• DE
  • EN
    • Login

    Privacy policy

    Status: July 2023

    This English version of the Privacy Policy is provided for convenience only.
    The German version is legally binding.

    Data protection is very important to us and your trust is our highest priority. Therefore, we always treat your personal data confidentially and, of course, comply with all applicable statutory data protection regulations. We process your personal data only to the extent permitted by law or if you have given us your consent.

    In this Privacy Policy you will learn:

    • how we handle personal data on the internet,
    • which information about visitors to our website and customers of our online shop is collected and evaluated,
    • whether and how this information is used, shared, or otherwise processed.

    This Privacy Policy applies to your visit to our website https://proxyriders.com.

    1. Controller responsible for data processing

    The controller within the meaning of Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is:

    ProxyRiders GmbH
    Bavariafilmplatz 7, Gebäude 109
    82031 Grünwald

    Contact: hello@proxyriders.com

    Managing Directors: Jochen Plinta, Florian Schöppe

    2. Data protection contact details

    We have not appointed a Data Protection Officer, as we are not legally required to do so. For all matters relating to data protection, please contact us at datenschutz@proxyriders.com.

    3. Definitions

    3.1 Personal data

    Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

    This can include any data that can be related to you personally, e.g., name, address, email addresses, user behavior.

    3.2 Data subject

    A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

    3.3 Processing

    Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

    3.4 Restriction of processing

    Restriction of processing means marking stored personal data with the aim of limiting its processing in the future.

    3.5 Profiling

    Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

    3.6 Pseudonymization

    Pseudonymization means processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.

    3.7 Controller / person responsible for processing

    The controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

    3.8 Processor

    A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

    3.9 Recipient

    A recipient is a natural or legal person, public authority, agency, or another body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

    3.10 Third party

    A third party is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

    3.11 Consent

    Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.

    3.12 Payment service providers

    Payment service providers are used for processing payments in connection with contracts that a data subject enters into with the controller.

    4. General information

    4.1 Type and scope of data collection

    When accessing our website or retrieving a file provided on our website, data is collected and processed. As a rule, this takes place only insofar as it is necessary to provide a functional website as well as its content and services. Furthermore, personal data is generally collected and used only with the consent of the data subject. An exception applies in cases where obtaining prior consent is not possible for factual reasons and processing is permitted by law.

    4.2 Legal bases

    If we obtain the data subject’s consent for processing operations, Art. 6(1)(a) GDPR serves as the legal basis.

    If personal data is processed to perform a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract, Art. 6(1)(b) GDPR serves as the legal basis.

    If processing is necessary to comply with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.

    If processing is necessary in order to protect vital interests of the data subject or of another natural person, Art. 6(1)(d) GDPR serves as the legal basis.

    If processing is necessary for the purposes of legitimate interests pursued by our company or by a third party, and the interests, fundamental rights and freedoms of the data subject do not override those interests, Art. 6(1)(f) GDPR serves as the legal basis.

    4.3 Data erasure and storage duration

    We will erase personal data processed for our own purposes as soon as knowledge of it is no longer necessary for fulfilling the purpose of storage. Erasure is replaced by blocking where statutory, regulatory, or contractual retention obligations prevent erasure or where there is reason to assume that erasure would impair legitimate interests of the data subject or where erasure is not possible or only possible with disproportionate effort due to the specific type of storage. Data will then be erased when the retention period required by the aforementioned provisions expires, unless continued storage is necessary for concluding or fulfilling a contract.

    All time limits begin at the end of the year in which the continuing obligation ends or the contract has been fully performed by both parties. If data is collected and stored for another process, the necessary period until erasure depends on the duration required to fulfill the relevant tasks and obligations.

    In addition, you can have your data blocked, corrected, or deleted at any time. Data will also be erased if you withdraw your consent to the collection, processing, and use of personal data. If withdrawal occurs during an ongoing business transaction, the data will be erased immediately after completion of that transaction.

    Further statutory obligations to erase or block data remain unaffected.

    4.4 Data transfers

    Your data will only be transferred to third parties if we are legally obliged to do so, if transfer is required for the performance of the contractual relationship, or if you have expressly consented to the transfer beforehand.

    External service providers and partner companies, such as our online payment provider, receive your data only insofar as this is necessary to process your order. In these cases, the scope of transferred data is limited to the minimum required. Please also note the privacy notices of the respective providers. The respective service provider is responsible for the content of third-party services; within the limits of reasonableness, we review services for compliance with legal requirements.

    If our service providers come into contact with your personal data and act as processors within the meaning of Art. 28 GDPR, we ensure by means of a corresponding data processing agreement that they comply with data protection regulations in the same way.

