Privacy Notice when you make a purchase

This Privacy Notice fulfills the obligation to provide information pursuant to Article 13 et seq. of the General Data Protection Regulation (GDPR) where personal data is collected in connection with the conclusion of a contract via our website.

1. Name and contact details of the data controller:

CARFAX Europe GmbH Barthstraße 2-10 80339 Munich, Germany Email: info@carfax.eu

(hereinafter referred to as "CARFAX", "we", "us").

2. Contact details of the data protection officer:

Martin Holzhofer Holzhofer Consulting GmbH Lochhamer Str. 31 82152 Planegg, Germany Tel.: +49 89 125 01 56 00 Email: privacy@carfax.eu

Website: https://www.holzhofer-consulting.de/index_en.php

3. Purposes and Legal Basis for Personal Data Processing

3.1. Performance and management of contracts with consumers (Article 6(1)(b) GDPR)

To perform and fulfill an existing contractual relationship, in particular to provide the contracted services (e.g. purchase and subsequent provision of vehicle history reports, invoicing), we – and possibly also our commissioned third parties and processors – shall process the following data belonging to you that you share with us upon the conclusion or during the performance of the Agreement:

Personal details (email address)
Vehicle identification number (VIN) or license plate number
Payment details

If an invoice is requested, we – and possibly also our commissioned third parties and processors – shall also process the following data belonging to you:

Name
Address
Country

The legal basis is Article 6(1)(b) GDPR. Under this provision, the processing is necessary for the performance of a contract to which the data subject is a party.

3.2. Performance and management of contracts with business customers (Article 6(1)(f) GDPR)

contact details of a contact person for the organization of the business customer:

last name, first name or company/organization and if applicable, the department within the organization
business address
business email

In the case of a sole proprietor, where applicable:

company name (including last name and first name)
business address
business email
payment details
tax ID/ VAT ID
Vehicle identification number (VIN) or license plate number

For invoicing, monitoring and collection of receivables for products and services, we may process the contact details of contact persons in Accounting and other persons entrusted with these processing operations.

The legal basis for processing your data is our legitimate interest as per Article 6(1)(f) GDPR. An analysis of the interests concluded that the interests of the data subjects do not outweigh our interests in the performance and fulfillment of agreements with our business customers. At present we have a legitimate interest in the performance and management of our contractual obligations to our business customers, which requires the processing of the data and data categories listed here.

3.3. Creating a customer account and guest access (guest checkout)

You can also create a customer account with us by filling out the corresponding registration form within the purchase process.

The following data or data categories are collected and processed:

Email address
Password

We will store the information collected during the registration process throughout the period you are registered on our website. Your data will be deleted if you cancel your registration. Statutory retention periods remain unaffected.

The legal basis for processing your data is our legitimate interest as per Article 6(1)(f) GDPR. After weighing up the interests on both sides, we have reached the conclusion that the interests of the data subject do not outweigh our interests in data processing. In the present case, we have a legitimate interest in providing a customer portal for our customers for the use of certain functions and offers, for which the processing of the data and data categories mentioned here is necessary.

On our website, you can also purchase a vehicle history (1 CARFAX) as part of the purchase process without creating a customer account with us.

Only your email address will be collected and processed.

We generally store the data collected during guest access for the duration of the contract. Data that is no longer required after the contract has been fulfilled (in particular your email address) will be deleted immediately. Statutory retention periods remain unaffected.

The legal basis for this processing of your data is Art. 6(1)(b) GDPR (in the case of contracts with natural persons) or Art. 6(1)(f) GDPR (for contracts with legal entities). Accordingly, the processing is necessary for the fulfillment of a contract.

After weighing up the interests on both sides, we have come to the conclusion that the interests of the data subjects do not outweigh our interests in fulfilling the contracts, providing that the legal basis for processing is in our legitimate interest pursuant to Art. 6(1)(f) GDPR. At present, we have a legitimate interest in the performance and management of our contractual obligations to our business customers, which requires the processing of the data and data categories listed here.

