As the person in charge in the sense of We process data in accordance with data protection regulations.Gbasic regulation (hereinafter GDPR) obliges you as an affected person about your rights with regard to personal data, as well as about the type and scope of data use by us as a processor to clarify.

For the sake of consistency, we use the terms used in the GDPR below, which is why we do not address you personally with "you" in some places, but use the term "the data subject" or "the data subject" as used by the GDPR.

Privacy Policy

A) Ensuring the lawfulness of the processing

(1) The controller responsible for data processing is:

Rocker Parts GmbH, represented by Managing Director Martin Tischer, Christmannshof 10, 79206 Breisach am Rhein, Email: info[at]rocker-parts.de

The protection of your data is important to us, which is why we process data exclusively in accordance with legal regulations. You have the rights to information, rectification, erasure, restriction of processing, data portability, withdrawal of consent, and objection. The exact scope of these rights is described from section C onwards.

To exercise your rights, please contact the aforementioned responsible person.

Furthermore, you have the right to lodge a complaint with the supervisory authority if you feel your rights have been violated.

(2) „The data subject“ or „the data subject“ means anyone who uses this website, including you.

(3) The controller shall process personal data only if at least one of the following legal bases is met.

a) Article 6 paragraph 1 letter a) GDPR: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) Article 6 paragraph 1 letter b) GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) Article 6 paragraph 1 letter c) GDPR: processing is necessary for compliance with a legal obligation to which the controller is subject;

d) Article 6 paragraph 1 letter f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

B) Voresponsible The following will occur during the use of this website personal Data collected or used.

- Website visit / Cookies

To ensure the proper functioning of the website, we use "cookies". Cookies are text files that are stored by your browser and contain information in text form, such as language settings or a unique ID of the current user session, to distinguish your session from that of another user or to personalize a shopping cart.

Our website uses so-called session cookies, which are deleted after the current user session ends. We also use cookies that remain stored even after the session ends to save settings for the next visit and/or for analysis purposes.

If third-party modules are used on our site, which in turn use cookies, this will be addressed in the description of the respective processing activity.

Not all cookies are always used; the cookies used vary depending on the situation. System usage and login status.

We do not use any of the cookies for purposes other than their direct technical function. Neither personal data analysis nor... one Merger other data will be used.

The collection of these cookies is necessary for technical reasons. Legal basis for data processing: Article 6 paragraph 1 letter f) GDPR. The processing is necessary to protect the legitimate interests of the controller.

You can delete cookies in your browser or configure your browser to prevent cookies from being created at all. Instructions for doing so can be found on your browser's website. Please note, however, that disabling cookies may restrict the functionality of the website.

- Subscribe to the newsletter

The data you enter (email address, name, gender, and title if applicable) as well as the IP address used at the time of registration, and the date and time of registration, will be recorded. After registering, you will receive an email in which you can confirm your subscription. Clicking the link will activate your newsletter subscription. The IP address used at the time of activation, as well as the date and time of activation, will be stored. This is for the purpose of allowing us to prove that the subscription was completed and confirmed.

Your email address will be used solely for the purpose of sending you the newsletter. Providing your gender and name allows us to personalize the greeting. This data will only be used for sending the newsletter. The legal basis for this is your consent pursuant to Article 6(1)(a) GDPR.

Your email address will be used for the newsletter as long as you wish to receive it. If you unsubscribe, your email address will no longer be used for sending the newsletter. Each newsletter contains an unsubscribe link.

To document your prior registration, your email address and IP address will be stored even after you unsubscribe (further information can be found under the heading "Unsubscribing from the newsletter"). The legal basis for this is Article 6(1)(f) GDPR. The processing is necessary for the purposes of the legitimate interests pursued by the controller.

You can unsubscribe from the newsletter on the website. To do so, follow the unsubscribe link found in every newsletter email. Alternatively, you can also contact the above-mentioned responsible party informally using one of the listed contact methods.

- Contact form / Contacting us

On our website, you have the option to send us data by filling out a contact form and/or writing an email. The data you enter will be transmitted and stored. This typically includes your name, email address, message, address, and any other information you provide. Data transmission is encrypted.

