Data protection declaration
UNILUX GmbH (hereinafter, “UNILUX” or “we”) places a particularly high priority on data protection. The UNILUX website can normally be used without providing any personal data. However, if a data subject wants to use specific company services via our website, the processing of personal data may become necessary.
The processing of personal data, for example the name, address, e-mail address or telephone number of a data subject, is always performed in accordance with the applicable data protection regulations, and in particular of the General Data Protection Regulation (hereinafter, "GDPR”). By means of this data protection declaration, UNILUX wishes to inform you about the type, scope and purpose of the personal data that is collected, used and processed. Data subjects are also informed about the rights to which they are entitled.
As the controller responsible for processing, UNILUX has implemented a wide range of technical and organizational measures in order to ensure the most complete protection possible for the personal data processed via this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection cannot be guaranteed. For this reason, every data subject is also free to transmit personal data to UNILUX in other ways, or example by telephone.
The UNILUX data protection declaration is based on the terms used by the European legislative and regulatory authority when the GDPR was released. Our data protection declaration should be easy to read and understand for everybody. In order to ensure this, we would like to first explain the terminology used.
In this data protection declaration, we use, inter alia, the following terms:
a. Personal data
Personal data is any information that refers to an identified or identifiable natural person (hereinafter, “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing is any process carried out with or without the help of automated procedures or any such series of processes in connection with personal data such as the collection, recording, organizing, arranging, storage, adapting or changing, reading out, querying, use, disclosure through transmission, distribution or any other form of provision, matching or linking, restriction, deletion or destruction.
c. Restriction of processing
Restriction of processing is the labeling of saved personal data with the aim of restricting the future processing thereof.
Profiling is any kind of automated processing of personal data wherein this personal data is used to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects relating to work performance, economic circumstances, health, personal preferences, interests, reliability, behavior, location or changes of location of this natural person.
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without additional information, provided that this additional information is kept separately and technical and organizational measures are taken to ensure that the personal data is not assigned to an identified or identifiable natural person.
f. Controller or processing controller
The controller or processing controller is the natural or legal person, authority, institution or other body that, alone or together with others, decides on the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of UNILUX.
A recipient is a natural or legal person, authority, institution or other body to which personal data is released, regardless of whether they are a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
i. Third party
A third party is a natural or legal person, authority, institution or other body other than the data subject, UNILUX, the processor and the persons who, under the direct responsibility of UNILUX or the processor, are authorized to process the personal data.
Consent is any expression of will voluntarily given in an informed manner and unequivocally by the data subject for the specific case in the form of a declaration or other clear confirmation action, with which the data subject indicates that they consent to the processing of their personal data.
2. Name and address of the controller
The controller within the meaning of the GDPR, other data protection laws applicable within the member states of the European Union and other provisions relating to data protection is:
3. Name and address of the data protection officer
The UNILUX data protection officer is:
A data subject can contact our data protection officer directly at any time about any question or suggestion relating to data protection.
The setting of cookies by our website can be prevented at any time by means of a corresponding setting in the web browser used, and the setting of cookies can be permanently prevented in this way. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the setting of cookies is disabled in the Internet browser used, not all of the functions of our website may be fully usable.
5. Collection of general data and information
The UNILUX website collects a range of general data and information during every visit. This general data and information are stored in the server log files. The following may be collected: (1) the browser type and version used, (2) the operating system used, (3) the website from which our website was accessed (the so-called referrer), (4) the sub-websites which are accessed on our website, (5) the date and time of access, (6) an Internet protocol address (the IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that is used to avert danger in the event of an attack on our information technology systems.
When using this general data and information, UNILUX does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. UNILUX therefore analyzes this anonymously collected data and information statistically with the aim of increasing data protection and data security within our company, and ultimately to ensure an optimal level of protection for the personal data that we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
6. Contact option via the website
Due to legal requirements, the UNILUX website contains information that enables rapid electronic contact with our company as well as direct communication with us, which also includes a general address for so-called electronic mail (an e-mail address). If a data subject contacts UNILUX by e-mail or via a contact form, the personal data transmitted by the data subject is stored automatically. Personal data of this kind submitted voluntarily is stored for processing purposes or to contact the data subject. There is no transfer of this personal data to third parties.
