Data protection notice pursuant to the EU General Data Protection Regulation
Hahn Medical Systems GmbH
Last updated: May 2018
1. Name and contact data of the person responsible for processing as well as the data protection officer
a) Person responsible for processing:
Hahn Medical Systems GmbH
Phone: +49 (7071) 975 57 21
Fax: +49 (7071) 975 57 22
b) Data protection officer:
Hahn Medical Systems GmbH
Phone: +49 (7071) 975 57 21
Fax: +49 (7071) 975 57 22
2. Information about the categories and sources of personal data that we process
The data you communicate when contacting us via e-mail, fax, post or phone is stored by us in order to answer your questions. Providing a valid e-mail address, fax or phone number or postal address in this process is necessary so that we know who is making the inquiry and can answer it. Data processing for the purposes of establishing contact and initiating business with us always takes place on the basis of your freely given consent (Art. 6 (1)(a) GDPR). The data produced in this context is deleted once its storage is no longer necessary, or its processing is restricted if statutory retention obligations exist.
Moreover, we process personal data that we receive from our clients in the course of our business relationship. Furthermore, we process – insofar as is necessary to deliver our services – personal data that we permissibly receive from other third parties (e.g. for the execution of orders, the performance of contracts or on the basis of your consent). Additionally, we process personal data that we have permissibly collected from publicly available sources (e.g. commercial and association registers, press, media, the internet and debtor registers) and that we are authorised to process.
Relevant personal data when you express interest, register a user account or conclude a contract may include the following: practice/name, address/other contact details (phone, e-mail address), gender, date of birth, payment details.
Within the framework of the business initiation phase and during the business relationship, particularly through personal, telephone, electronic or written contact initiated by you or us, further personal data arise, e.g. information about the contact channel, date, occasion and result, (electronic) copies of the correspondence and information about participation in direct marketing measures.
3. Purpose of data processing and information regarding the legal basis
We process the previously mentioned personal data in accordance with the GDPR and the Federal Data Protection Act (BDSG):
a. For the fulfilment of contractual obligations (Article 6 (1)(b) GDPR)
The processing of personal data takes place for the provision and sale of products or other contractual services to our clients or for the implementation of pre-contractual measures that are made upon your request. The purposes of data processing are primarily based on the specific service and may include, inter alia, correspondence, order processing, consultation/training and the provision of products and services. Further details regarding the purpose of data processing can be learned from the respective contractual documentation.
b. Within the framework of the balance of interests (Article 6 (1)(f) GDPR)
Where required, we process your data beyond the actual fulfilment of the contract to safeguard our and third parties’ legitimate interests unless the interests or fundamental rights and fundamental freedoms of the person affected that require the protection of personal data prevail. Examples:
Consultation of and data exchange with credit agencies to assess credit or default risks
Assessment and optimisation of requirement analysis and direct customer approach procedures
Advertisement or market and opinion research insofar as you have not objected to the use of your data
Assertion of legal claims and defence in case of juridical disputes
Guarantee of IT security and IT operation of Hahn Medical Systems GmbH
Prevention of criminal offences
Measures to secure buildings and plants (e.g. access control)
Measures to guarantee domiciliary rights
Measures for the business management and further development of services and products
c. On the basis of your consent (Article 6 (1)(a) GDPR)
Insofar as you have given your consent to the processing of personal data for specific purposes, the legality of this processing is based on your consent. Any consent given can be revoked at any time. This also applies to the revocation of consent given to us prior to the EU General Data Protection Regulation taking effect, in other words prior to 25th May 2018. Please note that revocation is effective for the future only. Processing that took place prior to revocation is not affected by this.
d. On the basis of legal requirements (Article 6 (1)(c) GDPR) or in the public interest (Article 6 (1)(e) GDPR)
Furthermore, we as a business are subject to diverse legal obligations, i.e. legal requirements (e.g. Commercial Code, tax laws). The purposes of processing include, inter alia, compliance with taxation provisions as well as the assessment and management of risks to our business.
4. Recipient of data
Within Hahn Medical Systems GmbH those bodies obtain access to your data that require this for compliance with our contractual and statutory obligations. Service providers and vicarious agents commissioned by us can also receive data for these purposes if they comply with our written data protection directives. These are primarily companies from the following listed categories.