3.4. Further data processing on the basis of legitimate interests (Article 6(1)(f) GDPR)

In consideration of your rights and freedoms, processing will be carried out beyond the scope of actual performance of the contract if this is necessary for the purposes of a legitimate interest on our part and this is not overridden by your interests, fundamental rights and fundamental freedoms, which require protection of personal data.

This will occur, for example, for the establishment of legal claims and defense in case of legal disputes.

Use of your email address for the sending of direct advertising

Unless you have opted out, we will use the email address we received from you in the context of selling a service to send you promotional material via electronic means about our services which are similar to those you have already purchased from us. You may opt out of your email address being used at any time by notifying us that you wish to do so. The contact details to be used for opting out can be found in the legal notice. You can also use the link provided in the promotional email. There will be no charges beyond the basic tariffs associated with communicating in these ways.

4. Obligation to provide the data

It is mandatory to provide an email address, VIN or registration number and payment information for the chosen method of payment. If you do not provide us with this information, it will not be possible to conclude a contract with us.

5. Automated decision-making including profiling

CARFAX Europe GmbH shall only employ automated individual decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR in the event a contract is concluded during the order process as part of a credit check and scoring by the payment service provider Adyen N.V. This will be done on the basis of Article 22(2)(a) GDPR and is therefore necessary in order to conclude the contract between you and us.

6. Data transfer to a third country

Data is transferred to countries outside the EU and the European Economic Area ("third countries") as part of administering, developing and operating IT systems. Data shall only be transferred on the basis of:

an adequate decision of the European Commission under Article 45 GDPR;
an approved certification mechanism pursuant to Article 42 GDPR together with legally binding and enforceable obligations on the part of the controller or the processor in the third country;
standard data protection clauses issued by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR.

At present, in the context of a contract being concluded via our website, data will be transmitted to countries outside the EU and the European Economic Area ("third countries") in the following case:

VIN is forwarded to our parent company CARFAX Inc., 5860 Trinity Parkway, Suite 600, Centerville, VA 20120 in the USA only when there is no data in our own database and thus to give you total access to the global database.
Privacy policy notice for the use of Google reCaptcha

In the order form, we use the reCAPTCHA function from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). This function is used primarily to distinguish whether an input is being made by a natural person or is misuse by machine and automated processing, for example, by a bot or other spam software. By spam, we mean any unsolicited, unwanted information sent electronically. The reCAPTCHA is therefore used to secure our website and ultimately also for your security.

The reCAPTCHA service is a JavaScript element integrated into the source text and the application runs in the background and analyzes your user behavior.

With classic CAPTCHAS, you generally have to solve a text or image puzzle for verification or check a box to confirm that you are not a bot.

With the new invisible reCAPTCHA version, you no longer have to check a box. Rather, the entire recognition process and the corresponding risk analysis run in the background. Google does not disclose exactly which data it collects and stores in this process. We currently are using both reCaptcha versions on our website. The classic reCAPTCHA is only used as a fallback solution if the invisible reCAPTCHA identifies a user as a bot in order to still give real users the opportunity to access the website.

According to our information, the following information is collected in relation to your terminal and your browser and transmitted to Google:

Referrer URL (the address of the site from which the visitor is coming)
User’s IP address
User’s operating system
Mouse and keyboard behavior
Language set in the browser
Screen and window resolution
Timezone
Installation of browser plugins
Limited location and usage data

Furthermore, Google reCAPTCHA also uses cookies (small text files in which your data is stored in your browser).

The Captcha window uses "Google Fonts" for the visual display, i.e. the fonts loaded from the Internet by Google. There is no processing of information other than that mentioned above, which is already transmitted to Google via the functionality of reCAPTCHA.

The use of Google reCAPTCHA occurs in accordance with Article 6(1)(f) of the GDPR based on our legitimate interest in establishing individual ownership on the Internet and preventing misuse and spam, and thereby ensuring the security of our website. Information is stored and accessed in accordance with Article 25 (1 and 2) TTDSG (Telekommunikation-Telemedien-Datenschutzgesetz — German Telecommunications and Telemedia Data Protection Act).

As part of this use of Google reCAPTCHA, personal data may be transmitted to the server at Google LLC. in the USA. For the USA, the European Commission has issued an adequacy decision according to Article 45(3) GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. The service provider Google is certified under the DPF and thus committed to complying with European data protection principles.

For further information on data privacy at Google, please visit: https://www.google.com/intl/de/policies/privacy/

Further information on Google reCAPTCHA can be read on the Google web developer’s page at https://developers.google.com/recaptcha?hl=de:

7. Recipients of data and data sources

7.1. Categories of data recipient

To the extent permitted by law, we share personal data, or data that can be used to identify persons, with external service providers:

Banks and payment service providers for billing and payment transactions (Adyen N.V., the Netherlands).

In order to process the personal data for the purposes mentioned here, we appoint the following categories of recipients as data processors as defined in Article 28 GDPR: Software service providers for the provision and use of our billing software (easybill, Germany)

All personal data we collect will only be processed and used for the purpose of fulfilling and processing your order as well as for handling your inquiries. In addition, your personal data will only be shared with or transmitted to third parties as far as this is necessary for the purposes of processing the contract, in particular to our service partners, who are required in order to process the contractual relationship. In these cases, we strictly observe the requirements of the GDPR and the Bundesdatenschutzgesetz (German Federal Data Protection Act). The data transfer will be limited to a minimum.

In addition, we will only share your personal data with third parties if you have expressly consented to this. You have the right to withdraw your consent at any time with effect for the future.

Your data will also be shared as far as we are legally obliged to do so.

7.2 Summary of Payment Service Providers

Privacy notice regarding the use of Adyen

On our website, you have the option to pay by credit card or debit card. The payment service provider is payment gateway provider Adyen B.V., Simon Carmiggeltstraat 6—50, 5th Floor, 1011 DJ Amsterdam, the Netherlands (hereinafter “Adyen”). As part of the checkout process, the Adyen service verifies your credit card details and approves the payment. We receive confirmation that the details are correct and the payment process is complete.

If you select this payment method, Adyen shall be the controller that is responsible under privacy law for processing your data because Adyen handles the payments directly with the customers, which means it does not process the payment data based on instructions.

If the described communications to Adyen involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy at Adyen, please visit: https://www.adyen.com/policies-and-disclaimer/privacy-policy

Privacy notice regarding the use of Google Pay

On our website, you have the option to pay using payment service provider Google Pay. The payment service provider is Google Inc. LLC (1600 Amphitheater Parkway, Mountain View, CA 94043, USA).

If you select this payment method, Google shall be the controller that is responsible under privacy law for processing your data because Google handles the payments directly with the customers, which means it does not process the payment data based on instructions.

In this case, the payment details you entered are provided to Google. Payment using the Google Pay app on your mobile terminal device charges a bank card stored with Google Pay or a payment system verified by Google Pay (such as PayPal). For this purpose, Google also receives the details you entered during the ordering process and information on your order. Google then transfers your payment details stored in Google Pay back to the original website in the form of a unique transaction number, which is used to verify a completed payment. This transaction number does not contain any information on the actual payment details you entered in Google Pay. Rather, it is created and sent as a single-use digital token.

Google reserves the right to collect, store and analyze certain transaction-specific information on any transaction carried out using Google Pay. This generally includes:

Transaction date, time and amount
Merchant location and description
Merchant’s description of the purchased goods or services
Name, address and email of the buyer and seller
Payment method used
Any photos you attached to the transaction
Any description of the reason for the transaction and the offer associated with the transaction

In its Privacy Notice, Google also reserves the right to disclose the collected data to third-party service providers and affiliates.

Processing of the aforementioned data is neither legally nor contractually obligatory. Disclosure of these personal data is however necessary in order to pay using Google Pay. Nevertheless, you always have the option to select a different payment method.

Google also processes your data in the United States. For the USA, the European Commission has issued an adequacy decision according to Article 45(3) GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. The service provider Google is certified under the DPF and thus committed to complying with European data protection principles.

If the described communications to Google involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy and Google Pay, please visit: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en

Privacy notice regarding the use of BLIK (only available on the Polish version of our website)

On our website, we offer the option to pay using BLIK, a service of Polski Standard Płatności sp. z o.o., ul. Czerniakowska 87A, 00-718 Warsaw, Poland.

The BLIK system is embedded in and used as part of your mobile banking app. You enter the BLIK code and confirm the transaction with your PIN in the banking app. You do not need to log into your online banking or provide any bank card details.

If you select this payment method, Polski Standard Płatności sp. z o.o. shall be the controller that is responsible under privacy law for processing your data because BLIK handles the payments directly with the customers, which means it does not process the payment data based on instructions.

This data processing by BLIK is neither legally nor contractually obligatory. Disclosure of these personal data is however necessary in order to pay using BLIK. Nevertheless, you always have the option to select a different payment method.

If the described communications to BLIK involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy at BLIK, please visit:

https://blik.com/media/PRIVACY_POLICY_AND_COOKIES_POLICY.pdf

Privacy notice regarding the use of PayPal

On our website, we offer the option to pay using payment service provider PayPal (PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg and/or PayPal Inc., 2211 N 1st St., San Jose, CA 95131, United States). PayPal is an online payment service provider. It processes payments using what are known as “PayPal accounts”, which are virtual personal or corporate accounts. In addition, PayPal offers the option to make virtual payments using credit cards if a user does not have a PayPal account.

If you select this payment method, PayPal shall be the controller that is responsible under privacy law for processing your data because PayPal handles the payments directly with the customers, which means it does not process the payment data based on instructions.

In this process, PayPal collects or otherwise receives the following data:

Users who want to register with PayPal must first link an existing bank account to PayPal. To set up their account, they must enter their country of origin, first and last name, email and password.

If businesses use PayPal as a payment option, the software collects information on the transactions. This generally includes

the payment amount
user device details (such as IP address)
technical usage data, and
geolocation data on the user.

PayPal also reserves the right to collect personal data on the purchaser. According to PayPal, this could include

First and last name
Address
Phone number
Email, and
Account number.

For various services, such as payment by direct debit, PayPal runs a credit check to ensure your willingness and ability to pay. For this purpose, it discloses your details (name, address, date of birth, bank account details) to credit agencies. We have no influence over this process and only receive the result of whether the payment was processed or denied or is pending verification.

Processing of the aforementioned data is neither legally nor contractually obligatory. Disclosure of these personal data is however necessary in order to pay using PayPal. Nevertheless, you always have the option to select a different payment method.

PayPal may also process your data in the United States. Please note that the European Court of Justice has found that the United States currently lacks an adequate level of data protection. For data subjects, this may involve various risks related to data processing security.

If the described communications to PayPal involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy at PayPal, please visit: https://www.PayPal.com/en/webapps/mpp/ua/privacy-full

Privacy notice regarding the use of Klarna (only available on the Swedish version of our website)

On our website, we offer payment options using the company Klarna AB. Klarna is a Swedish online payment service provider. It processes payments for store operators. Klarna also provides other services, such as buyer protection and identity and credit checks.

In the ordering process, if you choose the ‘Klarna Financing’ or ‘Klarna Pay in 30 days’ service by Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden, as the payment option, Klarna automatically receives the personal data needed to complete the Financing purchase or ‘Pay in 30 days’ purchase and conduct any identity or credit checks.