7. Routine deletion and blocking of personal data
UNILUX processes and stores personal data of the data subject only for the period necessary in order to achieve the purpose of the storage or where provided for under applicable legislation.
If the purpose of the storage no longer applies or a statutory storage period has expired, the personal data is blocked or deleted as a matter of course and in accordance with the statutory provisions.
8. Rights of the data subject
a. Right to confirmation
Every data subject has the right to request confirmation from UNILUX as to whether and how their personal data is or has been processed. If a data subject wishes to exercise this right, they can contact our data protection officer or any other of our employees at any time.
b. Right of access
Any person affected by the processing of personal data has the right, at any time and free of charge, to access the personal data relating to themselves saved by UNILUX, and to receive a copy thereof. There is also a right of access with regard to the following information:
- The processing purposes
- The categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- The existence of the right to correct or delete the personal data concerning them or restrict processing by UNILUX or a right to object to this processing
- The existence of the right to lodge a complaint with a supervisory authority
- Where the personal data are not collected from the data subject: All available information on the origin of the data
- The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
In addition, the data subject has a right of access as to whether personal data has been transmitted to a third country or to an international organization. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to exercise this right of access to information, they can contact our data protection officer or any other of our employees at any time.
c. Right to correction
Everyone has the right to request the immediate correction of incorrect personal data concerning them. Furthermore, the right also exists, taking into account the purposes of the processing, to request the completion of incomplete personal data – also by means of an additional declaration.
If a data subject wishes to exercise this right to correction, they can contact our data protection officer or any other of our employees at any time.
d. Right to erasure (right to be forgotten)
Everyone affected by the processing of personal data has the right to request from UNILUX that the personal data concerning them be deleted immediately, provided that one of the following reasons applies, and that the processing is not necessary:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
- The personal data have been unlawfully processed.
- The deletion of the personal data is necessary in order to fulfill a legal obligation on the part of UNILUX.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
Provided that one of the reasons given above applies and a data subject wishes to have the personal data stored at UNILUX deleted, they can contact our data protection officer or any other of our employees at any time. Our data protection officer and/or other employee will ensure that the request for deletion is complied with immediately.
If UNILUX has made the personal data public and UNILUX as controller is required to delete the personal data in accordance with Article 17(1) of the GDPR, UNILUX shall take appropriate measures, including of a technical kind, taking into account the available technologies and the cost of implementation, to inform other persons responsible for the processing of the data who process the published personal data, that the data subject has requested from another data-processing officer the deletion of all links to this personal data or of copies or replications of this personal data, provided that processing is not necessary. The data protection officer or other employee of UNILUX will take the necessary steps on a case-by-case basis.
e. Right to restriction of processing
Everyone affected by the processing of personal data has the right to request that UNILUX restrict the processing thereof, if any of the following conditions applies:
- The accuracy of the personal data is contested by the data subject, and for a duration that enables UNILUX to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- UNILUX no longer requires the personal data for processing purposes, but the data subject still requires them in order to assert, exercise or defend a legal claim.
- The data subject has lodged an objection to the processing pursuant to Art. 21(1) of the GDPR and it has not yet been determined whether the legitimate grounds of the UNILUX controller outweigh those of the data subject.
Provided one of the above prerequisites applies, and a data subject wishes to request the restriction of processing of personal data stored by UNILUX, they can contact our data protection officer or any other of our employees at any time. The data protection officer or other employee of UNILUX will authorize the processing restriction.
f. Right to data portability
Everyone affected by the processing of personal data has the right to receive their personal data, which was made available to UNILUX by the data subject, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from UNILUX, provided that the processing is based on the consent pursuant to point (a) of Art. 6(1) of the GDPR or point (a) of Art. 9(2) of the GDPR or based on a contract pursuant to point (b) of Art. 6(1) of the GDPR, and the processing is carried out using automated procedures, unless the processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in UNILUX.
