Information on the use and protection of your data and your rights - Information pursuant to Articles 13, 14 and 21 of the European Data Protection Regulation (hereinafter referred to as DSGVO)
In the following, we, the miha bodytec GmbH, inform you about how we process, collect and use your personal data in the context of the use of our offers and services.
When you use and access the offers and services of miha bodytec GmbH, various information is transmitted to us via your PC or other end device, such as a smartphone, with which you use our offers (hereinafter: your "system"), depending on the type of use. The majority of the information transmitted in the course of use is not personal. In the following data protection declaration, we explain what information and personal data is involved and how we use it.
First things first: For us, sensitive and responsible handling of your personal data is an elementary component of a serious and customer-oriented business activity. The principle of data economy is already of great importance when collecting data. We collect and process your personal data only insofar as you have given us your consent to do so or the legislator expressly permits us to do so or stipulates that we do so or you allow us to do so. We guarantee that no personal data will be passed on to third parties without authorisation.
We would like to point out that the European General Data Protection Regulation and a new version of the Federal Data Protection Act apply from 25.05.2018.
1. WHAT IS PERSONAL DATA?
Personal data is any information about the personal and factual circumstances of an identified or identifiable natural person (Section 3(1) BDSG) or user. Examples of personal data are details such as your name, address, location, online identifiers or telephone number.
The offer of miha bodytec is basically directed at users of legal age. Use by minors without the consent of their legal guardians is not permitted. Miha bodytec therefore reserves the right to delete all data relating to underage users if the parent or guardian has not given their consent.
3. RESPONSIBLE BODY
The responsible party for the collection, processing and use of your personal data in the sense of the DSGVO is miha bodytec GmbH, Siemensstraße 1, 86343 Gersthofen.
If you have a concern about data protection at miha bodytec, please contact us using the following methods:
miha bodytec GmbH
telephone: +49 821 45 54 92 - 0
4. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
Mr. Michael Tetté has been appointed as data protection officer. He carries out the activities according to Art. 38 and Art. 39 DSGVO. You can contact the data protection officer at
email@example.com at any time with data protection-related concerns.
5. HOW DO WE COLLECT AND PROCESS YOUR PERSONAL DATA? WHICH SOURCES AND DATA DO WE USE?
Your data is collected, on the one hand, because you provide it to us or because it is publicly accessible. This can be, for example, data that you give us in person, by telephone, by e-mail or via a contact form.
Other data is collected automatically by our IT systems when you visit the website. This is mainly technical data (e.g. internet browser, operating system or time of page access). This data is collected automatically as soon as you enter our website.
If you send us enquiries via the contact form, your details from the enquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent.
The processing of the data entered in the contact form is therefore based exclusively on your consent (Art. 6 para. 1 lit. a DSGVO). You can revoke this consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
The data you entered in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions - in particular retention periods - remain unaffected.
If you would like to receive a newsletter offered by miha bodytec, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties.
You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time.
Newsletter information and consent
The following information explains the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedures and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described. ["Note on the Newsletter according to the sample of lawyer Dr. Thomas Schwenke"].
Content of the newsletter
We send newsletters, e-mails and other electronic notifications with advertising information (hereinafter referred to as "newsletter") only with the consent of the recipients or with a legal permission. If the contents of the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. In addition, our newsletters contain information about topics in the fitness market, in particular EMS training, as well as about our company and partner organisations. (This may include, in particular, references to blog articles, lectures or workshops, our services or online presences).
Double opt-in and logging
Registration for our newsletter takes place in a so-called double opt-in process. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with other people's e-mail addresses.
The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored with MailChimp are also logged.
Use of the "MailChimp" dispatch service provider
The newsletter is sent using "MailChimp", a newsletter sending platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The email addresses of our newsletter recipients, as well as their other data described in this notice, are stored on MailChimp's servers in the USA. MailChimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, according to its own information, MailChimp may use this data to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and the presentation of the newsletters or for economic purposes in order to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write to them itself or to pass it on to third parties.
To register for the newsletter, it is sufficient to enter your e-mail address.