The data you provide is for the purpose of contacting us, and the data you enter will be used exclusively for that specific purpose and will not be used for any other purpose or combined with other data. This only changes if a legally binding business relationship arises from the contact. In that case, the data will be used further for that purpose.

The duration of data storage depends on the content of the inquiry. If it is merely an initial communication without a subsequent legal relationship, the collected data will be deleted within 90 days of the communication being concluded. If a legal relationship arises from the contact, the duration of data collection is governed by the applicable legal regulations.

Right to object and erasure: If you wish to have your transmitted data deleted, please contact the data controller. The data will then be deleted unless there is another legal obligation to retain it.

The legal basis for storing the data you have entered is initially your consent according to Article 6 paragraph 1 letter a GDPR.

If a contractual relationship subsequently arises or is initiated through contact, the legal basis is Article 6 paragraph 1 letter b) GDPR, since the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

 - Registration on the website / Ordering products

You have the option to register as a customer on our website. In this case, we collect and store all the data you enter. You can change this data after logging into your user account. You also have the option to delete your account. When you place orders, the order data (products / time of order / delivery address / billing address / bank information) is stored and, if an account exists, associated with it. The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR.

We store the data for as long as necessary due to the initiated and/or concluded contract. If you delete your account, the data will be deleted as soon as we are no longer legally obligated to retain it. The legal basis for this is Article 6(1)(b) GDPR.

- Ordering function / Registration functions

At various points on our website, you have the option to register for something or apply for membership. In this case, we collect and store all the data you enter, such as your name, contract details, and bank details. This data is transmitted via a secure connection. The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR.

We store the data for as long as is necessary due to the initiating and/or concluded contract. The legal basis for this is Article 6 paragraph 1 letter b) GDPR.

- Disclosure of order data to third parties

We share the data you provide when placing an order with third parties who use this data to process your order. Examples include our delivery service, banks that accept payments, and payment service providers we work with. We have a data processing agreement in place with these companies. The legal basis for this data processing is Article 6(1)(c) GDPR, as this transfer is necessary for the performance of the contract. The data is stored for as long as legally required and then deleted. This data will not be used for any other purpose.

- Watchlist / Favorites list / Wish list / Item comparison

Depending on your settings, you have the option to add products to a product comparison, favorites list, watchlist, or wish list. In this case, we store the selected data/products in your user account on our server. The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR. You can edit these lists and remove products at any time in your user menu after logging in. Alternatively, you can also contact the data controller.

You have the option to share your wish list with others. Please note that if you do so, any visitor to the website can view your wish list by entering your email address in the wish list search field or by clicking on a corresponding link. The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR. You can prevent this by not sharing your wish list with others or by deleting the products from your wish list.

- Product rating / comment function

Depending on your settings, you have the option to leave comments on products. If you enter and save a comment, it will appear on the website along with your name and the date it was posted. The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR. You can have one or all of your comments deleted at any time. Simply contact the data controller to do so.

- Aunsubscribe from the newsletter

After unsubscribing from the newsletter, your email address will no longer be used to send newsletters. However, your email address, as well as the data collected during newsletter registration, such as IP address and date/time, will remain stored. The date and time of your unsubscription will also be recorded.

We store this data to prove that a registration took place and that consent to receive the newsletter existed until the time of unsubscription. Otherwise, we would be unable to prove this after an unsubscription and would incur legal risks. This data will not be used for any other purpose. The data will be stored until any potential civil claim relating to the sending of the last newsletter has expired.

You can request the immediate deletion of the data collected during newsletter registration at any time, provided you simultaneously send us an informal email from the relevant email address assuring us that you will not assert any claims based on previously received newsletters. Suggested wording: "Please delete all data you provided when registering for your newsletter, including data that allows you to prove your registration. I assure you that I will not assert any claims that require proof of registration."„

Legal basis for data processing: Article 6 paragraph 1 letter f) GDPR. The processing is necessary for the purposes of the legitimate interests pursued by the controller.