In addition, when exercising their right to data portability pursuant to Art. 20(1) of the GDPR, the data subject shall have the right to have the personal data transferred directly from UNILUX to another controller, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.
The data subject can contact the UNILUX data protection officer or any other employee at any time to assert their right to data portability.
g. Right to object
Every person affected by the processing of personal data has the right, for reasons arising from their particular circumstances, to object at any time to the processing of their personal data based on point (e) or (f) of Art. 6(1) of the GDPR. This also applies to profiling based on these provisions.
UNILUX will no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing is required to assert, exercise or defend a legal claim.
If UNILUX processes personal data for direct advertising purposes, the data subject has the right to object at any time to the processing of their personal data for the purpose of such advertising. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to the processing by UNILUX for the purpose of direct advertising, UNILUX will no longer process the personal data for this purpose.
In addition, the data subject has the right, for reasons arising from their particular circumstances, to object to the processing of personal data relating to them by UNILUX for scientific or historic research purposes, or for statistical purposes pursuant to Art. 89(1) of the GDPR, unless such processing is necessary in order to fulfill a task which is in the public interest.
The data subject can contact the UNILUX data protection officer or any other employee at any time to exercise their right of objection. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
h. Automated individual decision-making, including profiling
Every person affected by the processing of personal data has the right not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning them or which significantly affects them in a similar manner, provided that the decision (1) is not necessary for the conclusion or fulfillment of a contract between the data subject and UNILUX, or (2) is permitted on the basis of legal provisions to which UNILUX is subject, and these legal provisions contain appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, or (3) is based on the express consent of the data subject.
If the decision is necessary (1) for the conclusion or fulfillment of a contract between the data subject and UNILUX or (2) is based on the express consent of the data subject, UNILUX will take appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, including at least the right to obtain human intervention on the part of UNILUX, to express their own standpoint and to contest the decision.
If the data subject wishes to assert their right relating to automated decision-making, they can contact our data protection officer or any other of our employees at any time.
i. Right to withdraw consent under data protection law
Every person affected by the processing of personal data has the right to withdraw consent to the processing of personal data at any time.
If the data subject wishes to assert their right to withdraw consent, they can contact our data protection officer or any other of our employees at any time.
9. Data protection for applications and in application procedures
UNILUX collects and processes the personal data of applicants for the purposes of handling the application process. The processing may also be carried out electronically. This is in particular the case if an applicant transfers application documents to UNILUX electronically, for example by e-mail or via a web form on the website. If UNILUX concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If no employment contract is concluded between UNILUX and the applicant, the application documents will be automatically deleted two months after notification of the rejection decision, provided that deletion does not conflict with the legitimate interests of UNILUX. Other legitimate interest in this relation is, e.g., a burden of proof in a procedure under the General Equal Treatment Act (AGG).
10. Data protection regulations governing the deployment and use of Facebook
UNILUX has integrated components from the company Facebook into this website. Facebook is a social network.
A social network is a social meeting point operated on the Internet, an online community that generally enables users to communicate with each other and interact in a virtual space. A social network can serve as a platform for exchanging opinions and experiences, or enable the Internet community to provide personal or company-related information. Among other things, Facebook enables users of its social network to create private profiles, upload photographs, and network via friend requests.
Facebook’s operating company is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside of the USA or Canada, the controller for the processing of personal data controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Every time that an individual page on this website integrating a Facebook component (Facebook plug-in) is accessed, the Internet browser on the data subject’s information technology system is automatically prompted by the relevant Facebook component to download a display of the corresponding Facebook component from Facebook. An overview of all Facebook plug-ins can be found here: https://developers.facebook.com/docs/plugins. As part of this technical process, Facebook is informed of the specific sub-page of our website visited by the data subject.