Statistical collection and analyses
The newsletters contain a so-called "web-beacon", i.e. a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. Within the scope of this retrieval, technical information, such as information on the browser and your system, as well as your IP address and the time of the retrieval are initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined with the help of the IP address) or the access times.
Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our intention nor that of MailChimp to observe individual users. The analyses serve us much more to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
Online access and data management
You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. At the same time, your consent to the sending of the newsletter via MailChimp and the statistical analyses will expire. Unfortunately, it is not possible to separately revoke the sending via MailChimp or the statistical analysis.
You will find a link to cancel the newsletter at the end of each newsletter.
Legal basis Data Protection Ordinance
In accordance with the requirements of the Basic Data Protection Regulation (DSGVO) applicable from 25 May 2018, we inform you that consent to the sending of e-mail addresses is given on the basis of Art. 6 Para. 1 lit. a, 7 DSGVO as well as § 7 Para. 2 No. 3, or Para. 3 UWG. The use of the dispatch service provider MailChimp, the performance of statistical surveys and analyses as well as the logging of the registration process are based on our legitimate interests pursuant to Art. 6 para. 1 lit. f DSGVO. Our interest is directed towards the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of the users.
We would also like to point out that you can object to the future processing of your personal data in accordance with the legal requirements pursuant to Art. 21 DSGVO at any time. The objection can be made in particular against the processing for purposes of direct advertising
Server log files
The provider of our websites automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of server request
- IP address.
This data is not merged with other data sources.
The basis for data processing is Art. 6 para. 1 lit. f DSGVO, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.
Our websites use functions of the web analysis service Google Analytics. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "cookies". These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.
Google Analytics cookies are stored on the basis of Art. 6 (1) lit. f DSGVO. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.
We have activated the IP anonymisation function on our websites. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
Objection to data collection
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the collection of your data during future visits to this website: Deactivate Google Analytics.
Google AdWords and Google Conversion Tracking
Our websites may use Google AdWords. AdWords is an online advertising programme of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States ("Google").
Within the framework of Google AdWords, we use so-called conversion tracking. When you click on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the internet browser stores on the user's computer. These cookies lose their validity after 30 days and are not used to personally identify the user. If the user visits certain pages of this website and the cookie has not yet expired, Google and we will be able to recognise that the user clicked on the ad and was redirected to this page.
Each Google AdWords customer receives a different cookie. The cookies cannot be tracked across AdWords customers' websites. The information obtained using the conversion cookie is used to create conversion statistics for AdWords customers who have opted in to conversion tracking. The customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. If you do not wish to participate in the tracking, you can object to this use by easily deactivating the Google conversion tracking cookie via your internet browser under user settings. You will then not be included in the conversion tracking statistics.
The storage of "conversion cookies" is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.
Facebook plugins (Like & Share button)
Plugins of the social network Facebook, provider Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, are integrated on our pages. You can recognise the Facebook plugins by the Facebook logo or the "Like button" ("Like") on our page. You can find an overview of the Facebook plugins here: http: //developers.facebook.com/docs/plugins/.
When you visit our pages, a direct connection is established between your browser and the Facebook server via the plugin. Facebook thereby receives the information that you have visited our site with your IP address. If you click the Facebook "Like" button while you are logged into your Facebook account, you can link the content of our pages on your Facebook profile. This allows Facebook to associate the visit to our pages with your user account.
If you do not wish Facebook to be able to associate your visit to our pages with your Facebook user account, please log out of your Facebook user account.
Our website uses the visitor action pixel from Facebook, Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook") to measure conversions.
This makes it possible to track the behaviour of page visitors after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimised.
The data collected is anonymous for us as the operator of this website, we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook data usage policy. This enables Facebook to serve advertisements on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.
You can also deactivate the "Custom Audiences" remarketing function in the settings section for advertisements at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.
If you do not have a Facebook account, you can disable usage-based advertising from Facebook on the European Interactive Digital Advertising Alliance website: http: //www.youronlinechoices.com/de/praferenzmanagement/.
You can change your privacy settings on Twitter in the account settings at http://twitter.com/account/settings.
On our pages, we use social plugins of the social network Pinterest, which is operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA ("Pinterest"). When you call up a page that contains such a plugin, your browser establishes a direct connection to the Pinterest servers. The plugin transmits log data to the Pinterest server in the USA. This log data may contain your IP address, the address of the websites visited that also contain Pinterest functions, the type and settings of the browser, the date and time of the request, how you use Pinterest and cookies.
Further information on the purpose, scope and further processing and use of the data by Pinterest, as well as your rights in this regard and options for protecting your privacy, can be found in the Pinterest data protection information: https: //about.pinterest.com/de/privacy-policy
Our websites may use plugins from the YouTube site operated by Google. The operator of the sites is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
When you visit one of our sites equipped with a YouTube plugin, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited.
If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f DSGVO.
Functions of the Instagram service are integrated on our pages. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram.
In our online shop we offer, among other things, payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").
If you select payment via PayPal, the payment data you enter will be transmitted to PayPal.
The transmission of your data to PayPal is based on Art. 6 para. 1 lit. a DSGVO (consent) and Art. 6 para. 1 lit. b DSGVO (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the validity of past data processing operations.
Google Web Fonts
This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly. For this purpose, the browser you use must connect to Google's servers. This informs Google that our website has been accessed via your IP address. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f DSGVO. If your browser does not support web fonts, a standard font from your computer will be used.
Adobe Typekit Web Fonts
Our website uses so-called web fonts from Adobe Typekit for the uniform display of certain fonts. The provider is Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe). When you call up our pages, your browser loads the required fonts directly from Adobe in order to be able to display them correctly on your end device. In doing so, your browser establishes a connection to Adobe's servers in the USA. This enables Adobe to know that our website has been accessed via your IP address. According to Adobe, no cookies are stored when providing the fonts. Adobe is certified in accordance with the EU-US Privacy Shield. The Privacy Shield is an agreement between the United States of America and the European Union that is intended to ensure compliance with European data protection standards. More information can be found at: https: //www.adobe.com/de/privacy/eudatatransfers.html. The use of Adobe Typekit Web Fonts is necessary to ensure a consistent typeface on our website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
You can find more information about Adobe Typekit Web Fonts at: https: //www.adobe.com/de/privacy/policies/typekit.html. You can find Adobe's data protection declaration at: https: //www.adobe.com/de/privacy/policy.html.
miha bodytec LogX Software
The miha bodytec training devices can communicate with the miha bodytec LogX software via a hard-coded access device ("Access Point") to be purchased by the customer. This is an online platform for the optimal commercial use of the miha bodytec training devices.
The miha bodytec LogX software processes the following data:
- Master data collected by the EMS - operator (name, date of birth, address and contact details, duration of my training contract, etc.)
- Training data (settings of the training devices and data collected during the use of the devices, such as time and scope of the training)
- Voluntary information provided by the trainee (e.g. height, weight, blood pressure, injuries, medication, training goals and the like)
- The trainee can also provide additional information at any time at his or her own discretion: for example, training results and ratings of the training.
6. HOW DO WE HANDLE COOKIES? WHAT CAN YOU SET IN RELATION TO COOKIES?
Some of the Internet pages use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.
Most of the cookies we use are so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your terminal device until you delete them. These cookies enable us to recognise your browser on your next visit.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.
Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping cart function) are stored on the basis of Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. Insofar as other cookies (e.g. cookies to analyse your surfing behaviour) are stored, these will be dealt with separately in this data protection declaration.
7. DOES MIHA BODYTEC SHARE PERSONAL DATA WITH THIRD PARTIES? WHO RECEIVES YOUR DATA?
We may share your personal information with third parties. Such a transfer of data may be necessary if it is required in the context of the processing of the contract, for example to the companies entrusted with the delivery of the goods or to the credit institution entrusted with the processing of payments. Furthermore, data transfer may be necessary to enable you to access our services, to comply with our legal obligations, to enforce our General Terms and Conditions, to carry out our marketing and advertising activities and to prevent, detect, contain and investigate fraud or illegal activities in connection with our services. No further transfer of data will take place or will only take place if you have expressly consented to the transfer.