- Server log files

The website is operated on a server that logs network connections and collects and stores the following data:

- The IP address from which our service was accessed and the name of the requesting system

- Information about the browser used, operating system, language

- Information about which page, if any, was accessed via a link to our site.

- Information about which website was accessed after leaving our site

- Name of the pages of our website that were accessed

- Date and time of access and time zone used on the accessing system - Amount of data transferred
- Error messages and status information generated

- Information on the transmission protocols used

No further personal data is stored in the log files. Likewise, this data is not linked to any other personal data.

The storage in the log files serves to maintain technical operation, as well as for the purpose of troubleshooting and website optimization, and to maintain security in the event of attacks on the server and to track misuse of the website.

IP addresses are generally anonymized after a period of 7 days by replacing the last 3 digits of the address with 000. This makes it impossible to trace the address back to the user. In the event of an attack on the server, the relevant IP addresses are only anonymized or deleted when they are no longer needed to investigate the attack or to protect against further attacks.

The collection of this data is necessary for technical and security reasons, therefore there is no option to object. The only way to prevent this data collection in the future is to stop visiting the website.

Legal basis for data processing: Article 6 paragraph 1 letter f) GDPR. The processing is necessary for the purposes of the legitimate interests pursued by the controller.

- GGoogle Analytics

To optimize our services and analyze their usage, we use Google Analytics. This service is provided to us by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and is implemented within the framework of a data processing agreement. Cookies are used for this purpose, which, with the aid of a pseudonymous user ID, also enable analysis of usage across different devices. We use the anonymization function provided by Google, which shortens your IP address if you access this service from an EU member state. Your IP address is therefore generally shortened on a server located in the European Union before the data is transferred to the USA. Only in exceptional cases, which may be technically necessary, is the full IP address transmitted and then shortened in the USA. Google is certified under the Privacy Shield Framework and therefore guarantees compliance with European data protection law.

By using the analytics tool, we would like to obtain information about the use of our site, as well as reports on the development of usage in order to optimize our offer.

Google Analytics uses cookies to collect usage data. Among others, the following cookies may be used:

A full description of the possible cookies can be found directly at Google under:

https://policies.google.com/technologies/types?hl=de

Legal basis for data processing: Article 6 paragraph 1 letter f) GDPR. The processing is necessary for the purposes of the legitimate interests pursued by the controller.

You can prevent Google from storing cookies, by downloading and installing a plugin provided by Google on each of the devices where you no longer want Google to set cookies. The plugin is available at

https://tools.google.com/dlpage/gaoptout?hl=de

For more information on data protection, please contact Google directly:

https://policies.google.com/privacy?hl=de&gl=de

- Use of fonts from Google

Our website template uses external fonts from Google to enhance the visual appearance of our site. To enable the fonts to load, your current IP address is sent to Google. This service is provided to us by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google is certified under the Privacy Shield framework and offers data protection comparable to European standards. You can find more information about Google's privacy policy at [link to Google's privacy policy].

https://policies.google.com/privacy?hl=de&gl=de

The legal basis for data processing is our legitimate interest within the meaning of Article 6(1)(f) GDPR. You can prevent this data transfer by no longer using our service.

- Integration of videos via YouTube

Our website embeds videos from YouTube in various places. This feature is provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066 USA. Using videos allows us to create a more engaging design and enhance our offerings.

We use the so-called "enhanced privacy mode" for this. According to YouTube, no data is collected if a video is embedded but not played. By accessing a page on our website that contains one or more embedded videos and playing a video, YouTube LLC receives information about which page you visited and which video was played. If you are logged into YouTube at the same time, YouTube will associate this information with your user account there. If you do not want this association, you should log out of your YouTube account beforehand.

If you click on and play a video, Google will be notified and will learn your IP address.

Further information data protection You will receive them directly from Google:
https://policies.google.com/privacy?hl=de&gl=de

Legal basis for data processing: Article 6 paragraph 1 letter f) GDPR. Processing is necessary for the purposes of the legitimate interests pursued by the controller. In the case of playing a video, processing is based on your consent pursuant to Article 6 paragraph 1 letter a) GDPR.