If the data subject is logged into Facebook at the same time, Facebook recognizes the specific sub-page of our website visited by the data subject every time the data subject accesses our website and for the entire duration of their stay on our website. This information is collected by the Facebook component and assigned by Facebook to the respective Facebook account of the data subject. If the data subject clicks on one of the Facebook buttons integrated into our website, for example the “Like” button, or the data subject makes a comment, Facebook assigns this information to the personal Facebook user account of the data subject and stores this personal data.
Facebook receives information via the Facebook component that the data subject has visited our website if the data subject is also logged into Facebook when they access our website; this occurs regardless of whether the data subject clicks the Facebook component or not. If the data subject does not want this information to be transmitted in this way to Facebook, they can prevent this transmission by logging out of their Facebook account before accessing our website.
The Facebook data policy can be accessed here: https://facebook.com/about/privacy/, and provides information on the collection, processing and use of personal data by Facebook. This also explains the setting options that Facebook offers to protect the privacy of the data subject. In addition, various applications are also available which allow you to suppress the transmission of data to Facebook, for example Facebook Blocker provided by Webgraph, which can be obtained here: http://webgraph.com/resources/facebookblocker/. The data subject can use applications of this kind to suppress the transmission of data to Facebook.
11. Data protection regulations governing the deployment and use of Matomo (formerly Piwik)
This website uses the Matomo open source Web analysis service. Matomo uses technologies that enable cross-site recognition of users in order to analyze user behavior (e.g., cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. IP addresses are anonymized prior to storage.
Matomo enables us to collect and analyse data on the use of our website by website visitors. This enables us, inter alia, to see when a page was accessed, and the region from which the request came. We also record different log files (e.g., IP address, referrer, browsers and operating systems used) and can measure whether our website visitors perform certain actions (e.g., clicks, purchases, inter alia.).
The use of this analysis tool is based on point (f) of Art. 6(1) of the GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website as well as its advertising. If a corresponding consent has been requested, the processing is performed exclusively on the basis of point (a) of Art. 6(1) of the GDPR and § 25(1) of the TTDSG, provided that the consent includes the storage of cookies or access to information on the user's end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be withdrawn at any time.
When performing analyses with Matomo, we use IP anonymization. Your IP address is abbreviated prior to the analysis, so that it can no longer be clearly assigned to you.
We host Matomo exclusively on our own servers, so that all analysis data remains with us, and is not forwarded.
12. Data protection regulations governing the deployment and use of Google AdWords
UNILUX has integrated Google AdWords into this website. Google AdWords is an Internet advertising service that allows advertisers to place advertising both in Google's search engine results and in the Google advertising network. Google AdWords allows an advertiser to predefine certain keywords that will then be used to display an advertisement in Google's search engine results when the user uses the search engine to retrieve a keyword-relevant search result. In the Google advertising network, the advertisements are distributed to topic-relevant websites by means of an automatic algorithm and taking into account the previously defined keywords.
The operator of the Google AdWords service is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The purpose of Google AdWords is to promote our website by displaying interest-relevant advertising on the website of third-party companies and in search results from the Google search engine, and by displaying third-party advertising on our website.
If a data subject accesses our website via a Google ad, a so-called conversion cookie will be stored on the data subject’s information technology system. Cookies have already been explained above. A conversion cookie expires after thirty days and is not used to identify the data subject. Provided that the conversion cookie has not expired, the cookie is used to determine whether specific sub-pages, for example the shopping cart of our online shop system, have been accessed on our website. The conversion cookie allows both us and Google to understand whether a data subject who accessed our website via an AdWords ad generated any revenue, i.e., whether they completed or canceled a purchase.