With regard to the transfer of data to third parties, please note that we are only authorised to disclose information about you if (i) statutory provisions allow this (e.g. if transmission of data is necessary pursuant to Art. 6 (1)(b) GDPR for the contractual performance or to safeguard our legitimate interest pursuant to Art. 6 (1)(f) GDPR, as for the use of agents, web hosts etc.), (ii) a statutory obligation exists, (iii) you have given your consent, and/or (iv) contract workers commissioned by us guarantee compliance with the requirements of the GDPR and the Federal Data Protection Act (Art. 28 GDPR, § 62 BDSG).
Under these conditions, recipients of personal data may be, for example:
Public bodies and institutions in presence of a statutory or regulatory obligation.
Other institutions and contract workers to whom we disclose personal data for the implementation of the business relationship. In detail: Support/maintenance of EDP/IT applications, archiving, call centre services, controlling, data destruction, purchase/acquisition, hosting provider, customer management, letter shops, marketing, media technology, expense report, tax consulting services, telephone services, website management, web shop management, logistics, transactions. Other recipients of data may be bodies to whom you have given consent to transfer data.
5. Data transmission to a third country or to an international organisation
Transmission of data to countries outside the EU/the EEA (so-called third countries) or to international organisations takes place only insofar as it is necessary to execute your orders, is prescribed by law (e.g. tax-law reporting regulations), you have given us your consent, or it takes place within the scope of order data processing. If service providers of a third country are commissioned, they are obliged – in addition to written instructions – to comply with the European data protection level by agreeing to the EU standard contractual clauses. The current EU standard contractual clauses can be found at www.eur-lex.europa.eu.
6. Duration of data storage
We process and store your personal data for as long and insofar as is necessary for the fulfilment of our contractual and statutory obligations. Note that our business relationship is generally designed to constitute long-term collaboration. The data is regularly deleted if it is no longer necessary for the fulfilment of contractual or statutory obligations unless its – temporary – subsequent processing is necessary for the following purposes:
Fulfilment of commercial and fiscal retention periods: This includes the Commercial Code and tax code in particular. The stipulated periods for storing or documentation are two to ten years.
Preservation of evidence within the framework of the statute of limitation. Pursuant to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years whereby the regular limitation period is three years.
7. Data protection rights of persons affected
Every person affected has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR as well as the right to data portability pursuant to Article 20 GDPR. The limitations pursuant to §§ 34 and 35 BDSG apply with regard to the right of access and the right to erasure. Additionally, there is the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).
You can revoke your given consent to the processing of personal data at any time. This also applies to the revocation of consent given to us prior to the EU General Data Protection Regulation taking effect, in other words prior to 25th May 2018. Please note that revocation is effective for the future only. Processing that took place prior to revocation is not affected by this. If you want to exercise your right to revoke, you can do so without any formal requirement; for instance, it is sufficient to send an e-mail to email@example.com.
8. Obligation to provide data
Within the framework of our business relationship, you have to provide the personal data that are necessary for the initiation and implementation of the business relationship and the fulfilment of the related contractual obligations, or that we are legally obliged to collect. Without this data, we generally have to refuse to conclude or execute the contract, or can no longer perform an existing contract and may have to terminate it.
9. Existence of automated decision making (including profiling)
We generally do not use fully automated decision making pursuant to Article 22 GDPR for establishing and carrying out the business relationship. If we use such procedures in individual cases, we will notify you separately where legally required.
We process your data in a partly automated way with the aim of assessing certain personal aspects (profiling). For example, we use profiling in the following cases:
We use evaluation tools to purposely advise and inform you on products where appropriate. These allow for needs-oriented communication and advertisement including market and opinion research.
We use scoring of credit agencies within the framework of the assessment of your creditworthiness where applicable. In the process, the probability with which the client will be able to meet their payment obligations under the contract is calculated. Scoring is based on recognised and proven mathematical-statistical procedures. The score values calculated by credit agencies support us in decision making and are incorporated into the regular risk management of our business.
Furthermore, we also use temporary cookies for the optimisation of user friendliness, which are stored on your terminal device for a specified period. When visiting our website again to use our services, it is automatically recognised that you have visited before and what kind of entries and settings you have used so that you do not have to enter them again.
You can configure your browser settings to suit your preferences, such as accepting third party cookies or rejecting all cookies. Please note that you may not be able to use all our website’s functions in these cases.
11. Google Maps
We use the services of Google Maps on our web pages. As a result, we can display interactive maps directly on the website and enable you to conveniently use the map function. The legal basis for our use of the data generated in this context is Art. 6 (1)(f) GDPR.
By visiting the website, Google receives the information that you have visited the corresponding subpage of our website. Moreover, the data mentioned under section 2(1) of this declaration is transmitted. This applies regardless of whether you are logged into a Google user account or have no user account at all. If you are logged in on Google, your data is assigned directly to your account. If you do not wish this assignment to your Google profile to take place, you have to log out of your Google user account beforehand. Google stores your data as a user profile and uses it for the purposes of advertisement, market research and/or needs-oriented design of their website. Such an evaluation particularly takes place (even for users that are not logged in) for the delivery of needs-oriented advertisement and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles; to exercise it, you must contact Google.
12. Google Analytics Remarketing
Our websites use the functions of Google Analytics Remarketing in connection with functions across multiple devices of Google AdWords and Google DoubleClick. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
This function enables linking of the advertisement target groups created by Google Analytics Remarketing to functions across multiple devices from Google AdWords and Google DoubleClick. In this way, interest-related, personal advertising messages that have been adjusted to you dependent on your previous usage and surfing behaviour on a terminal device (i.e. mobile phone) can also be shown on one of your other terminal devices (i.e. tablet or computer).
If you have given appropriate consent, Google will link your web and app browser history with your Google account for this purpose. In this way, the same personal advertisement messages can be shown on each terminal device on which you are logged in with your Google account. To support this function, Google Analytics collects google-authenticated user IDs that are temporarily linked to our Google Analytics data to determine and create target groups for advertising across multiple devices.
You can permanently revoke Remarketing/Targeting across multiple devices by disabling personal advertisement in your Google account; for this purpose, please follow this link: https://www.google.com/settings/ads/onweb/.
The summary of the collected data in your Google account takes place solely on the basis of your consent which you can give or revoke at Google (Art. 6 (1)(a) GDPR). In regards to data collection processes that are not connected to your Google account (i.e. because you do not have a Google account or because you have revoked consolidation), the collection of data is based on Art. 6(1)(f) GDPR.
The legitimate interest lies in the interest of Hahn Medical Systems GmbH in the anonymised analysis of visitors to the website for advertisement purposes. Further information and data protection regulations can be found in Google’s data protection declaration at: https://www.google.com/policies/technologies/ads/.
13. Google AdWords and Google conversion tracking
This website uses Google AdWords. AdWords is an online advertising program of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”). We use so-called conversion tracking in the framework of Google AdWords. If you click on an advertisement by Google, a cookie for conversion tracking is set. Cookies are small text files that are stored on the user’s computer by the internet browser.
The cookies expire after 30 days and do not serve to personally identify the user. If the user visits certain pages of this website and the cookie has not yet expired, Google and we are able to recognise that the user has clicked on an advertisement and has been forwarded to this page. Each Google AdWords customer receives a different cookie. The cookies cannot be tracked across the websites of AdWords customers. Information collected by means of the conversion cookie serves to create conversion statistics for AdWords customers that have opted for conversion tracking. The customers learn the total number of users that have clicked on their advertisement and have been forwarded to a page with a conversion tracking tag.
However, they do not receive any information that leads to the personal identification of the user.
The storage of “conversion cookies” takes place on the basis of Art. 6(1)(f) GDPR. Hahn Medical Systems GmbH has a legitimate interest in the analysis of user behaviour to optimise their web content as well as their advertisements.
If you do not wish to participate in tracking, you can revoke this usage by easily disabling the cookie of Google conversion tracking via the user settings in your internet browser. Then, you will not be included in conversion tracking statistics.
More information on Google AdWords and Google conversion tracking can be found in the data protection regulations of Google: https://www.google.de/policies/privacy/.
14. Google reCAPTCHA
Our digital offerings use Google’s reCAPTCHA service to protect us from spam and abuse. The purpose of this service is to discern whether an entry was made by a human being or improperly through automated machine processing.
To determine this, Google will place a cookie in your browser when you use the reCAPTCHA service and will collect and process the following data:
Referrer URL (address of the page where reCAPTCHA is used);
Browser, browser size and resolution, browser plug-ins, date, language setting;
Mouse or touch events within the reCAPTCHA box;
Association with a Google account (if you are logged in to Google when using the reCAPTCHA service, it will be recognised and associated).
Your input behaviour (e.g. response to the reCAPTCHA question, input speed in the form fields, sequence in which the user selects the input fields) is used to improve pattern recognition at Google.
The legal basis for the use of reCAPTCHA is Art. 6 (1)(f) GDPR. Naturally, you can object to future data collection by Google’s reCAPTCHA service on our web pages. Unfortunately, you will then no longer be able to use all our digital offers’ functions.
15. Google Web Fonts
Our pages use so-called Web Fonts for the uniform presentation of fonts, which are provided by Google. When visiting a page, your browser loads the web fonts required in your browser cache to display texts and fonts correctly.
For this purpose, the browser used has to connect to the Google servers. Google hereby learns that our website has been visited via your IP address. The usage of Google Web Fonts takes place in the interest of a uniform and appealing presentation of our online offering. This presents a legitimate interest according to Art. 6(1)(f) GDPR.
If your browser does not support Web Fonts, a standard font will be used by your computer.
Further information on Google Web Fonts can be found under https://developers.google.com/fonts/faq/ and in the data protection declaration of Google: https://www.google.com/policies/privacy/.
16. YouTube
For the inclusion of videos, our websites use the provider YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When visiting a page with embedded videos, your IP address is sent to YouTube and cookies are stored on your computer. However, we have integrated our YouTube videos with the expanded data protection mode (in this case YouTube still contacts the Google DoubleClick service; however, personal data is not assessed according to the data protection declaration of Google). Thus, YouTube does not store any information of visitors unless they watch the video. If you click the video, your IP address is transmitted to YouTube and YouTube learns that you have watched the video. If you are logged in on YouTube, this information will also be assigned to your user account (you can prevent this by logging out of YouTube before watching the video). We do not have any information on the possible collection and use of your data through YouTube and we do not have any influence on it. Please find further information on the nature, purpose and extent as well as the further processing and usage of your data by YouTube in the data protection notices of YouTube under https://policies.google.com/privacy?hl=de&gl=de. There, you can also find further information regarding your relevant rights and the settings options for the protection of your privacy.
Possibility to object: To prevent YouTube from collecting information about you during a visit on our websites, you can log out of YouTube at the start of a visit to our sites and can delete a possibly present cookie of YouTube in the browser used.
17. Social media plug-ins
So-called “social media plug-ins” are technologies that enable you as a user to make certain content known to members of social networks via a direct connection. For you to achieve this, our websites have social media plug-in functions for the networks Xing, LinkedIn, Facebook, Twitter and Google+. Our use of social media plug-ins is based on Art. 6 (1)(f) GDPR.
To protect your privacy, we offer you these social plug-ins as a so-called two-click solution. This is a technical solution that basically prevents data (e.g. IP address) from being transmitted to the social networks Xing, LinkedIn, Facebook, Twitter and Google+ when our website is opened. This means that the buttons of the aforementioned networks’ social plug-ins are deactivated by default. They will only be activated when you click on the respective social media plug-in for the first time. The plug-in’s content will be transmitted from the social networks to your browser and integrated into our website from there. When you click on the respective social media plug-in for the second time, you can then fully use the functions such as “Recommend”.
This activation will be stored in your browser for up to eight weeks. You can deactivate the function at any time by clicking on the individual buttons or by deleting the cookies in your browser.
If you are a Xing, LinkedIn, Facebook, Twitter or Google+ user and you do not want these social networks to collect data when you use our website, you must log out before visiting our company’s website and before activating the social plug-in. You can also block social plug-ins with various add-ons for your browser.
Please note the following points concerning the respective plug-ins:
You can recognise the function buttons of XING with terms such as “XING” or the large green “X” on a white background. With the help of these buttons, it is possible to share an article or page of this offer on XING or to participate in discussions of Hahn Medical Systems GmbH or their digital offers on XING. When a user accesses a page on this website and activates the XING button, the browser will establish a direct connection to XING’s servers. The XING button’s content will be transmitted directly from XING to the user’s browser.
The function buttons of LinkedIn can be recognised with terms such as “LinkedIn” or “in”. With the help of these buttons, it is possible to share an article or page of this offer on LinkedIn or to follow Hahn Medical Systems GmbH or their digital offers on LinkedIn. When a user accesses a page on this website and activates the LinkedIn button, the browser will establish a direct connection to the LinkedIn servers. The LinkedIn button’s content will be transmitted directly from LinkedIn to the user’s browser.
You can recognise Facebook buttons by the words “facebook” or a stylised “thumbs up” or by a blue or white “small f” on a white or blue background.
Our company has no control over the amount of data Facebook collects using this button. However, we would like to inform you about this as far as possible:
Activating the plug-ins will notify Facebook that a user has called up the offer’s corresponding page. If the user is logged into Facebook, Facebook can associate the visit to their Facebook account. If users interact with the plug-ins, by pressing the Like button or using the Share function for example, the corresponding information will be transmitted directly from your browser to Facebook and stored there. It is still possible for Facebook to obtain and store a user’s IP address even if they are not Facebook members. Facebook states that only an anonymised IP address will be stored in Germany. The purpose and scope of data collection and Facebook’s further processing and use of the data as well as the relevant rights and settings options for the protection of users’ privacy can be found in Facebook’s privacy notice: https://www.facebook.com/privacy/explanation.
If you are a Facebook member and do not want Facebook to use this service to collect data about you and link it to your membership information stored by Facebook, you must log out of Facebook. You can also block Facebook social plug-ins with various add-ons for your browser.
You can recognise Twitter buttons by terms such as “Twitter” or “Follow”, combined with a stylised blue bird. With the help of these buttons, it is possible to share an article or page of this offer on Twitter or to follow Hahn Medical Systems GmbH or their digital offers on Twitter. When a user accesses a page on this website and activates the Twitter button, the browser will establish a direct connection to the Twitter servers. The Twitter button’s content will be transmitted directly from Twitter to the user’s browser.
You can recognise the Google+ button by the characters “+1”, “G+” or “g+” on a white or a coloured background. When a user accesses a page on this website and activates the Google “+1” button, the browser will establish a direct connection to Google’s servers. The content of the “+1” button will be transmitted by Google directly to your browser and integrated into the website from there.
Our company has no control over the amount of data Google collects using this button. However, we would like to inform you about this as far as possible:
According to Google, no personal data will be collected without the button being clicked. Such data, including the IP address, will only be collected and processed from logged-in members. Users can find information concerning the purpose and scope of data collection and Google’s further processing and use of the data as well as your rights in this regard and settings options for the protection of your privacy in Google’s privacy notice concerning the “+1” button: https://policies.google.com/technologies/partner-sites
18. Topicality of and changes to the data protection declaration
This data protection declaration is current as of May 2018. Due to the further development of our website or our offers, or due to changed statutory or official requirements, it may become necessary to change this data protection declaration. You may always request the respective current data protection declaration.
Information on your right to object pursuant to Art. 21 GDPR
1. Right to object according to each individual case
For reasons arising from your specific situation, you have the right to object at any time to the processing of your personal data which takes place on the basis of Art. 6 (1)(e) GDPR (data processing in the public interest) or Art. 6 (1)(f) GDPR (data processing on the basis of the balance of interests); this also applies to profiling based on these provisions within the meaning of Art. 4 (4) GDPR. If you exercise your right to object, your personal data will no longer be processed by us unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
2. Right to object to the processing of data for the purpose of advertisement
In individual cases, we process your personal data to carry out direct advertising. You have the right to object at any time to the processing of your personal data for the purpose of such advertisement; this also applies to profiling insofar as it is linked to such direct advertising. If you exercise your right to object to processing for the purpose of direct advertising, your personal data will no longer be processed by us for these purposes.
3. You can exercise your right to object without any formal requirement and should address it to: Hahn Medical Systems GmbH, Paul-Ehrlich-Straße 11, 72076 Tübingen, Phone: 07071 – 975 57 21, Fax: 07071 – 975 57 22, e-mail: firstname.lastname@example.org