If you select one of these payment methods, Klarna shall be the controller that is responsible under privacy law for processing your data because Klarna handles the payments directly with the customers, which means it does not process the payment data based on instructions.

In this process, Klarna collects or otherwise receives the following data:

first and last name
title
address
date of birth
gender
email
IP address
phone number
cell phone number

In addition, this also includes data needed to process a Financing purchase and data related to the order, such as

quantity
article number
invoice amount and tax rate
billing information
bank details
card number, expiration date, CCV code
information on the goods/services
historical information
information on your past purchases
payment history
any denied payments
financial information
information on any debts and payment notes
information on your interaction with Klarna Checkout
website loading times
download errors and methods used to exit the displayed page
information on electronic communication
confirmations of receipt
device details
geographic information

Klarna also needs some of these data to obtain information from credit agencies for the purposes of identity and credit checks. Please note that we do not have any influence over this process. In addition, Klarna may disclose your personal data to other companies in the Klarna Group, service providers and subcontractors where necessary to meet its contractual obligations to you or to these parties. For a list of the credit agencies Klarna uses, please visit: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/en_uk/credit_rating_agencies

In its decision to conclude, perform or terminate a contractual relationship, Klarna states that it also collects and uses information on the past payment behavior of the purchaser and probability values for this behavior in the future. To calculate these scores, Klarna uses scientifically proven mathematical and statistical methods. For this, Klarna uses information such as your address details. If this calculation finds that your credit rating is insufficient, Klarna will notify you of this immediately.

Klarna states that it stores the data only for as long as needed for the specific purpose of the processing.

Processing of the aforementioned data is neither legally nor contractually obligatory. Disclosure of these personal data is however necessary in order to pay using Klarna. Nevertheless, you always have the option to select a different payment method.

Klarna may also process your data in the United States. Please note that the European Court of Justice has found that the United States currently lacks an adequate level of data protection. For data subjects, this may involve various risks related to data processing security.

If the described communications to Klarna involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy, such as which data are collected for which purposes, please visit: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/en_us/privacy

Privacy notice for the use of iDEAL (only available on the Dutch version of our website)

On our website, we offer the option to pay using iDEAL, a service of Currence Holding B.V, Gustav Mahlerplein 33-35, 1082 MS Amsterdam, the Netherlands. iDEAL offers a direct and secure payment method by bank transfer. Customers choosing to pay using iDEAL must log into their iDEAL account to confirm the payment. Customers can only pay with iDEAL if they have access to online banking with a participating Dutch bank. Customer choosing to pay with iDEAL are redirected to one of the participating Dutch banks.

If you select this payment method, Currence Holding B.V. shall be the controller that is responsible under privacy law for processing your data because iDEAL handles the payments directly with the customers, which means it does not process the payment data based on instructions.

If you pay using iDEAL, iDEAL collects various transaction details and forwards them to your selected bank. Aside from the data needed for the payment, iDEAL may also collect other data in the transaction process.

Processing of the aforementioned data is neither legally nor contractually obligatory. Disclosure of these personal data is however necessary in order to pay using iDEAL. Nevertheless, you always have the option to select a different payment method.

If the described communications to iDEAL involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy at iDEAL, please visit: https://www.ideal.nl/en/disclaimer-privacy-statement/

Privacy notice regarding the use of Apple Pay

Our website also uses online payment service provider Apple Pay. The provider of the Apple Pay method is Apple Inc. (Infinite Loop, Cupertino, CA 95014, USA).

If you select this payment method, Apple shall be the controller that is responsible under privacy law for processing your data because Apple handles the payments directly with the customers, which means it does not process the payment data based on instructions.