The data and information collected through the use of conversion cookies and information are used by Google to generate visit statistics for our website. In turn, we use the visit statistics to determine the total number of users that reach us via AdWords advertisements, i.e., in order to determine the success or otherwise of the relevant AdWords advertisement and to optimize our future AdWords advertising. Neither our company nor other Google AdWords advertisers receive information from Google that could be used to identify a data subject.
The conversion cookie is used to store personal information, for example the websites visited by the data subject. Accordingly, with each visit to our website, personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass this personal data collected via the technical process to third parties.
As previously mentioned, the data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting in the web browser used, and the setting of cookies can be permanently prevented in this way. Such a setting of the Internet browser used would also prevent Google from setting a conversion cookie on the data subject’s information technology system. In addition, an existing cookie set by Google AdWords can be deleted at any time using the Internet browser or other software.
The data subject also has the option of objecting to interest-relevant advertising from Google. To do this, the data subject must direct each of the Internet browsers that they use to the following link: www.google.com/settings/ads, and make the desired settings there.
Further information and Google’s applicable data protection regulations can be found here: https://www.policies.google.com/privacy.
13. Data protection regulations governing the deployment and use of YouTube
UNILUX has integrated components from YouTube into this website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge, and other users to use, rate and comment on them, also free of charge. YouTube allows the publishing of all types of videos, which is why both complete films and TV episodes, as well as videos, trailers and videos produced by users themselves are available on the Internet portal.
The operator of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Every time that an individual page on this website integrating a YouTube component (YouTube video) is accessed, the Internet browser on the data subject’s information technology system is automatically prompted by the relevant YouTube component to download a display of the corresponding YouTube component from YouTube. Further information on YouTube can be found here: https://about.youtube. As part of this technical process, YouTube and Google are informed of the specific sub-page of our website visited by the data subject.
If the data subject is also logged into YouTube, when they access a sub-page which contains a YouTube video, YouTube is informed of the specific sub-page of our website visited by the data subject. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.
YouTube and Google receive information via the YouTube component that the data subject has visited our website if the data subject is also logged into YouTube when they access our website; this occurs regardless of whether the data subject clicks the YouTube video or not. If the data subject does not want this information to be transmitted in this way to YouTube and Google, they can prevent this transmission by logging out of their YouTube account before accessing our website.
The YouTube data privacy provisions can be accessed here: https://www.policies.google.com/privacy, and provide information on the collection, processing and use of personal data by YouTube and Google.
14. Legal basis of the processing
The GDPR, and Art. 6 and 9 in particular, provides the legal basis for our processing of personal data:Point (a) of Art. 6(1) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on point (b) of Article 6(1) GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If UNILUX is subject to a legal obligation under which the processing of personal data is required, such as for example in order to fulfill tax obligations, the processing is based on point (c) of Art. 6(1) of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his or her name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on point (d) of Art. 6(1) GDPR. Finally, processing operations could be based on point (f) of Article 6(1) GDPR. This legal basis is used for processing operations which are not covered by any of the above mentioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. They considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
15. Legitimate interests in the processing performed by UNILUX or a third party
If the processing of personal data is based on point (f) of Article 6(1) of the GDPR, our legitimate interest is in particular conducting our business activities for the benefit of all of our employees and our shareholders.
16. Duration for which the personal data is stored
The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.
17. Provision of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; Possible consequences of failure to provide such data
We hereby clarify that the provision of personal data is partially required by law (e.g., under tax regulations) or can also result from the provisions of a contract (e.g., information on the contractual partner). In order to conclude a contract, it may sometimes be necessary for a data subject to provide us with personal data, which must subsequently be processed by us. For example, the data subject is obligated to provide us with personal data if UNILUX concludes a contract with them. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, the data subject can contact our data protection officer. Our data protection officer will explain to the data subject on a case-by-case basis of whether the provision of the personal data is required by law or under the contract, or is necessary in order to conclude the contract, whether there is an obligation to provide the personal data, and what the consequences would be of any failure to provide the personal data.
18. Existence of automated decision-making
As a responsible company, we do not use automatic decision-making or profiling.