We never pass on your personal data to third parties for their marketing and advertising purposes without your express consent.
8. HOW IS THE DATA ENCRYPTED AND SECURED?
Miha bodytec secures its processes and websites by technical and organisational measures against loss, destruction, access, alteration or distribution of your data by unauthorised persons, however, no one can guarantee absolute protection.
For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator, our pages use SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Encrypted payment transactions in our online shop
If, after the conclusion of a contract with costs, there is an obligation to transmit your payment data to us (e.g. account number in the case of direct debit authorisation), this data is required for payment processing.
Payment transactions via the common means of payment (Visa/MasterCard, direct debit) are made exclusively via an encrypted SSL or TLS connection. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
With encrypted communication, your payment data that you transmit to us cannot be read by third parties.
All servers on which miha bodytec customer data is stored are located within the European Union. Miha bodytec only transmits personal data in encrypted form.
9. HOW LONG WILL YOUR DATA BE STORED?
We adhere to the principles of data avoidance and data economy. We therefore only store your personal data for as long as is necessary to provide the service you have requested or ordered, i.e. generally for as long as there is a contractual relationship with you and/or you have given your consent. After the respective processing purpose has ceased to exist or in the event of the termination/termination of a contractual relationship or after your consent has been revoked, the corresponding data will be blocked or deleted by miha bodytec, insofar as further storage is not required due to statutory retention periods (in accordance with the provisions of the German Commercial Code), which we must comply with.
10. WILL DATA BE TRANSFERRED TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION?
Servers on which miha bodytec stores customer data are located within the European Union / European Economic Area (EEA).
We will inform you separately about any exceptions. In this context, we refer in particular to point 5. information on the newsletter and consent.
11. WHAT RIGHTS DO YOU HAVE?
Every data subject has the right to information according to Art. 15 of the GDPR, the right to rectification according to Art. 16, the right to erasure according to Art. 17, the right to restriction of processing according to Art. 18, as well as the right to data portability from Art. 20. For the right to information and the right to erasure, the restrictions according to §§34 and 35 of the BDSG apply. In addition, there is a right of appeal to a data protection authority (Art. 77 in conjunction with § 19 BDSG).
12. TO WHAT EXTENT IS YOUR DATA USED FOR PROFILING OR FOR AUTOMATED DECISION-MAKING?
As a matter of principle, we do not use automated decision-making pursuant to Art. 22 DS-GVO for the establishment and implementation of the business relationship. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.
There is also no "profiling" of us. Profiling means any kind of automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location. Examples of such profiling include, but are not limited to, the analysis of data (e.g. based on statistical methods) with the aim of displaying personalised advertising to the user or providing job advertisements.
13. WHAT DO WE PROCESS YOUR DATA FOR (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS?
Art. 6 I lit. a DSGVO serves as the legal basis for our company for processing operations in which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b DSGVO. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in the case of enquiries about our products or services.
If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c DSGVO.
In rare cases, the processing of personal data might become necessary in order to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance details or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d DSGVO.
Finally, processing operations could be based on Art. 6 I lit. f DSGVO. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, sentence 2 of the GDPR). Similarly, the processing of personal data for the purposes of direct marketing may be considered as a processing serving a legitimate interest (Recital 47, 7th sentence, GDPR).
15. HOW YOU CAN CHANGE AND DELETE YOUR DATA: YOUR REVOCATION OPTIONS
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if applicable, a right to correction, blocking or deletion of this data. You can contact us at any time at the address given in the imprint for this purpose and for further questions on the subject of personal data.
If you ask us to delete your personal data, we will comply with this request without delay. However, in individual cases this may require us to terminate your use of the data. Furthermore, we may - insofar as this is legally permissible - merely block data (e.g. because we are legally obliged to retain it).
16. INFORMATION ABOUT YOUR RIGHT TO OBJECT ACCORDING TO ART. 21 OF THE GDPR:
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.