In this case, the payment details you entered are provided to Apple. Payment using the Apple Pay function on your mobile terminal with iOS, watchOS or macOS charges a bank card stored with Apple Pay. For the purposes of payment processing, Apple encrypts and forwards the data you enter in the order process and the information on your order. Apple then encrypts these data again with a developer-specific key before transferring the data to the payment service provider for the bank card stored in Apple Pay, to complete the payment. The encryption ensures that only the website used to make the purchase can access the payment details. After payment, Apple sends the account number of your device and a transaction-specific, dynamic security code to the original website, to confirm successful payment.

Apple reserves the right to retain anonymized transaction data, including the approximate amount of the purchase, the approximate date and approximate time, and whether the transaction was successfully completed. Apple uses the anonymized data to improve Apple Pay and other Apple products and services.

If you use Apple Pay on an iPhone or Apple watch to complete a purchase made over Safari on a Mac, the Mac and the authorization device communicate over an encrypted channel on Apple servers. Apple does not process or store any of these data in a form that could identify you personally. In your iPhone settings, you can disable the option to use Apple Pay on your Mac. For this, go to “Wallet & Apple Pay” and uncheck “Allow Payments on Mac”.

Processing of the aforementioned data is neither legally nor contractually obligatory. Disclosure of these personal data is however necessary in order to pay using Apple Pay. Nevertheless, you always have the option to select a different payment method.

Apple also processes your data in the United States. Please note that the European Court of Justice has found that the United States currently lacks an adequate level of data protection. For data subjects, this may involve various risks related to data processing security.

If the described communications to Apple involve the processing of personal data, this shall only be performed for the purposes of payment processing, which falls under performance of a contract as per Article 6(1)(b) GDPR (for contracts with individuals) or as per Article 6(1)(f) GDPR (for contracts with legal entities).

For further information on data privacy and Apple Pay, please visit https://support.apple.com/en-us/HT203027

7.3. Data sources

We will process personal data we have received from you over the course of our business relations. As far as this is necessary in order to provide our service, we process personal data that we duly obtain from publicly accessible sources (records of debtors, land registers, trade and association registers, press, Internet) or that we are legitimately sent by other third parties (a credit agency or an address service provider).

8. Retention period and criteria for determining such period

We will store your data for the term of the existing contract and, once the contract entered into with you has ended, for a period until the statutory retention obligations expire. We will anonymize or delete this data again once the statutory retention obligations, which primarily reflect commercial and tax law (in particular Section 147 of the Abgabenordnung (German Fiscal Code) and Section 257 of the HGB (German Commercial Code)), have expired.

We will store your data for advertising purposes until you object to such use or we are no longer permitted by law to send promotional material to you. We will store your other data as long as we need it to fulfill the specific purpose (such as performance or processing of the contract) and will delete it once the purpose ceases to apply.

9. Information about your rights as a data subject

CARFAX Europe GmbH, Barthstraße 2-10, 80339 Munich, Germany, is responsible for processing your data, unless otherwise stated.

You can obtain information from us at any time (Article 15 GDPR) regarding the data stored about you and request that it be rectified (Article 16 GDPR) where there are errors. You can also request that processing be restricted (Article 18 GDPR), request that data you give us be provided (Article 20 GDPR) in a machine-readable format (data portability) or that your data be erased (Article 17 GDPR) provided it is no longer required.

Furthermore, you have the right to object to the use of your data, which is based on public or legitimate interests (Article 21 GDPR), at any time.

If we process your data on the basis of your consent, you may withdraw this consent at any time with effect for the future (Article 7(3) GDPR). Once we have received your withdrawal, we will no longer process your data for the purposes covered by the consent.

If you wish to exercise your rights as a data subject, please contact:

CARFAX Europe GmbH Barthstraße 2-10 80339 Munich, Germany privacy@carfax.eu

10. Right to lodge a complaint with a supervisory authority

In addition, you can contact a supervisory authority at any time to lodge a complaint. The Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), P.O. Box 1349, 91504 Ansbach, Germany, is the competent authority for us. Alternatively, you can contact your local supervisory authority.

Munich, January 2024