- Use of images and personal data on our website

The website displays pictures of the processor's employees and cooperation partners, as well as names and, where applicable, job descriptions and contact details (email address, possibly telephone number).

The presentation of this information is intended to give website visitors an impression of our partners and provide contact options.

The data will be used for the duration of the cooperation and then deleted, unless a legal obligation to retain it exists.

Unless otherwise stipulated in an individual contractual agreement or other legal basis, you have the right to object to this use at any time.

The legal basis for processing is your consent pursuant to Article 6 paragraph 1 letter a) GDPR.

- Payment provider Paypal

We use PayPal to process payments and to provide a straightforward payment method. This service is provided by PayPal (Europe) S.à rl et Cie, SCA.
22-24 Boulevard Royal, L-2449 Luxembourg. In connection with the use of PayPal wLogos and/or other information from PayPal are loaded at various points on this page, thereby making PayPal among other things her current IP Address will be revealed via PayPal. is certified under the so-called Privacy Shield and offers data protection comparable to European standards. Further information on data protection can be found at [link to privacy policy]. PayPal Find out more at:

https://www.paypal.com/de/webapps/mpp/ua/privacy-full

You can prevent PayPal from collecting this data by no longer using our site.

Legal basis for data processing: Article 6 paragraph 1 letter f) GDPR. The processing is necessary for the purposes of the legitimate interests pursued by the controller.

- Hosting / Provider

This website is hosted on a server belonging to our provider, who supplies us with the technical infrastructure, including storage space, databases, computing capacity, security features, and internet connectivity. In this context, we, or rather the hosting provider, process contract data, contact information, email and communication data, as well as metadata. To ensure data protection in this regard, we have concluded a data processing agreement with our provider. The legal basis for this is our legitimate interest pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR.

Your fundamental rights regarding data collected by us as the data controller

C) Right to information

1) Every data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of processing;

b) the categories of personal data that are processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria used to determine that duration;

e) the existence of a right to rectification or erasure of personal data concerning them or to restriction of processing by the controller or a right to object to such processing;

f) the existence of a right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information on the source of the data;

h) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR and — at least in those cases — meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request electronically, the information shall be provided in a commonly used electronic format unless otherwise requested by the data subject.

(4) The right to receive a copy pursuant to paragraph 1b shall not adversely affect the rights and freedoms of other persons.

D) Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

E) Right to erasure

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

b) The data subject withdraws his or her consent on which the processing was based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.

c) The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.

d) The personal data were processed unlawfully.

e) The erasure of personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

f) The personal data were collected in relation to information society services offered pursuant to Article 8(1) GDPR.

(2) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

(3) Paragraphs 1 and 2 shall not apply insofar as processing is necessary

a) to exercise the right to freedom of expression and information;

b) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) GDPR and Article 9(3) GDPR;

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

e) for the establishment, exercise or defense of legal claims.

Data is automatically deleted or blocked by us if the purpose of storage no longer applies or a storage period stipulated by European or national legislation expires, unless further storage is necessary for legal or contractual reasons.

F) Right to restriction of processing

(1) The data subject shall have the right to request from the controller the restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,

b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims, or

d) the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing has been restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.

G) Right to object to processing

(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

(3) If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

(4) The data subject must be explicitly informed of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him or her; this information must be provided in an understandable form and separately from other information.

(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

(6) The data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.

 H) Right to data portability

(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where

a) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and

b) processing is carried out using automated procedures.

(2) When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(3) The exercise of the right referred to in paragraph 1 of this Article shall not affect Article 17 GDPR. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(4) The right under paragraph 2 shall not adversely affect the rights and freedoms of others.

I) Right to withdraw consent at any time

In the case of data processing where the legal basis is consent given by the data subject pursuant to Article 6 paragraph 1 letter a) GDPR, the data subject has the right to withdraw his or her consent at any time.

J) Automated individual decision-making, including profiling

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph 1 shall not apply if the decision

a) is necessary for the conclusion or performance of a contract between the data subject and the controller,

b) is permitted under Union or Member State law to which the controller is subject and which contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject or

c) with the explicit consent of the data subject.

(3) In the cases referred to in paragraph 2(a) and (c), the controller shall implement suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

(4) Decisions pursuant to paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) GDPR unless Article 9(2)(a) or (g) GDPR applies and appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject have been taken.

K) Existence of a right of appeal

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

- End of privacy policy -

Note to competitors: This privacy policy was prepared to the best of our knowledge and belief, taking into account numerous legal issues that have not yet been definitively resolved. Should you have any grounds for complaint as a result, particularly if you believe you are at a competitive disadvantage, please refrain from issuing a costly cease-and-desist letter. Instead, please inform us, and we will review your concerns and take appropriate action.

The following list of definitions according to the GDPR is not part of the privacy policy and is provided for your further information:

1. „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter referred to as „data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. „Processing“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. „Restriction of processing“ means the marking of stored personal data with the aim of limiting its future processing;

4. „Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

5. „Pseudonymisation“ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

6. „Filing system“ means any structured set of personal data which are accessible according to specific criteria, irrespective of whether that set of data is centralized, decentralized or organized according to functional or geographical considerations;

7. „Controller“ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law;

8. „Processor“ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. „Recipient“ means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.;

10. „Third party“ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

11. „Consent“ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. „Personal data breach“ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. „genetic data“ means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which are obtained in particular from the analysis of a biological sample from the natural person concerned;

14. „biometric data“ means personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by special technical means which enable or confirm the unique identification of that natural person, such as facial images or fingerprint data;

15. „Health data“ means personal data relating to the physical or mental health of a natural person, including the provision of health services, and revealing information about their health status;

16. „Head office“

(a) in the case of a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions regarding the purposes and means of processing personal data are taken in another establishment of the controller in the Union and that establishment is empowered to implement those decisions; in which case the establishment which takes such decisions shall be deemed to be the central establishment;

(b) in the case of a processor with establishments in more than one Member State, the location of its central administration in the Union or, if the processor does not have a central administration in the Union, the establishment of the processor in the Union where the processing activities in the context of the activities of an establishment of a processor mainly take place, insofar as the processor is subject to specific obligations under this Regulation;

17. „Representative“ means a natural or legal person established in the Union who has been appointed in writing by the controller or processor in accordance with Article 27 and who represents the controller or processor in respect of the obligations incumbent upon them under this Regulation;

18. „Undertaking“ means any natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

19. „Group of companies“ means a group consisting of a controlling company and the companies dependent on it;

20. „binding corporate rules“ means measures for the protection of personal data which a controller or processor established in the territory of a Member State undertakes to comply with with regard to transfers or a category of transfers of personal data to a controller or processor in the same group of undertakings or of the same group of undertakings engaged in a joint economic activity in one or more third countries;

21. „Supervisory authority“ means an independent public authority established by a Member State pursuant to Article 51 GDPR;

22. „Concerned supervisory authority“ means a supervisory authority which is affected by the processing of personal data because

a) the controller or processor is established in the territory of the Member State of that supervisory authority,

b) this processing has or is likely to have a significant impact on data subjects residing in the Member State of this supervisory authority or

c) a complaint has been lodged with this supervisory authority;

23. „cross-border processing“ either

(a) processing of personal data which takes place in the context of the activities of establishments of a controller or processor in the Union in more than one Member State, where the controller or processor is established in more than one Member State, or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which has or is likely to have a significant impact on data subjects in more than one Member State;

24. „relevant and reasoned objection“ means an objection to a draft decision as to whether there has been an infringement of this Regulation or whether the proposed measures against the controller or processor comply with this Regulation, where the objection clearly demonstrates the extent of the risks posed by the draft decision in relation to the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;

25. „Information society service“ means a service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council ( 1 );

26. „international organisation“ means an organisation under international law and its subordinate bodies or any other body established by or on the basis of an agreement between two or more countries.