Privacy Policy

PRIVACY NOTICE
Privacy Policy
I. Controller’s name and address
The controller in the sense of the General Data Protection Regulation and the Member States’ various national data protection legislation as well as other data protection provisions is the:
Institute for European Traffic Law
12, Rue Gabriel Lippmann
L-5365 MUNSBACH
Luxembourg
Phone: +352 26 31 12 04
E-mail: contact@ietl.net
Register of associations: F8857

The controller’s data protection officer is:
Alain KUNZ
12, Rue Gabriel Lippmann
L-5365 MUNSBACH
Luxembourg
Phone: +41 79 20 25 778
E-mail: contact@ietl.net
Website: www.ietl.net

II. General information on data processing
1. Extent to which personal data are processed
In principle, we process the personal data of our users only to the extent required to provide a fully-functioning website as well as our contents and services. As a rule, we only process personal data with the user’s consent. An exception applies where such prior consent could not be obtained for practical reasons and processing of the data is permitted by law.
2. Legal basis for the processing of personal data
If and to the extent that we ask the data subject to consent to the processing of his or her personal data, Art. 6(1) (a) of the EU General Data Protection Regulation (GDPR) shall serve as the legal basis for processing.
If and to the extent that the processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 6(1) (b), GDPR, shall serve as the legal basis. This also applies to the processing necessary for taking steps prior to entering into a contract.
If and to the extent that processing is necessary for compliance with a legal obligation to which our organisation is subject, Art. 6(1) (c), GDPR, shall serve as the legal basis.
Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6(1) (d), GDPR, shall serve as the legal basis.
Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6(1) (f), GDPR, shall serve as the legal basis for processing.
3. Data erasure and storage period
We will erase the data subject’s personal data or make them unavailable as soon as the purposes for which they were stored no longer apply. In addition, the controller may store personal data if required by Union or Member State laws or regulations, laws or other provisions to which the controller is subject. Unless required to retain the data for the conclusion or performance of a contract, the controller will make the data unavailable or erase them upon expiry of the storage periods defined in the above-mentioned legislation.

III. Provision of the website and creation of log files
1. Description and extent of data processing
Our system collects data and information by automated means from computers that generate a pageview on our website.
We collect the following data:
1. Browser type and version
2. The user’s operating system
3. The user’s IP address
4. Date and time of access
5. Websites from which the user’s system accesses our website
6. Websites accessed by the user’s system through our website
The data are also stored in our system’s log files. These data are not stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6(1) (f), GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the provision of the website to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.
We store such data in log files to ensure the functionality of the website. In addition, we use the data to optimise our website and to ensure the security of our information technology systems. We do not analyse the data for marketing purposes in this context.
These purposes constitute our legitimate interest in data processing pursuant to Art. 6(1) (f), GDPR.
4. Storage period
The data will be erased once they are no longer necessary for the purpose for which they were collected. As regards the collection of data for the provision of the website, this is the case when the respective session has ended.
Where the storage of data in log files is concerned, this is the case no later than after 30 days. Longer storage periods are possible. In such case, the user’s IP address is deleted or anonymized to prevent any future matching to the client that generated the pageview.
5. Option to object and erase
For the provision and operation of the website, it is essential that we collect the data and store them in log files. Therefore, users have no option to object.

IV. Use of cookies
1. Description and extent of data processing
Our website uses cookies. Cookies are text files that are stored on the user’s computer system in and/or by the Internet browser. Whenever a user visits a website, a cookie can be stored in his/her operating system. The cookie contains a unique string of characters which allows to clearly identify the browser when the user revisits the website.
We use cookies to make our website more user-friendly. Several elements of our website require the connecting server to be identifiable also after visiting another website.
The cookies store and transmit the following data:
• site and language settings
• log-in information
We have technical measures in place to pseudonymise the user data collected. This means that the data can no longer be matched to the user who accessed the site. The data are not stored together with other personal data of the user.
A cookie information banner informs users visiting our website that we use cookies for analysis purposes and refers them to this Privacy Policy. They are asked for their consent to the processing of their personal data used in this context. In addition, they are informed about how to disable the storage of cookies in their browser settings.
2. Legal basis for data processing
The legal basis for the processing of personal data using cookies that are technically necessary is Art. 6(1) (f), GDPR.
3. Purpose of data processing
The purpose of using technically necessary cookies is to enhance the use of a website. Without cookies, some functionalities of our website will not work. For the website to be fully functional, the browser needs to be identified also after visiting another website.
We need cookies for the following applications:
• site and language settings
• log-in information
We do not use the user data collected through technically necessary cookies to create user profiles.
These purposes constitute our legitimate interest in the processing of personal data pursuant to Art. 6(1) (f), GDPR.
4. Storage period, option to object and erase
Cookies are stored on the user’s computer and sent to our website from there. This means that, as a user, you have full control over the use of cookies. By changing your browser’s settings, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done by automated setting. If you disable cookies for our website, you may no longer be able to use all of the functionalities of our website.

V. Registration
1. Description and extent of data processing
On our website users can register by entering their personal data. After you enter your data in an input mask, they are transmitted to us and stored. We do not forward data to third parties. The data below are collected during registration.
During registration, the following data are stored:
1. The user’s IP address
2. Date and time of registration
3. Last name
4. First name
5. User name
6. E-mail address
7. Physical address
8. Password hash
We ask you to consent to the processing of your data during your registration.
2. Legal basis for data processing
The legal basis for the processing of data with the user’s consent is Art. 6(1) (a), GDPR.
If the registration is necessary for the performance of a contract to which the user is party or in order to take steps prior to entering into a contract, the legal basis for data processing is Art. 6(1) (b), GDPR.
3. Purpose of data processing
The user’s registration is necessary for the performance of a contract to which the user is party or in order to take steps prior to entering into a contract.
4. Storage period
Data are erased once they are no longer necessary for the purpose for which they were collected.
Where this concerns the registration for the performance of a contract to which the user is party or in order to take steps prior to entering into a contract, the data are erased once they are no longer necessary for the performance of the contract. The requirement to store the contracting party’s personal data may survive the conclusion of the contract to ensure compliance with the contractual or legal obligations.
5. Option to object and erase
Users may unsubscribe or have their stored data changed at any time. To request such unsubscription or change, please contact our data protection officer at the postal address or e-mail address provided in item I. above.
If the registration is necessary for the performance of a contract to which the user is party or in order to take steps prior to entering into a contract, earlier erasure of the data is possible only to the extent permissible by the contract or law.

VI. Contact form and e-mail contact
To get in touch with us, you can use the e-mail address provided. If you do so, we will store the personal data you transmit by e-mail.
No data are forwarded to third parties in this regard. The data are used exclusively for processing the correspondence.
1. Legal basis for data processing
The legal basis for the processing of data with the user’s consent is Art. 6(1) (a), GDPR.
The legal basis for the processing of data transmitted as part of an e-mail is Art. 6(1) (f), GDPR. If the aim of the e-mail enquiry is to conclude a contract, the legal basis for the processing shall also be Art. 6(1) (b), GDPR.
2. Purpose of data processing
We only process the personal data from the input mask in order to handle the e-mail enquiry. An e-mail enquiry also constitutes the required legitimate interest in data processing.
The other personal data processed while the e-mail is being sent serve to prevent any abuse of the contact form and to ensure the security of our information technology systems.
3. Storage period
Data are erased once they are no longer necessary for the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective correspondence with the user has ended. A correspondence is deemed to have ended when it can be inferred from the circumstances that the matter has been clarified conclusively.
The other personal data collected while the e-mail is being sent are erased no later than after seven days.
4. Option to object and erase
Users may revoke their consent to the processing of their personal data at any time. Users contacting us by e-mail may object to their personal data being stored at any time. Such objection means the end of any correspondence.
To object to data storage or revoke your consent, please contact our data protection officer at the postal address or e-mail address provided in item I. above.
In this case we will erase all your personal data stored in relation to your enquiry.

VII. Rights of the data subject
Whenever and wherever your personal data are processed, you are a data subject as defined in the GDPR and entitled to exercise the following rights towards the controller:
1. Right of access
You have the right to obtain from us as the controller confirmation as to whether or not we process personal data concerning your person.
If this is the case, you may request the following information from the controller:
• the purposes of the processing of personal data;
• the categories of personal data processed;
• the recipients or categories of recipient to whom your personal data have been or will be disclosed;
• the envisaged period for which your personal data will be stored, or, if no specific information can be provided, the criteria used to determine the storage period;
• the existence of the right to request from the controller rectification or erasure of your personal data or restriction of the processing of your personal data or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4), GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed about whether or not your personal data are transferred to a third country or to an international organisation. Where this is the case, you may request information about the appropriate safeguards pursuant to Art. 46, GDPR, relating to the transfer.
2. Right to rectification
You have the right to request the controller to rectify or complete inaccurate or incomplete personal data concerning your person without undue delay.
3. Right to restriction of processing
You have the right to request the controller to restrict the processing of your personal data where one of the following applies:
• you challenge the accuracy of your personal data for as long as the controller needs to verify the accuracy of your personal data;
• the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims; or
• you have objected to the processing pursuant to Art. 21(1), GDPR, pending the verification whether or not the legitimate grounds of the controller override yours.
Where processing has been restricted, the relevant personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where processing has been restricted for one of the above grounds, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
4.1 Obligation to erase
You have the right to obtain from the controller the erasure of your personal data without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
• your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you withdraw your consent on which the processing is based according to Art. 6(1) (a) or Art. 9(2) (a), GDPR, and there is no other legal ground for the processing;
• you object to the processing pursuant to Art. 21(1), GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2), GDPR;
• your personal data have been unlawfully processed;
• your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1), GDPR.
4.2 Notification of third parties
Where the controller has made your personal data public and is obliged pursuant to Art. 17(1), GDPR, to erase your personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing your personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
4.3 Exemptions
• The right to erasure will not apply to the extent that processing is necessary
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Art. 9(2) (h) and (i) as well as Art. 9(3), GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1), GDPR, in so far as the right referred to in clause 4.1 above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defence of legal claims.
5. Right to be informed
Where you requested the controller to rectify or erase any data or restrict the processing, the controller is under the obligation to communicate such rectification or erasure of personal data or restriction of processing to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
At your request, the controller must inform you about those recipients.
6. Right to data portability
You have the right to receive the personal data you have provided to a controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
• the processing is based on consent pursuant to Art. 6(1) (a), GDPR, or Art. 9(2) (a), GDPR, or on a contract pursuant to Art. 6(1) (b), GDPR; and
• the processing is carried out by automated means.
In exercising this right, you are also entitled to have your personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6(1) (e) or (f), GDPR, including profiling based on those provisions.
The controller will no longer process your personal data unless demonstrating compelling legitimate grounds for the processing which override your interests, rights and freedoms or for establishing, exercising or defending legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw the data protection consent
You are entitled to withdraw your data protection consent at any time. Your withdrawal of consent will not affect the lawfulness of processing based on your consent before its withdrawal.
9. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78, GDPR.