, if necessary, other appropriate guarantees.
Access to personal data is technically possible for service providers and contracting parties that we employ for the operation of our website. These external service providers are obliged to use your personal data only for the purpose of providing the services that we require or for other purposes in compliance with our instructions.
DACHSER will transmit your personal data to companies within the DACHSER Group for the purposes stated in this data protection declaration and forward them to the relevant national branches. DACHSER companies are also based outside of the European Union or the European Economic Area. DACHSER is responsible for ensuring that you are informed about your rights as a person affected within the context of the valid data protection laws. You can address any inquiries or complaints regarding your personal data to DACHSER. The other DACHSER companies within the DACHSER Group, which also process your personal data, collaborate with us and support us in dealing with such inquiries or complaints.
Apart from the aforementioned data transfer, we do not transmit, sell or market your personal data to third parties such as other companies or organizations unless you have given us your express permission to do so, or the transmission is required for us to be able to fulfill our contractual duties to you, the user of our website.
The criterion for the duration of the storage of personal data is the relevant statutory storage period. Once this deadline has expired, we routinely delete all the corresponding data insofar as they are no longer required to fulfill or initiate a contract.
If the reason for storage no longer applies or if the storage deadline set by the European regulator or another relevant legislator should expire, the personal data are routinely blocked or deleted in accordance with statutory provisions.
As a person affected, you are entitled to the rights as set out in Articles 15-21 of the GDPR vis-à-vis DACHSER if the prerequisites set out therein have been fulfilled. These are the rights to information (Art. 15 of the GDPR), correction (Art. 16 of the GDPR), deletion (Art. 17 of the GDPR), restriction in processing (Art. 18 of the GDPR), data transfer (Art. 20 of the GDPR) and the right to object (Art. 21 and 22 of the GDPR). In addition, you have a right to complain to the supervisory authority pursuant to Art. 77 of the GDPR.
Google Ads enables us to display advertisements in the Google search engine results when users enter certain search terms on Google (keyword targeting). Google Ads is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use Google Ads to measure the number of visits that have come to our website via the display of advertisements in Google Search and to evaluate which search terms have led to the placement of our advertisements. Conversion tracking is carried out exclusively by using the cookie-free web analysis tool etracker, which only collects statistical data. We do not use the remarketing function and you will not receive any further advertising from us after visiting our website. The legal basis for this data processing is our legitimate interest in optimising our online offer and our marketing measures. You can object to the aforementioned data processing at any time.
Data protection notice for the business relationship
The DACHSER Ireland Limited data protection declaration applies the terminology used by the European regulator with the issuance of the General Data Protection Regulation (GDPR). Please refer to the definition of terms in Article 4 of GDPR. GDPR can be accessed here.
2. Name and address of the controller and of the data protection officer
For the purposes of GDPR, other applicable regulations in member states of the European Union, and other regulations pertaining to data protection, the controller is:
DACHSER Ireland Limited, Blackchurch Business Park, Rathcoole, Co. Dublin, D24 C796, Ireland, Tel.: +35 1 4013333, E-mail: firstname.lastname@example.org, Website: www.dachser.ie
3. General information about data processing
3.1 Scope of processing of personal data
We generally collect and process our business partners’ personal data only insofar as this is necessary for the purposes of entering into a contract or executing our orders and contracts. Once our contractual responsibilities have been met, we process data only after consent has been given. The exception is when consent cannot be obtained in advance for practical reasons, or when legislation permits or requires that data be processed.
3.2. Handling of personal data
The collection, processing, or use of personal data is generally prohibited, unless a legal standard explicitly permits such data handling. According to GDPR, personal data may generally be collected, processed, or used:
- when a contractual relationship already exists with the data subject.
- as part of entering into or performing a contract with the data subject.
- if and to the extent that the data subject has given consent.
3.3 Legal basis for the processing of personal data
To the extent we obtain consent from the data subject for processing their personal data, the legal basis is Article 6 Paragraph 1a of GDPR.
Whenever the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is Article 6 Paragraph 1b of GDPR. This is also true for processing operations when taking steps prior to entering into a contract.
To the extent that processing is necessary for compliance with a legal obligation to which our company is subject, the legal basis is Article 6 Paragraph 1c of GDPR.
To the extent that processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party, and that the interests or fundamental rights and freedoms of the data subject do not override the aforementioned interest, the legal basis for that processing is Article 6 Paragraph 1f of GDPR.
3.4. Categories of affected persons and their data
To carry out business activities and fulfill all related obligations, the following data categories are present to the extent necessary:
- Customer data and contacts, as well as data provided by customers on their customers to the extent necessary for order processing and customer service.
- Data from service providers, suppliers, and their contacts to the extent necessary for order processing on behalf of customers, service providers, and suppliers.
When using personal data and determining the amount of data to collect, the following are observed: the basic principles of informational self-determination; other data protection standards, particularly the principles of preventive prohibition, of limitation of purpose, of transparency, and of obligations to inform and notify; the basic principles of data avoidance and data minimization; and the rights to rectification, blocking, erasure, and objection.
Personal data is collected and processed to the extent permissible under law. Account is taken of the special conditions for collecting and processing sensitive data in accordance with Article 9 Paragraph 1 of GDPR. Only such information may generally be processed and used as is necessary for performing operational tasks and is related directly to the purposes of the processing.
In the event that other parties request information concerning data subjects, this will be passed on without the data subject’s consent only when there is either a legal obligation to do so or the company has a justificatory, legitimate interest in passing the information on and the identity of the requesting party is beyond doubt.
3.5 Recipients of personal data
Only in the context of fulfilling the logistics service you commissioned is personal data transferred to involved third parties such as subsidiaries, partners, or subcontractors. Personal data concerning people involved in the logistics service may also be transferred to the party commissioning the logistics service (e.g. proof of delivery).
Above all, we will not sell your personal data to third parties nor market it in any other way.
3.6 Data transfer to third countries
Data is transferred to third countries exclusively to fulfill commissioned logistics services. In the spirit of data minimization, only the data required for the purposes of sending and delivering goods to the customer’s customers is transferred to national and international DACHSER Group companies and external service providers. Data transfer to a third country that does not have an appropriate level of data protection is permitted for the purposes of fulfilling a contract between the data subjects and the unit responsible for processing, provided the data transfer is necessary for the performance of the contract.
3.7 External service providers / order processing / maintenance
To the extent necessary, agreements with external service providers are in place in accordance with Article 28 of GDPR or with the EU standard contractual clauses.
3.8 IT Security concept
In recognition of the fundamental importance of information security, and besides the raft of technical and organizational measures already taken, DACHSER has also put relevant guidelines in place.
The DACHSER IT Center’s information security management system (ISMS) has been ISO 27001 certified since 2011.
3.9 Erasure of data and duration of storage
A data subject’s personal data is erased or blocked as soon as there is no longer a reason to store it. In addition, data may be stored if European or national legislators have provided for this in Union regulations, laws, or other legislation to which the controller is subject. Data will also be blocked or erased once a storage period specified in the aforementioned legislation ends, unless there is a need to continue to store the data in order to enter into or perform a contract.
4. Rights of the data subject
If your personal data is processed, you are a data subject for the purposes of GDPR and you have the following rights with regard to the controller:
4.1 Right of access
You can obtain from the controller confirmation as to whether or not we are processing personal data concerning you.
Where that is the case, you can obtain access to information from the controller about the following:
- the purposes of the processing of the personal data;
- the categories of personal data being processed;
- the recipients or categories of recipient to whom the personal data concerning you have been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored, or, if it is not possible to provide specific information, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data concerning you, and of the right to request restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information as to the source of the data, where the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling, referred to in Article 22 Paragraphs 1 and 4 of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to know whether personal data concerning you is transferred to a third country or to an international organization. In this context, you can obtain information on the appropriate safeguards in accordance with Article 46 relating to the transfer.
4.2 Right to rectification
To the extent that personal data concerning you is incorrect or incomplete, you have the right to obtain rectification or completion of the data from the controller. The controller must rectify the data without undue delay.
4.3 Right to restriction of processing
Where the following conditions apply, you can obtain restriction of processing of personal data concerning you from the controller:
- you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise, or defense of legal claims; or
- you have objected to processing in accordance with Article 21 Paragraph 1 of GDPR pending verification whether the legitimate grounds of the controller override yours.
Where processing of personal data concerning you has been restricted, this data may, with the exception of storage, be processed only with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a member state.
If data processing was restricted in line with the abovementioned conditions, you will be informed by the controller before the restriction of processing is lifted.
4.4 Right to erasure
4.4.1 Duty to erase
You can demand that the controller erases personal data concerning you without undue delay, and the controller is obligated to erase this data without undue delay where one of the following grounds applies:
- the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw your consent on which the processing is based in accordance with Article 6 Paragraph 1a or Article 9 Paragraph 2a of GDPR, and there is no other legal ground for the processing;
- you object to the processing in accordance with Article 21 Paragraph 1 of GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Article 21 Paragraph 2 of GDPR;
- the personal data concerning you has been unlawfully processed;
- the personal data concerning you has to be erased for compliance with a legal obligation in Union or member state law to which the controller is subject;
- the personal data concerning you was collected in relation to the offer of information society services referred to in Article 8 Paragraph 1 of GDPR.
4.4.2 Informing third parties
Where the controller has made the personal data concerning you public and is obligated in accordance with Article 17 Paragraph 1 of GDPR to erase that data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers processing the personal data that as the data subject you have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
There is no right to erasure to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation that requires processing by Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9 Paragraph 2h and 2i as well as Article 9 Paragraph 3 of GDPR;
- for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes in accordance with Article 89 Paragraph 1 of GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise, or defense of legal claims.
4.5 Right to be informed
If you have exercised your right to rectification, erasure, or restriction of processing with regard to the controller, the controller is obligated to communicate any rectification or erasure of personal data concerning you or restriction of its processing to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request information about the recipients from the controller.
4.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, where:
- the processing is based on consent in accordance with Article 6 Paragraph 1a of GDPR or Article 9 Paragraph 2a of GDPR or on a contract in accordance with Article 6 Paragraph 1b of GDPR; and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4.7 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Article 6 Paragraph 1e or 1f of GDPR, including profiling based on those provisions.
The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or the processing is for the establishment, exercise, or defense of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you can exercise your right to object by automated means using technical specifications.
4.8 Right to withdraw data protection declaration of consent
You have the right to withdraw your data protection declaration of consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.9 Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and the controller;
- is authorized by Union or member state law to which the controller is subject and that also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests; or
- is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9 Paragraph 1 of GDPR, unless Article 9 Paragraph 2a or 2g of GDPR applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.
In relation to the cases referred to in points (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.
4.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Article 78 of GDPR.