    We endeavor to process your data within the EU/EEA. However, it may happen that we use service providers who process data outside the EU/EEA. In such cases, we ensure that an adequate level of data protection is established at the recipient prior to the transfer of your personal data. This means that, via EU standard contractual clauses or an adequacy decision such as the Trans-Atlantic Data Privacy Framework (TADPF), a level of data protection comparable to EU standards is achieved.

    In particular, the following categories of recipients may be considered:

    • Data protection supervisory authorities of the federal and state governments or of an EU Member State
    • Courts
    • Where applicable, lawyers; in the event of criminally relevant misuse, law enforcement authorities
    • Web analytics services
    • Hosting service providers
    • Cookie consent tool service providers

    4.5 Information about obligations of the data subject to provide data

    When using our website, you are under no statutory or contractual obligation to provide data.

    4.6 Automated decision-making including profiling

    Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.

    4.7 Data security

    We have implemented extensive technical and operational safeguards to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security procedures are reviewed regularly and adapted to technological progress.

    5. Provision of the website

    5.1 Type, scope and purpose of processing

    When using the website for informational purposes only (i.e., if you do not register or otherwise provide information), we collect only the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website and to ensure stability and security.

    Each time a user accesses a page from our website offering, access data is stored in a log file on our server. This data includes, for example:

    • browser type and version,
    • operating system used,
    • the page from which the data was requested (referrer URL),
    • content of the request (specific page),
    • IP address of the requesting computer, possibly anonymized,
    • date and time of the server request,
    • file name and URL,
    • amount of data transferred,
    • access status (file transmitted, file not found, etc.),
    • access method (GET, POST),
    • session ID,
    • language

    This data is evaluated exclusively for statistical purposes. It is not passed on to third parties for commercial or non-commercial purposes. The operator may store server log files for longer, disclose them, or access them subsequently only if permitted within the legal framework (e.g., in the event of suspected unlawful activities).

    We cannot draw any immediate conclusions about your identity from the data in the log file. This data is stored temporarily in the log file.

    5.2 Legal basis

    The legal basis for this processing is Art. 6(1)(f) GDPR.

    This data is technically required for us to display and provide our website.

    5.3 Storage duration

    For security reasons (e.g., to investigate misuse or fraud), the data is stored for a maximum period of 14 days and then deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the incident has been fully clarified.

    For this purpose, the full IP address of the requesting computer is recorded, stored, and automatically anonymized seven days after the end of access.

    The collection of the aforementioned data is mandatory for operating the website. Therefore, the user has no possibility to object.

    5.4 Processors

    Data processing in the context of hosting services is carried out by our service provider Hetzner Online GmbH, Industriestr. 25, D-91710 Gunzenhausen, on servers located within the Federal Republic of Germany.

    5.4.1.

    For data processing for marketing purposes, we use the service provider biz2byte Service GmbH, Bavariafilmplatz 7, Gebäude 109, 82031 Grünwald.

    5.4.2.

    To obtain and manage your consents with regard to cookies, we use the service provider Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany.

    5.4.3.

    These service providers process personal data on our behalf and according to our instructions as so-called processors pursuant to Art. 28 GDPR. Corresponding data processing agreements have been concluded.

    6. Cookies

    6.1 Type, scope and purpose of processing

    In addition to the data mentioned above, cookies are stored on your computer when you use our website. Cookies are stored on your hard drive for the duration of your visit and assigned to the browser you are using. Depending on your browser settings, the cookies may be deleted when you close the browser. Cookies cannot execute programs or transmit viruses to your computer. They are used to make the website offering more user-friendly, effective and secure overall.

    Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters through which websites and servers can be assigned to the specific internet browser in which the cookie is stored. This enables websites and servers to distinguish the individual browser of the data subject from other browsers that contain other cookies. A specific browser can be recognized and identified via the unique cookie ID.

    Most browsers are set to accept cookies automatically. You can configure your browser settings according to your wishes and, for example, reject the acceptance of third-party cookies or all cookies. Saving cookies can be completely disabled, or the browser can be set to notify you whenever cookies are sent. However, certain features of the website may then not work or may work only to a limited extent.

    You can manage cookies in common browsers here:

    Google: https://support.google.com/chrome/answer/95647?tid=311853917
    Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac?tid=311853917
    Firefox: https://support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschen?tid=311853917

    We use technically necessary cookies to make our offering more user-friendly, effective and secure. Technically necessary cookies are not strictly required to display the website. However, certain functions of the website, such as shopping cart, contact form, etc., cannot be used properly without these cookies. Therefore, the user has no right to object; these cookies can be deactivated by adjusting the respective browser settings. For example, we use cookies to identify you for subsequent visits if you have an account with us. Otherwise, you would have to log in again for each visit.

    In addition, we use cookies that enable an analysis of the browsing behavior of our website visitors (so-called analytics cookies). Cookies for reach measurement collect information about the way our website is used, e.g., page views or error messages. The use of analytics cookies serves to improve the quality of our websites and their content. Through analytics cookies we learn how the website is used and can thus continuously optimize our offering.

    The legal basis for the use of technically necessary cookies is our legitimate interest pursuant to Art. 6(1)(f) GDPR; the legal basis for all other cookies is your consent pursuant to Art. 6(1)(a) GDPR. You provide this consent by making an appropriate selection in our cookie banner at the beginning of your visit to our website.

    6.2 Transient cookies

    Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID with which various requests from your browser can be assigned to the same session. This allows your device to be recognized when you return to our website. Session cookies are deleted when you log out or close the browser.

    6.3 Persistent cookies

    Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie. You can delete cookies at any time in your browser’s security settings.

    6.4 Individual presentation of the cookies used

    A detailed presentation of the cookies and their storage duration can be found here.

    7. Contact via web form or email

    7.1 Contact form

    If you provide us with your personal data as part of an inquiry via our contact form, we use this data exclusively for the purpose for which you provided it.

    The data you provide (first name, last name, email address, optionally company) is stored by us in order to answer your questions. To the extent we request input via our contact form that is not necessary for contacting you, we always mark this as optional. This information helps us to specify your inquiry and to handle your request more efficiently.

    We delete the data arising in this context after storage is no longer necessary, or restrict processing if statutory retention obligations exist.

    At the time the message is sent, the following data is also stored:

    • the user’s IP address
    • date and time of registration

    Processing of personal data from the input form serves us solely for handling the contact request. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our IT systems.

    If the data is processed for the performance, initiation or termination of a contractual relationship, the legal basis is Art. 6(1)(b) GDPR; in all other cases, by using the contact form you grant us your consent pursuant to Art. 6(1)(a) GDPR.

    7.2 Email

    Alternatively, you can contact us via the email address provided. In this case, the personal data transmitted with the email will be stored.

    In this context, the data is not passed on to third parties. The data is used exclusively for processing the correspondence.

    The legal basis for processing data transmitted in the course of sending an email is Art. 6(1)(f) GDPR. If the email contact aims at concluding or performing a contract, an additional legal basis is Art. 6(1)(b) GDPR.

    8. Registration and ordering in the online shop

    8.1 Type, scope and purpose of processing

    On our website, we offer users the opportunity to register by providing personal data and to create a customer account. The data is entered into an input mask and transmitted to us and stored.

    We store your data required for contract performance in your customer account until you permanently delete your access. We also store the voluntary data you provide for the duration of your use of the portal unless you delete it earlier. In addition, we store data for fulfilling legal obligations until the end of the statutory retention period.

    Personal data may be transferred to third parties insofar as this is necessary for contract performance. This includes the payment service provider used by us.

    Your registration provides access to content on the website that you cannot access without registration. Purchasing our services is possible only after registration and creating a customer account, since you manage the application via the customer account and receive information required for contract performance.

    After successful registration, you receive a personal password-protected login and can view and manage the data you have stored.

    We use the so-called double opt-in procedure for registration, i.e., your registration is not complete until you have confirmed it via a confirmation email sent to you for this purpose by clicking the link contained therein. If you do not confirm within 24 hours, your registration will be automatically deleted from our database.

    8.2 Legal basis

    Registration serves the performance of a contract to which the user is a party or the implementation of pre-contractual measures; therefore, the legal basis for processing is Art. 6(1)(b) GDPR.

    8.3 Options to object

    Users may cancel their registration at any time. You can change the data stored about you at any time.

    If the data is required for performing a contract or for pre-contractual measures, premature deletion is only possible insofar as no contractual or statutory obligations prevent deletion.

    8.4 Payment service provider

    8.4.1

    For payment processing we use the payment service provider Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower Grand Canal Dock, Dublin, D02 H210, Ireland (“Stripe”). Stripe enables various payment methods, such as credit card payments or direct debit.

    8.4.2

    For each payment transaction, Stripe receives data required for processing electronic payment transactions, such as the information you provide during the ordering process together with information about your order (name, address, account number, bank sort code, possibly credit card number, invoice amount, currency and transaction number). Processing by Stripe is necessary for payment processing and thus for contract performance. The legal basis is Art. 6(1) sentence 1(b) GDPR. This data is deleted after the statutory retention obligations expire.

    8.4.3

    Stripe may transfer data to group companies in the USA. Since July 13, 2023, the European Commission has assessed the level of data protection in the USA as adequate. Data transfer to the USA takes place both on the basis of the Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR and on the basis of the adequacy decision TADPF.

    8.4.4

    Further information on data processing by Stripe can be found here: https://stripe.com/at/privacy?tid=311853917

    9. Website analytics / marketing

    9.1 Type, scope and purpose of processing

    For analysis and optimization purposes, we use various services described below. This allows us, for example, to analyze how many users visit our website, which information is most in demand, or how users find our offering. Among other things, we collect data about which website a data subject came from (so-called referrer), which subpages were accessed, or how often and for how long a subpage was viewed. This helps us to make our offerings more user-friendly and to improve them. The data collected is not used to personally identify individual users. Anonymous or at most pseudonymous data is collected.

    For the purposes pursued by data processing, there is a legitimate interest in direct marketing.

    9.2 Google Tag Manager

    We use Google Tag Manager, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

    Google Tag Manager enables us to centrally manage website tags via an interface (e.g., to integrate analytics tools such as Google Analytics and other Google marketing services into our online offering and to manage them from one place).

    Due to integration via our tagging proxy, the Tag Manager does not come into contact at any time with data arising from visits to the website.

    10. Cookie consent tool

    We use the consent management service Usercentrics, Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany (Usercentrics). Usercentrics is a consent management tool through which we can obtain, manage and document website users’ consent to data processing. This enables us to comply with the requirements of the GDPR and the Telecommunications Digital Services Data Protection Act (TDDDG).

    Usercentrics is used by us as a processor pursuant to Art. 28 GDPR; a corresponding data processing agreement has been concluded.

    Consent data includes the following data:

    • date and time of the visit and/or consent/decline,
    • device information

    The data is processed for the purpose of complying with legal obligations and the associated documentation of consents and thus on the basis of Art. 6(1)(c) and (f) GDPR. Local storage is used for storing the data.

    Consent data is stored for 1 year. The data is stored in the European Union. Further information about the data collected and contact options can be found at https://usercentrics.com/privacy-policy/.

    11. Rights of data subjects

    You have the following rights regarding the personal data concerning you:

    11.1 Right of access

    Any data subject affected by the processing of personal data may request confirmation from the controller as to whether personal data relating to them is being processed.

    If such processing exists, you may request the following information from the controller:

    • purposes of processing
    • categories of personal data being processed
    • recipients or categories of recipients to whom the personal data have been or will be disclosed
    • planned duration for which the personal data will be stored or, if this is not possible, the criteria used to determine that period
    • existence of a right to rectification or erasure of personal data, a right to restriction of processing by the controller, or a right to object to such processing
    • existence of a right to lodge a complaint with a supervisory authority
    • all available information about the source of the data, if the personal data are not collected from the data subject
    • existence of automated decision-making including profiling pursuant to Art. 22(1) and (4) GDPR and—at least in these cases—meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject

    The data subject also has the right to be informed whether personal data concerning them are transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

    For data processing for scientific, historical or statistical research purposes:
    This right of access may be restricted insofar as it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and such restriction is necessary for the fulfillment of those purposes.

    11.2 Right to rectification

    Data subjects have a right to rectification and/or completion vis-à-vis the controller if the personal data concerning them is inaccurate or incomplete. The controller must carry out rectification without undue delay.

    11.3 Right to restriction of processing

    Under the following conditions, data subjects may request restriction of processing of their personal data:

    • if the accuracy of the personal data is contested for a period enabling the controller to verify the accuracy,
    • if the processing is unlawful and the data subject opposes erasure and requests restriction instead,
    • if the controller no longer needs the personal data for the purposes of processing, but the data subject requires it for the establishment, exercise or defense of legal claims, or
    • if the data subject has objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the controller’s legitimate grounds override those of the data subject.

    If processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

    If restriction has been applied, the data subject will be informed before the restriction is lifted.

    11.4 Right to erasure

    11.4.1 Obligation to erase

    The data subject may request that personal data concerning them be erased without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

    • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal ground for processing;
    • the data subject objects to processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for processing, or the data subject objects pursuant to Art. 21(2) GDPR;
    • the personal data have been unlawfully processed;
    • erasure is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject;
    • the personal data have been collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR.
    11.4.2 Information to third parties

    Where the controller has made the personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, the controller, taking account of available technology and implementation costs, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, that personal data.

    11.4.3 Exceptions

    The right to erasure does not apply to the extent that processing is necessary:

    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise or defense of legal claims.

    11.5 Right to be informed

    If the data subject has exercised the right to rectification, erasure, or restriction of processing, the controller is obliged to notify all recipients to whom the personal data have been disclosed of such rectification or erasure or restriction, unless this proves impossible or involves disproportionate effort. The data subject has the right to be informed about those recipients.

    11.6 Right to data portability

    Data subjects have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

    • the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR, and
    • the processing is carried out by automated means.

    In exercising this right, data subjects also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.

    11.7 Right to object

    Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.

    The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

    Where personal data is processed for direct marketing purposes, data subjects have the right to object at any time to processing of personal data concerning them for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

    If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

    11.8 Right to withdraw consent

    Data subjects have the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

    11.9 Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR.