Due to the recent founding of ulrich medical España, the Spanish version of our privacy policy is currently under construction. We hope to make it available to you soon.
Until then, please refer to the English version of our privacy policy.
1. Details of the controller and data protection officer
Here at ulrich GmbH & Co. KG, we are responsible for the collection, processing and storage of your data. As we would like to give you a comprehensive overview of the processing of personal data within our group of companies, below we have provided an overview for you, which includes all our services in which we collect and process personal data.
For reasons of simplicity alone, this document usually uses the masculine or a neutral form. ulrich medical is a cosmopolitan and tolerant company that is committed to the values of equality for all people. Gender or personal self-orientation are therefore irrelevant for ulrich medical.
Controller for the processing of the data is:
ulrich GmbH & Co. KG (for short: ulrich medical)
Buchbrunnenweg 12, 89081 Ulm, Germany
Tel.: +49 (0)731 9654-0
Email: info@ulrichmedical.com
Email: datenschutz@ulrichmedical.com
Below you will find the details of the other controllers in terms of Art. 26 GDPR:
ulrich medical España S.L
calle Arboleda, 14, Núm: AR038, 28031 Madrid, España
A Data Protection Officer has been appointed for our company:
systemzwo GmbH
Pfarrer-Weiß-Weg 10
89077 Ulm
Tel.: +49 (0)731 141160-0
Email: datenschutz@sz-group.de
2. Data subjects
The following information is addressed to the following categories of natural persons:
- Visitors to our websites
- Event participants
- Contact persons for business customers/distributors, interested parties or other communication partners
- Subscribers to the newsletter
- Employees
- Users of our online portal uPortal at https://up.ulrichmedical.de/en
- Users of the ulrich medical Academy at https://academy.ulrichmedical.de/de
- Users of the e-labeling platform at https://ifu.ulrichmedical.com
- Visitors to ulrich medical
- Applicants
3. Minors
Our offers are not aimed at minors. We do not collect any personal data from minors. If persons under 16 years of age send personal data to us, this is only permitted if the legal guardian has given their own consent or has agreed to the consent of the young person. In this regard, we must be provided with the contact details of the parent or legal guardian in accordance with Art. 8 (2) GDPR so that we can be sure that the consent or approval of the parent or legal guardian has been given. This data as well as the minor’s data will then be processed according to this privacy policy. If we discover that a minor under the age of 16 has sent personal data to us without their parent or legal guardian having given their own consent or having agreed to the minor’s consent, then we will delete the data immediately.
There you will also find information on the storage period: Your data will be stored until you withdraw your consent or until you object to further data processing, or otherwise until it is no longer required for the intended purposes, subject to statutory retention periods or if we still need your data to assert, exercise or defend legal claims, Art. 17 (1) (a), (b), (c), (3) (b), (e) GDPR.
4. Data protection rights
Every data subject has the right to free information about their stored personal data, its origin and recipient as well as the purpose of processing in accordance with Article 15 of the GDPR, the right to rectification in accordance with Article 16 of the GDPR, the right to erasure in accordance with Article 17 of the GDPR and the right to restriction of processing in accordance with Article 18 of the GDPR. The restrictions set out in Sections 34 and 35 BDSG apply to the right of access and erasure.
Pursuant to Article 20 of the GDPR, you have a right to data portability. Accordingly, you have the right to have data that we process automatically on the basis of your consent or in order to perform a contract provided to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as this is technically feasible.
You may revoke any consent to the processing of personal data given before 25 May 2018 informally at any time.
Furthermore, pursuant to Article 21 of the GDPR, you have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Article 6 (1) (f) of the GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims. If you object to the processing of your data for direct marketing purposes, we will no longer process your personal data for these purposes. The objection may be made informally and must be addressed to the controller or the data protection officer.
In addition, you have the right to lodge a complaint with the data protection supervisory authority in accordance with Article 77 of the GDPR, Section 19 of the German Federal Data Protection Act (BDSG) if you believe that the data processing concerning you is unlawful.
To exercise your rights, you can send us an informal notification at datenschutz@ulrichmedical.com.
Furthermore, you have the right to lodge a complaint with the supervisory authority responsible for our company if you believe that the processing of your personal data violates data protection regulations, Article 77 GDPR. The supervisory authority responsible for us is:
The State Data Protection and Freedom-of-Information Officer of Baden-Württemberg
Königstrasse 10, 70173 Stuttgart
Tel.: +49(0)711 6155 41-0
Email: poststelle@lfd.bwl.de
5. Website and services offered via the website
Below you will find an overview of the processing of your personal data connected with the use of our website www.ulrichmedical.de and the services offered via the website.
5.1. Contact form, getting in touch, service / technical hotline
Categories and origin of personal data: You can get in touch with us using the contact details provided on the website. You will also find contact forms on our website. If you would like to contact us about this, we require the following details from you:
- Form of address, academic title (optional)
- Name details (mandatory)
- The company, clinic, institution that you are a part of (mandatory)
- Email address (mandatory)
- Telephone number (mandatory)
- Details of your inquiry (type of inquiry, product – mandatory)
- Town/city, postcode (mandatory)
- Country (mandatory)
- Free text inquiry (mandatory)
- Preferred callback time (mandatory)
- Order number (mandatory)
Legal basis: The legal basis for data processing is Article 6 (1) (b), (f) of the GDPR: Carrying out pre-contractual measures at the request of the data subject, performance of a contract to which the data subject is party, legitimate interest of the controller; in the case of consent, Art. 6 (1) (a) GDPR.
Purpose:
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
Legitimate interest of the controller:
- Initiation and execution of contracts with customers/distributors
- Standardization and simplification of communication
- Optimization of operational processes and internal administration of our customer/distributor databases
- Data security
Categories of recipients: Access to your data is limited to the employees and service providers of the controller who require the data for the above-mentioned purposes. Your data will also be stored in a commissioned data center.
Data transfers to third countries: No data is transferred to third countries.
Storage period: Your data will be erased when it is no longer needed for the intended purpose in accordance with the general deletion guidelines set out in section 9.
5.2. ulrich medical Academy / Events
Categories and origin of personal data: You can take part in training courses and information events via the ulrich medical Academy. In order to be able to book events, an account for the ulrich medical Academy must be created. For registration, the following information will be requested:
- Title (optional)
- First name (optional)
- Last name (mandatory)
- Company/institution (optional)
- Email address (= user name) (mandatory)
- Telephone (optional)
- Street address (mandatory)
- Postcode, town/city (mandatory)
- Country (mandatory)
- Billing address if different from the above (optional)
- State whether employee of a certified distributor (optional)
- Password (mandatory)
A verification code will then be sent to the email address you have given, confirming your registration with the ulrich medical Academy.
If you have created an account, you can log in at any time by entering your username and password. The details provided when registering are stored under “My Data” and can be edited by you at any time. In addition, you can register for events without entering your details again, and you can see which courses you have already completed and which ones you have booked. You can use your account to download and watch videos from the Mediathek.
You also have the option of obtaining information about your events via push messages, so you can select whether you want to receive a reminder for your event. If you would like to receive push text messages, you will be asked for your mobile number. You can deactivate push notifications at any time via your account.
You can also request the deletion of your account and the associated data at any time via the login area or by sending a message to academy@ulrichmedical.com.
If you wish to book a third-party event, you can click on a link on the ulrich medical Academy portal and will be redirected to the website of the third-party provider named there. Please also take a look at the privacy policy of the relevant provider. As the link from the Academy Portal takes you to the website of the third-party provider, at least your IP address is shared with the third-party provider.
Legal basis: The legal basis for data processing is primarily the consent you have granted pursuant to Article 6 (1) (a) of the GDPR. In individual cases, the legal basis may be the initiation and performance of a contract pursuant to Article 6 (1) (b) GDPR or the legitimate interest pursuant to Article 6 (1) (f) GDPR. We also require some data in order to comply with legal requirements pursuant to Article 6 (1) (c) of the GDPR, in particular the MDR.
Purpose:
- Event management
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
- Ensuring the proper operation of a data processing system
- Issue of attendance certificates
Legitimate interest of the controller:
- Initiation and execution of contracts with customers/distributors
- Standardization and simplification of communication
- Optimization of operational processes and internal management of our customer and distributor databases
- Data security
Categories of recipients: Access to your data is limited to the employees and service providers of the controller who are responsible for organizing the event.
Data transfers to third countries: No data is transferred to third countries.
Storage period: Your data will be deleted when it is no longer needed for the intended purpose. If the events are billable services, your data will be stored for as long as is necessary to prove that the task has been completed in accordance with the order placed. Certificates of participation issued by us are kept as commercial and business letters for a period of six years. In the case of special requirements (e.g. with regard to training on medical devices, instruction as defined by the German Hazardous Substances Regulations (GefStoffV)), longer retention periods may apply.
The deletion period for your data in the event of account inactivity is three years. In all other respects, the general deletion guidelines set out in section 9 shall apply.
5.3. Download function
Categories and origin of personal data: When downloading the documents made available to you under https://www.ulrichmedical.de/download/ the controller processes the following data:
- Log data including IP address with information about access to the documents
Legal basis: The legal basis for data processing is consent in accordance with Article 6 (1) (a) of the GDPR.
Purposes:
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
- Ensuring the proper operation of a data processing system
- Optimization of operational processes and internal administration of our customer/distributor databases
- Data security
Categories of recipients: Access to your data is granted to the employees of the controller who require the data for the aforementioned purposes.
Data transfers to third countries: No data is transferred to third countries.
Storage period: Log data is kept for 3 months from the date of its creation. In all other respects, the General Deletion Policy pursuant to section 9 shall apply.
5.4. Newsletter and Premium Download Form
Categories and origin of personal data: You can subscribe to our newsletter via our websites. When doing so, the controller asks for the following data:
- Email address
- Form of address, academic title, name details (optional information)
- Company affiliation, department, position (optional)
- Interest (contrast injectors, spinal systems, anticoagulants, optional information)
We collect the following data for the premium download form:
- Email address
- First name, surname (optional)
- Facility, position, distributor, postcode, town/city
In order to confirm your email address and your consent, you will receive a separate email (confirmation email) after sending the registration form. We will not register your consent until you have confirmed the activation link contained in this email (double opt-in procedure).
By confirming your registration under this activation link, you agree that we may send you, as the owner of this email address, the free newsletter with current information about our company, our products, promotions and events (product and service information, sector-related trade fair and event invitations, other information relating to the company or its products and services, emails used for market and opinion research) approx. 10-12 times per year.
In addition, you consent to your usage data being collected and evaluated on a personal basis (newsletter usage analysis).
You can revoke your consent to the creation of a personal user profile at any time via the profile editing form, which you can access via a link in the email footer of the newsletter.
We use the Evalanche software to provide our services. The provider is SC-Networks GmbH, Würmstrasse 4, 82319 Starnberg, Germany. The provider’s privacy policy can be found at https://www.sc-networks.de/datenschutz/.
Legal basis: The legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR.
Purpose: Your email address and other personal data voluntarily provided by you will be used for the purpose of sending and personalizing the newsletter. The collection of usage data enables us to evaluate the success of our newsletter campaigns by means of statistical evaluations and to optimize our newsletter in order, for example, to present you with topics and offers that are better suited to your interests.
Categories of recipients: Only the employees and service providers of the controller who are used to operate the newsletter receive access to your data.
Data transfers to third countries: No data is transferred to third countries.
Storage period: If you have not reconfirmed the activation link contained in the confirmation email within the first two weeks, your data will be deleted. Usage analysis data is deleted after three months at the latest.
After your cancellation, data records that prove the double opt-in procedure, and thus your consent under data protection law, will be stored together with your withdrawal of consent for 3 years. During this time, however, your personal data will be blocked against further processing. In all other respects, the general deletion guidelines set out in section 9 shall apply.
5.5. Applications
Categories of personal data and origin of the data: When you apply for a job with us, your personal data will be processed. This applies to all forms of application and their communication channels.
In connection with applications, we process the following data:
- Name details
- Contact details
- Date of birth
- Position, activity
- Education and vocational training data, qualifications, curriculum vitae
- Salary expectations
- Information from an interview
Only in individual cases, if necessary, do we process special personal data within the meaning of Article 9 GDPR that you share with us (e.g. being severely disabled). This also applies to further data such as marital status, gender or religious affiliation, if you provide this information yourself in an application.
To process the data, we also use services provided by Cornerstone OnDemand Inc, 1601 Cloverfield Blvd, Suite 600 South, Santa Monica, California 90404, USA. Cornerstone’s privacy policy can be found at: https://www.cornerstoneondemand.com/de/client-privacy-policy/. In order to guarantee data protection in accordance with the provisions of the GDPR, we have also concluded a commissioned processing agreement with Cornerstone.
Legal basis: The legal basis for data processing is Article 6 (1) (b) of the GDPR and Section 26 of the German Federal Data Protection Act (BDSG), as the processing is necessary for deciding whether to enter into an employment relationship and to take steps prior to entering into a contract at the request of the data subject. The legal grounds may also be your consent pursuant to Article 6 (1) (a) of the GDPR or our legitimate interest pursuant to Article 6 (1) (f) of the GDPR.
Purpose:
- Applicant selection procedure, applicant selection management
- Contract initiation
- Communication and data exchange
- Personnel management and development
Categories of recipients: Your application data is processed by employees of the HR department. It is also passed on to the head of the department responsible for the position. If required by law, data is also transmitted to the works council.
Data transfers to third countries: Insofar as Cornerstone processes data not only on servers within the scope of the GDPR, but also, in particular, on servers in the USA, processing is permitted on the basis of the EU-US Data Policy Framework pursuant to Article 45 (3) GDPR, for which Cornerstone has been certified.
Storage period: Once the applicant selection process has been completed, your data will be stored for a period of four months. If no legal dispute is pending in connection with the application process, the data will be deleted. Otherwise, the data will be deleted following the legally binding end of a legal dispute.
With your express consent, we will add your application documents to our applicant pool. Your data will be deleted after 12 months. In all other respects, the general deletion guidelines set out in section 9 shall apply.
5.6. Online Order Form for Products
Categories and origin of personal data: You can order ulrich medical products via our website. For this purpose, we will ask for the following data via our online order form:
- Order date, order number (mandatory)
- Names of customer and contact person (mandatory)
- The company, clinic, institution that you are a part of (mandatory)
- Customer number (optional)
- Department (optional)
- Delivery/billing address (mandatory)
- Email address (mandatory)
- Telephone number (mandatory)
- Comments (optional)
- Information about the product (item number, description, quantity, price etc.)
The information under this section also applies to all orders placed by other means of communication (e.g. email, telephone, letter).
Legal basis: The legal basis for data processing is the implementation of pre-contractual measures at the request of the data subject, contractual fulfillment and the legitimate interest of the controller pursuant to Article 6 (1) (b) and (f) of the GDPR.
Purpose:
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
Legitimate interest of the controller:
- Initiation and execution of contracts with customers/distributors
- Standardization and simplification of communication
- Optimization of operational processes and internal management of our customer and distributor databases
Categories of recipients: Access to your data is granted to the employees of the controller who require the data for the above-mentioned purposes.
Data transfers to third countries: No data will be transferred to third countries.
Storage period: The general deletion guidelines pursuant to section 9 apply.
5.7. Notification form
Categories and origin of personal data: Via our website, we offer you the opportunity to submit information about incidents of any kind in connection with the products we manufacture and distribute via a separate reporting form. Your data is processed in order to ensure that the report is processed properly:
- Contact details
- Functional data
- Product details
In individual cases, it may be necessary to process the health data of patients in order to deal with a matter properly. However, this is only done in compliance with the provisions of Article 9 GDPR.
Legal basis: In addition to the consent you have granted in accordance with Article 6 (1) (a) of the GDPR, the legal basis for processing is the compliance with legal requirements, in particular the MDR, in accordance with Article 6 (1) (c) of the GDPR. Special personal data is only processed with consent in accordance with Article 9 (2) (a) of the GDPR.
Purpose:
- Compliance with legal requirements
- Quality Assurance
- Warranty and warranty processing
Categories of recipients: Access to your data is granted to the employees of the controller who require the data for the above-mentioned purposes, in particular QM, Process Management and Technical Service.
Data transfers to third countries: No data will be transferred to third countries.
Storage period: The general deletion guidelines pursuant to section 9 apply.
5.8. Vimeo video content
Categories and origin of personal data: To display video content, we use the Vimeo platform provided by Vimeo LLC, which has its headquarters at 555 West 18th Street, New York, New York 10011.
The videos from Vimeo are integrated into some of our websites. When you access such a page on our website, a connection to the Vimeo servers is established. This transmits to the Vimeo server which of our websites you have visited. If you are logged in as a member of Vimeo, Vimeo will assign this information to your personal user account. By clicking the start button of a video, this information can also be assigned to an existing user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding Vimeo cookies.
We also use the "Do-not-Track" function of Vimeo (variable dnt=1) to disable tracking by default.
Further information on data processing and information on data protection by Vimeo can be found at https://vimeo.com/privacy
Legal basis: This service is used on the basis of your consent in accordance with Article 6 (1) (a) of the GDPR and Section 25 (1) of the TTDSG.
Purposes:
- Advertising and public image
- Information and training
Recipients (categories): Access to your data is granted to the Controller’s employees and service providers who are used to operate the website.
Data transfers to third countries: Vimeo also processes data in the USA as a third country. Insofar as data is processed by the provider not only on servers within the scope of the GDPR, but on servers in the USA, processing is permissible on the basis of the EU-US Data Policy Framework pursuant to Art. 45 (3) GDPR. The legal basis is also the consent you have granted pursuant to Article 6 (1) (a) of the GDPR.
Storage period: The storage period of the data we manage is based on our general deletion policy in accordance with section 9.
5.9. eIFU e-labeling platform
Categories and origin of personal data: You can download user manuals and product information materials via the eIFU e-labeling platform at https://ifu.ulrichmedical.com. We collect information about the download:
- Time and type of download
- User IP addresses
- Document information
When you use the eIFU website, your IP address is also forwarded to the provider of the eIFU platform, Qarad B.V., Cipalstraat 3, 2440 Geel, Belgium. A data processing agreement exists with this company. The privacy policy can be found at https://qarad.com/privacy-policy/.
Legal basis: The legal basis for data processing is the consent you have granted in accordance with Article 6 (1) (a) of the GDPR. Otherwise, in individual cases, the initiation and performance of a contract pursuant to Article 6 (1) (b) of the GDPR and our legitimate interest pursuant to Article 6 (1) (f) of the GDPR may also be considered as the legal basis.
Purpose:
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
Categories of recipients: Access to your data is granted to employees who require the data for the above-mentioned purposes.
Data transfers to third countries: No data is transferred to third countries.
Storage period: The general deletion guidelines pursuant to section 9 apply.
5.10. Cookies and cookie consent tool
Categories and origin of personal data: When you visit our website, a cookie banner (cookie consent tool) asks you whether you agree to or reject the use of cookies and similar technologies (tracking pixels, web beacons, etc.). You can also make an individual selection. In the event of rejection, however, a cookie is also set for technical reasons, stating that you have objected to the use. This is deleted when you leave the website. Furthermore, there are technically necessary cookies that are required for the proper operation of the websites and their services.
We use the consent tool "Real Cookie Banner" to manage the cookies and similar technologies used and to obtain consent in this regard. Details about how "Real Cookie Banner" works and how it processes data can be found at https://devowl.io/de/rcb/datenverarbeitung/.
The provision of personal data is not required by contract or necessary for the conclusion of a contract. You are not obliged to provide the personal data.
The cookies used on our website do not cause any damage to your device (e.g. PC, mobile phone, tablet) and do not contain viruses. Cookies serve to make our website more user-friendly, effective and secure. Individual cookies are also used for statistical analysis of usage. Cookies are small text files that are stored on your device and stored by your browser. Most of the cookies we use are so-called session cookies. These are automatically deleted when you leave our website. Other cookies remain stored on your device until you delete them or the deletion rule takes effect. These cookies enable us to recognize your browser the next time you visit. The storage period of cookies that are not deleted immediately after the session (session cookies) is generally 365 days, unless a different storage period is specified in this privacy policy.
If you completely exclude the use of cookies, you cannot use individual functions in our online portal – including the option of cookie-based opt-out from tracking. If necessary, please allow the opt-out cookies of the services for which you wish to prevent tracking.
Please also bear in mind that deleting all cookies will also delete opt-out cookies. You may therefore have to reset them. Cookies are also browser-bound, i.e. they must always be set separately for each browser you use on each device you use.
Legal basis: With your consent, the legal basis for the use of cookies is Article 6 (1) (a) of the GDPR and Section 25 (1) of the TTDSG. In the case of cookies or plug-ins that are essential for the operation and security of the website against attacks and misuse, the legal basis is our legitimate interest in accordance with Article 6 (1) (f) of the GDPR, Section 25 (2) sentence 2 of the TTDSG.
Cookies that are not technically necessary will only be set after you have given your express consent, Article 6 (1) (a) GDPR, which you can withdraw at any time.
Purpose:
Cookies that are technically necessary:
- Checking the authorization of actions
- Authentication of the requesting user of our services
- Securing our web server in order to defend against attacks, for example
- Ensuring the functionality of our services.
Cookies that are not technically necessary:
- Recognizing user preferences and identifying particularly popular areas of our services in order to optimize them.
- Ensuring user-friendliness by facilitating navigation, better user guidance and individual performance presentation
- Public image and advertising
Categories of recipients: Access to your data is granted to the employees of the controller who are used to operate the websites and their services.
Data transfers to third countries: In the case of individual cookies, data is transferred to a third country. Insofar as data is processed not only on servers within the scope of the GDPR, but also, in particular, on servers in the USA, processing is permissible on the basis of the EU-US Data Policy Framework pursuant to Art. 45 (3) GDPR. The legal basis is also the consent you have granted pursuant to Article 6 (1) (a) of the GDPR.
Storage period: You will find the storage period for each cookie listed in the cookie overview. You can also delete cookies in advance by making the appropriate settings in your browser or completely prevent cookies from being activated in the first place.
5.11. Google Ads conversion tracking
Categories and origin of personal data:
We use Google Ads conversion tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to display advertisements in the Google search engine or on third-party websites if the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed using Google’s existing user data (e.g. location data and interests) (target group targeting).
With the help of conversion tracking, we can identify whether the user has carried out certain actions. For example, we can evaluate which buttons on our website were clicked how often and which products were viewed or purchased particularly often.
We only receive statistical evaluations from Google and do not process any personal data ourselves. We only know the total number of users who clicked on our ads and what actions they carried out. This allows us to identify which of the advertising measures used are particularly effective. We do not receive any further information with which we can personally identify users.
We have no control over how Google uses the data collected by the conversion tracking tool. According to Google, the data is encrypted and stored on secure servers. You can find more information about Google Conversion Tracking in Google’s privacy policy: https://policies.google.com/privacy?hl=de.
Legal basis: This service is used on the basis of your consent in accordance with Article 6 (1) (a) of the GDPR and Section 25 (1) of the TTDSG.
Purposes:
- Advertising and public image
Categories of recipients: Access to your data is limited to the employees and service providers of the controller who are responsible for the operation of the website and tracking procedures.
Data transfers to third countries: Insofar as data is processed by the provider not only on servers within the scope of the GDPR, but in particular also on servers in the USA, processing is permissible on the basis of the EU-US Data Policy Framework pursuant to Art. 45 (3) GDPR. The legal basis is also the consent you have granted pursuant to Article 6 (1) (a) of the GDPR.
Storage period: In most cases, conversion cookies expire after 30 days and do not transmit any personal data. The cookies called “Conversion” and “_gac” (which is used in conjunction with Google Analytics) have an expiry date of 3 months.
5.12. Website analysis with Google Analytics 4
Categories and origin of personal data: We use the tool Google Analytics 4 to design our website in line with needs. The provider is Google LLC, based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data controller for the use of services within the scope of the GDPR is Google Ireland Limited, with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Google’s privacy policy can be found at https://policies.google.com/privacy?hl=de.
This is a web analysis service in which usage information is transmitted to our web server and stored:
- IP address: this is only processed in abbreviated form and is therefore anonymized.
- Cookie identifiers
- Pseudo-anonymized location (based on the anonymized IP address)
- Date and time
- Name of the site that has been called up
- URL of the site that has been called up
- URL of the site that was previously visited (as far as this is permitted)
- Screen resolution
- Local time
- Files that were clicked and downloaded
- External links
- Page load time
- Country, region, city (with low accuracy on the basis of IP address)
- Main language of the browser
- User agent of the browser
- Interactions with forms (but not their content)
If you wish to prevent your data from being processed for analysis purposes, you can object to this at any time by clicking on the cookie banner. In this case, an opt-out cookie without usage data is stored in your browser.
Legal basis: This service is used on the basis of your consent in accordance with Article 6 (1) (a) of the GDPR and Section 25 (1) of the TTDSG.
Purposes:
- Recording and analysis of the use of our website
- Security of data processing
Categories of recipients: Access to your data is granted to the employees of the controller who are deployed for the aforementioned purposes and for the operation of the website.
Data transfers to third countries: Data is only transferred to third countries using anonymized data.
Storage period: Our general deletion policy pursuant to section 9 applies to the storage period.
5.13. Security of our web server
Categories of personal data and origin of the data: When you visit our website, we collect the following information for the security of our web server:
- Called up page of our web offer
- IP address, shortened by the last three digits
- Date and time the website was called up, type of end device used
- Browser settings, operating system used
- Language settings
Legal basis: The legal grounds for data processing are compliance with a legal obligation pursuant to Article 6 (1) (c) of the GDPR and our legitimate interest pursuant to Article 6 (1) (f) of the GDPR.
Purposes:
- Checking the authorization of actions
- Authentication of the requesting user of our services
- Securing our web server in order to defend against attacks, for example
- Ensuring the functionality of our services.
Categories of recipients: Access to your data is granted to employees of the IT department and IT service providers of the controller who are used for the above-mentioned purposes.
Data transfers to third countries: No data is transferred to third countries.
Storage period: Log files with IP addresses are stored for 7 days after the termination of the respective connection for the purpose of recognition, containment and elimination of faults or to detect misuse. If actual indications of an abuse case are established within the scope of the data analysis, the log files are kept in the specific case for the preservation of evidence until the conclusion of the legal proceedings set in motion.
6. Online portal uPortal
6.1. Registration at the online portal
Categories of personal data and origin of the data: You can register on the online portal at https://up.ulrichmedical.de/up/registrierung to receive further services. The controller will ask you for the following data:
- User name
- Name details
- Postcode, town/city
- ulrich medical customer number
- Email address
- Password
Legal basis: As a rule, the legal basis is your consent in accordance with Article 6 (1) (a) of the GDPR, and in individual cases also the processing of the usage agreement with you that enables you to use the online portal free of charge in accordance with Article 6 (1) (b) of the GDPR, as well as our legitimate interest in accordance with Article 6 (1) (f) of the GDPR.
Purposes of data processing:
- Contract initiation and processing and the associated setting up and operation of a user account
- User management
- Implementation of the declarations of consent you have issued
- Communication and data exchange
- IT administration, ensuring the proper operation of a data processing system
- Maintenance or restoration of the security of electronic communications networks and services or detection of technical defects and errors in the transmission of electronic communications
- Compliance with mandatory quality of service requirements for electronic communications
- The detection or termination of fraudulent or abusive uses of electronic communications services or contracts relating thereto
Recipients (categories): Access to your data is granted to employees and service providers of the controller who are used for the above-mentioned purposes and to operate the online portal.
Data transfers to third countries: No data is transferred to third countries.
Storage period: The storage period of the data we manage is based on our general deletion policy in accordance with section 9.
6.2. Operation of your user account
Categories and origin of personal data: You have the option of setting up a user account for our services. After successful registration, the controller will set up a user account for you. The following functions are available to you via this user account:
- Log in to your user account
- Creating your user profile and making changes to your user account
- Use of our webinar archive
- Download function to enable you to download the documents provided in the online portal
- Use of the form provided for news submission, incl. upload function
- Use of the form provided to order advertising material
- Use of the form provided to register for an event
- Use of the contact form for help and support requests
- Use of the alert function for news items
- Use of the upload function for contrast media injector log files (for authorized technicians)
The following data is processed after you have entered it:
- NAV person contact number (mandatory)
- NAV company contact number (mandatory)
- ulrich medical customer number (mandatory)
- Email address (mandatory)
- Form of address (optional)
- Academic title (optional)
- Name details (mandatory)
- Role, if applicable (service technician, medical technician, application specialist) (mandatory)
- Training on product, if applicable (Max, CT motion, CT motion USA, CD 200x, tourniquet) (mandatory)
- Company (mandatory)
- Department (optional)
- Position (optional)
- Postcode, town/city (optional)
- Country (optional)
- Responsible ulrich employee (optional)
- Authorizations (mandatory)
- User name (mandatory)
- Password (mandatory)
- Log data (information about log-ons, log-offs, access, entries, transfers, deletions), log files as well as corresponding time information (date, time) when you log in/out as a user
- Evaluation of contrast media injector log files
Legal basis: As a rule, the legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR. In individual cases, the processing is also based on the performance of the user agreement with you pursuant to Article 6 (1) (b) GDPR, which enables you to use the online portal free of charge, our legitimate interest pursuant to Article 6 (1) (f) GDPR and the fulfillment of the legal obligation pursuant to Article 6 (1) (b) GDPR to ensure the security of your data.
Purpose of data processing:
- Contract initiation and processing and the associated setting up and operation of a user account
- User management
- Implementation of the declarations of consent you have issued
- Communication and data exchange
- IT administration, ensuring the proper operation of a data processing system
- Maintenance or restoration of the security of electronic communications networks and services or detection of technical defects and errors in the transmission of electronic communications
- Compliance with mandatory quality of service requirements for electronic communications
- The detection or termination of fraudulent or abusive uses of electronic communications services or contracts relating thereto
Categories of recipients: Access to your data is granted to employees and service providers of the controller who are used for the above-mentioned purposes and to operate the online portal.
Data transfers to third countries: No data is transferred to third countries.
Storage period: Log data is kept for 3 months from the date of its creation. Log files with IP addresses are stored for 7 days after the termination of the respective connection for the purpose of recognition, containment and elimination of faults or to detect misuse. If actual indications of an abuse case are established within the scope of the data analysis, the log files are kept in the specific case for the preservation of evidence until the conclusion of the legal proceedings set in motion.
In all other respects, the general deletion policy pursuant to section 9 applies.
6.3. Using the webinar archive, downloading documents
Categories and origin of personal data: When using our webinar archive or downloading the documents made available to you in the online portal, the controller processes the following data:
- Log data with information on access to the webinars and documents
- Data of those persons who are recorded in the webinars (name details, job title, function, image data, sound recordings, company affiliation) and documents.
Legal basis: As a rule, the legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR. In individual cases, the processing is also based on the performance of the user agreement with you pursuant to Article 6 (1) (b) GDPR, which enables you to use the online portal free of charge, our legitimate interest pursuant to Article 6 (1) (f) GDPR and the fulfillment of the legal obligation pursuant to Article 6 (1) (b) GDPR to ensure the security of your data.
Purposes of data processing:
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
- Ensuring the proper operation of a data processing system
Legitimate interest of the controller:
- Initiation and execution of contracts with customers/distributors
- Standardization and simplification of communication
- Optimization of operational processes and internal administration of our customer/distributor databases
- Data security
Categories of recipients: Access to your data is granted to employees and service providers of the controller who are used for the above-mentioned purposes and to operate the online portal.
In some cases, we use YouTube, a Google service, to display video content such as our webinars to you. To protect your privacy, we have activated the extended data protection mode so that only an anonymized IP address is transmitted to Google. As a precautionary measure, we also refer to the information about YouTube provided in this privacy policy.
We also use Vimeo, a service provided by Vimeo Inc, to show you video content such as our webinars. In order to protect your privacy, we have integrated the service using local preview. As a precautionary measure, we also refer to the information on Vimeo provided in this privacy policy.
Data transfers to third countries: The controller does not transfer data to third countries.
Storage period: Log data is kept for 3 months from the date of its creation. The webinars and documents will be published on the portal until the consent is withdrawn and then deleted. Otherwise, the Controller’s general data erasure policy pursuant to section 9 applies.
6.4. Forms (news submission, event registration, contact form, log file upload form for contrast media injectors)
Categories and origin of personal data: When using the forms provided through the service, the controller processes the following data of the data subject:
- News submission, incl. upload function:
- Advertising materials order
- Registration for an event
- Knowledge training
- Use of the contact form for help and support requests:
- Web activities
Legal basis: As a rule, the legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR. In individual cases, the processing is also based on the performance of the user agreement with you pursuant to Article 6 (1) (b) GDPR, which enables you to use the online portal free of charge, our legitimate interest pursuant to Article 6 (1) (f) GDPR and the fulfillment of the legal obligation pursuant to Article 6 (1) (b) GDPR to ensure the security of your data.
Purpose of data processing:
- Event management
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
- Ensuring the proper operation of a data processing system
Legitimate interest of the controller:
- Initiation and execution of contracts with customers/distributors
- Standardization and simplification of communication
- Optimization of operational processes and internal administration of our customer/distributor databases
- Data security
Categories of recipients: Access to your data is granted to employees and service providers of the controller who are used for the above-mentioned purposes and to operate the online portal.
Data transfers to third countries: The controller does not transfer data to third countries.
Storage period: The Controller’s general data erasure policy pursuant to section 9 applies.
6.5. Surveys via SurveyMonkey
Categories and origin of personal data: You can also take part in surveys we offer on our portal. We process the following data from you for this purpose:
- Your ratings, answer data that you give in the survey
- Survey results/analysis results from SurveyMonkey
This data is only collected and processed in anonymous form. If you participate in the survey, you will be directed to the SurveyMonkey website. SurveyMonkey also processes data from you:
- Source from which you were directed to the SurveyMonkey website
- Cookie identifiers
- Page tags
- Device and browser data
- Protocol data including IP address
- Usage data generated when using SurveyMonkey services
- Information from third parties, for example, if you have given these third parties permission to submit your information to SurveyMonkey, or if you have made this information publicly available online
The service provider we use is SurveyMonkey Europe UC, 2 Shelbourne Buildings, 2nd Floor, Shelbourne Road, Ballsbridge, Dublin 4, Ireland.
Information about SurveyMonkey’s processing of data can be found at:
- https://www.surveymonkey.de/mp/legal/privacy-policy/#three-two-respondent
- https://www.surveymonkey.de/mp/legal/survey-page-cookies/
- https://www.surveymonkey.de/mp/legal/privacy-policy/#pp-section-1
- https://www.surveymonkey.de/mp/legal/cookies/
Legal basis: The legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR.
Purpose of data processing: Carrying out the customer satisfaction survey in order to improve our uPortal and the services offered.
Categories of recipients: Access to your data is granted to the employees and service providers of the controller who are used for the aforementioned purposes and for the operation of the service.
Data transfers to third countries: SurveyMonkey also processes data in the USA as a third country. Insofar as data is processed by the provider not only on servers within the scope of the GDPR, but on servers in the USA, processing is permissible on the basis of the EU-US Data Policy Framework pursuant to Art. 45 (3) GDPR. The legal basis is also the consent you have granted pursuant to Article 6 (1) (a) of the GDPR.
Storage period: The Controller’s general data erasure policy pursuant to section 9 applies.
6.6. Online order form for ulrich medical products
Categories and origin of personal data: You can order ulrich medical products via the uPortal. For this purpose, we will ask for the following data via our online order form:
- IP address from which the site is accessed
- Order date, order number (mandatory)
- Names of customer and contact person (mandatory)
- The company, clinic, institution that you are a part of (mandatory)
- Customer number (optional)
- Department (optional)
- Delivery/billing address (mandatory)
- Email address (mandatory)
- Telephone number (mandatory)
- Comments (optional)
- Information about the product (item number, description, quantity, price etc.)
Legal basis: The legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR.
Purposes of data processing:
- Communication and data exchange
- Contract initiation and execution
- Implementation of the business relationship existing between the controller and the customers/distributors
Legitimate interest of the controller:
- Initiation and execution of contracts with customers/distributors
- Standardization and simplification of communication
- Optimization of operational processes and internal administration of our customer/distributor databases
Categories of recipients: Access to your data is granted to the employees and service providers of the controller who are used for the aforementioned purposes and for the operation of the service.
Data transfers to third countries: Data is not transferred to third countries.
Storage period: The Controller’s general data erasure policy pursuant to section 9 applies.
6.7. News alert and alert tracking
Categories and origin of personal data: With the News Alert, you are automatically informed when new articles relevant to you are available in the uPortal. We process the following data from you for this purpose:
- Email address
- Purchased products
- User role
- Country of user
- Alert frequency
In order to comply with legal obligations, we must prove that external partners have taken note of the safety-relevant updates in self-study. For this reason, we track which users clicked on the link in the news alert email in order to open and read the full text version in the uPortal. We process the following data from you for this purpose:
- User (name / ID)
- Email address
- Time of access
- Selected premium
Legal basis: The legal basis for data processing is your consent in accordance with Article 6 (1) (a) of the GDPR.
Furthermore, we are legally obliged in accordance with Article 6 (1) (c) of the GDPR in conjunction with Regulation (EU) 2020/561 and Regulation (EU) 2017/745, Annex I, Chapter III, 23.1. on the requirement for manufacturers to provide and update all relevant information about the safety and performance of the product to the respective contractual partner, e.g. via a website, and to provide evidence that partners have taken note of the relevant information.
This also applies in accordance with Article 6 (1) (c) of the GDPR in conjunction with DIN EN ISO 13485:, chapter 4.2.4 d), f), h) with the legitimate interest in ensuring the availability of valid versions of applicable documents, controlling their distribution and preventing the unintended use of obsolete documents.
Purpose of data processing: Your personal data will be used for the purpose of sending and personalizing news alerts. This will keep you informed about important, and in some cases security-relevant, updates to our products and associated documents.
We require this evaluation in conjunction with the requirements of MDR Annex I, Chapter III, 23.1 and DIN EN ISO 13485, Chapter 4.2.4, according to which we must provide evidence that we have informed our partners about safety-relevant product updates, for example.
Categories of recipients: Access to your data is limited to employees and service providers of the controller who are used to operate the newsletter.
Data transfers to third countries: No data is transferred to third countries.
Storage period: The Controller’s general data erasure policy pursuant to section 9 applies.
7. Social media platforms
7.1. Profile pages on YouTube
Joint Controller: There is joint responsibility for the provision and use of services on YouTube within the meaning of Article 26 GDPR.
YouTube is part of Google and is therefore subject to the privacy policy and principles of Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA, 94043 USA.
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland is the controller for data processing of persons living within the European Union/EEA and Switzerland.
The platform operator’s data protection officer can be contacted using the following web form: https://support.google.com/policies/troubleshooter/7575787?hl=de
Categories and origin of personal data:
Data that we process from registered visitors to our fan page:
User ID that you registered with, approved profile data (e.g. name, profession, addresses, contact details and, if applicable, special categories of personal data such as religious affiliation, health data, etc.), data generated when sharing content, exchanging messages and communicating, data required for contract processing at the request of registered visitors; otherwise, we only process pseudonymized data such as statistics and analyses of interaction with our fan page and the posts, pages, videos and other content provided via the fan page (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, town/city, language), evaluations of the success and background of our advertisements, other analyses and measurements. We are unable to match the pseudonymized data with the corresponding identifying features (e.g. name details). This means it is not possible for us to identify individual visitors, who therefore remain anonymous to us.
Data that we process from non-registered visitors to our fan page:
Pseudonymous data such as statistics and insights into how visitors interact with our fan page and the posts, pages, videos and other content provided via it (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, town/city, language), evaluations of the success and background of our advertisements, other analyses and measurements. We are unable to match the pseudonymized data with the corresponding identifying features (e.g. name details). This means it is not possible for us to identify individual visitors, who therefore remain anonymous to us.
Data that we process from our website visitors:
By integrating the YouTube button (pure link) on our website, the IP addresses of our website visitors are not transmitted to the platform operator.
Data which the platform operator processes about registered and non-registered visitors to our fan page as well as our website visitors can be taken from the following link:
https://policies.google.com/privacy/update?hl=de&gl=de
Legal basis for data processing: The legal basis for processing is the consent you have granted in accordance with Article 6 (1) (a) of the GDPR.
The legal basis on which the platform operator bases the data processing can be found on the following link:
https://policies.google.com/privacy/update?hl=de&gl=de
Purposes of data processing: We process the data for the following purposes:
- Public image and advertising
- Communication and data exchange
- Event management
- Contract initiation and processing, if applicable
Categories of recipients: The only people who have access to the data processed by us are our employees and service providers who maintain our fan page and who require the data for the above-mentioned purposes. If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.
The categories of recipients to whom the platform operator discloses the data or allows registered visitors to disclose their data, as well as information on intra-group data exchange, can be found on the following link: https://policies.google.com/privacy/update?hl=de&gl=de
Data transfers to third countries: Google also processes data in the USA as a third country. Insofar as data is processed by the provider not only on servers within the scope of the GDPR, but on servers in the USA, processing is permissible on the basis of the EU-US Data Policy Framework pursuant to Art. 45 (3) GDPR. The legal basis is also the consent you have granted pursuant to Article 6 (1) (a) of the GDPR.
Storage period: The storage period of the data we manage is based on our general deletion policy in accordance with section 9.
7.2. Profile pages on LinkedIn and LinkedIn lead generation (lead-gen forms)
Joint Controller: There is joint responsibility for the provision and use of services on LinkedIn within the meaning of Article 26 of the GDPR.
The platform is operated by LinkedIn Corporation, 1000 W. Maude Avenue Sunnyvale, CA 94085 USA. LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, is the controller for data processing of persons living in the European Union (EU) and the European Economic Area (EEA) as well as in Switzerland.
The platform operator’s data protection officer can be contacted using the following web form: https://www.linkedin.com/help/linkedin/ask/TSO-DPO
Data subjects can find information about the available personalization and data protection settings here:
https://privacy.linkedin.com/de-de/faq
https://privacy.linkedin.com/de-de/einstellungen
Categories and origin of personal data: Data that we process from registered visitors to our fan page:
User ID or user name under which the data subjects have registered, approved profile data (name, email address, telephone number), ProFinder profile data, education, professional experience, salary expectations, photo, location data, knowledge and confirmation of knowledge, professional achievements (e.g. issue of a patent, professional recognition, projects), including, if applicable, special categories of personal data, data arising from the sharing of content, the exchange of messages and communication, data required in the context of the preparation and execution of contracts upon request of registered visitors, other data and content published, provided, distributed, posted or uploaded freely by the data subjects on LinkedIn or via their LinkedIn account.
Apart from this, we only process pseudonymous data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided on it (page activities, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are unable to match the pseudonymized data with the corresponding identifying features (e.g. name details). This means it is not possible for us to identify individual visitors, who therefore remain anonymous to us.
Data that we process from non-registered visitors to our fan page:
Pseudonymous data such as statistics and insights into how visitors interact with our fan page and the posts, pages, videos and other content provided via it (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, town/city, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are unable to match the pseudonymized data with the corresponding identifying features (e.g. name details). This means it is not possible for us to identify individual visitors, who therefore remain anonymous to us.
Data that we process from our website visitors:
By integrating the LinkedIn button (pure link) into our website, the IP addresses of our website visitors are not transferred to the platform operator.
Data we process in connection with the use of Lead Generation Forms:
We use the product marketing solutions of LinkedIn Corporation, 1000 W Maude, Sunnyvale, CA 94085, USA and its representative in the European Union, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
LinkedIn transmits personal data to us using a form (LinkedIn Lead Gen Form). Lead Gen Forms are already pre-filled with LinkedIn profile data that allow members to submit their data, which is publicly visible on the network, with just a few clicks. The inquiries generated through the forms are passed directly to our supported CRM HubSpot. These are generally:
- First and last name
- Email address
We receive the data from the data subjects directly or from the platform operator. Where the platform operator obtains the data of the data subjects and which rules apply to processing can be found in the following link: https://www.linkedin.com/legal/privacy-policy
Legal basis for data processing: The legal basis for processing is the consent you have granted in accordance with Article 6 (1) (a) of the GDPR.
The legal basis on which the platform operator bases the data processing can be found in the following link: https://www.linkedin.com/legal/privacy-policy
Purposes of data processing: We process the data for the following purposes:
- Public image and advertising
- Communication and data exchange
- Event management
- Contract initiation and processing, if applicable
For Lead Gen Forms:
- Using Lead Gen Forms for acquiring new customers
- Addressing potential new customers in a more targeted manner.
- Communication and data exchange
- Contract initiation and execution
Categories of recipients: The only people who have access to the data processed by us are our employees and service providers who maintain our fan page and who require the data for the above-mentioned purposes.
Data transfers to third countries: LinkedIn also processes data in the USA as a third country. Insofar as data is processed by the provider not only on servers within the scope of the GDPR, but on servers in the USA, processing is permissible on the basis of the EU-US Data Policy Framework pursuant to Art. 45 (3) GDPR. The legal basis is also the consent you have granted pursuant to Article 6 (1) (a) of the GDPR.
Storage period: The storage period of the data we manage is based on our general deletion policy in accordance with section 9.
In the case of lead-gen forms, the data you enter remains with us until you ask us to delete it, revoke your consent to its storage, or the purpose for the data storage no longer applies (e.g. as soon as we no longer need the data for the execution or processing of an existing contractual relationship), unless we are legally obliged to retain it for a longer period.
LinkedIn states that the lead data there is automatically deleted from the LinkedIn servers after 90 days. Further information on LinkedIn’s data storage can also be found in the following link: https://www.linkedin.com/legal/privacy-policy
7.3. Profile pages on XING
Joint Controller: There is joint responsibility for the provision and use of services on XING within the meaning of Article 26 of the GDPR.
The platform is operated by New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany.
The data protection officer of the platform operator can be contacted using the following web form: https://www.xing.com/settings/privacy/data/disclosure
Data subjects can find information about the available personalization and data protection settings here: https://privacy.xing.com/de/datenschutzerklaerung
Categories and origin of personal data: Data that we process from registered visitors to our fan page:
User ID or username under which the data subjects have registered, approved profile data (name, email address, telephone number), education, professional experience, salary expectations, photo, location data, knowledge and confirmation of knowledge, professional achievements (e.g. issue of a patent, professional recognition, projects), including, if applicable, special categories of personal data, data arising from the sharing of content, the exchange of messages and communication, data required in the context of the preparation and execution of contracts at the request of registered visitors, other data and content published, provided, distributed, posted or uploaded freely by the data subjects on XING or via their XING account.
Apart from this, we only process pseudonymous data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided on it (page activities, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are unable to match the pseudonymized data with the corresponding identifying features (e.g. name details). This means it is not possible for us to identify individual visitors, who therefore remain anonymous to us.
Data that we process from non-registered visitors to our fan page:
Pseudonymous data such as statistics and insights into how people interact with our fan page, posts, pages, videos and other content (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, town, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are unable to match the pseudonymized data with the corresponding identifying features (e.g. name details). This means it is not possible for us to identify individual visitors, who therefore remain anonymous to us.
Data that we process from our website visitors:
By integrating the Xing button (pure link) on our website, IP addresses of our website visitors are not transferred to the platform operator.
Data that the platform operator processes about registered and non-registered visitors to our fan page can be found by clicking the following link: https://privacy.xing.com/de/datenschutzerklaerung
Legal basis for data processing: The legal basis for processing is the consent you have granted in accordance with Article 6 (1) (a) of the GDPR.
The legal basis on which the platform operator bases the data processing can be found in the following link:
https://privacy.xing.com/de/datenschutzerklaerung
Purposes of data processing: We process the data for the following purposes:
- Public image and advertising
- Communication and data exchange
- Event management
- Contract initiation and processing, if applicable
Categories of recipients: The only people who have access to the data processed by us are our employees and service providers who maintain our fan page and who require the data for the above-mentioned purposes.
Data transfers to third countries: We do not transfer any data obtained via the platform to third countries.
For information on the transfer of data from the platform operator, please refer to its privacy policy: https://privacy.xing.com/de/datenschutzerklaerung/wer-erhaelt-daten-zu-ihrer-person/drittlaender
Storage period: The storage period of the data we manage is based on our general deletion policy in accordance with section 9.
For information on the storage and deletion of data by the platform operator, please refer to its privacy policy: https://privacy.xing.com/de/datenschutzerklaerung
8. Further processing in the context of a business relationship or contact
8.1. Visitor management
Categories and origin of personal data: If you visit our company, you must register electronically. The following personal data is processed:
- Name details
- Company name
- Contact with the controller and duration of the visit
Legal basis: The legal basis for the processing of personal data is your consent in accordance with Article 6 (1) (a) of the GDPR.
Purpose of processing: Protection of personal data, trade and business secrets and IT security, which the controller must ensure by means of this access and input control measure (logging).
Categories of recipients: Only employees of the controller who need it to complete their tasks have access to the visitor list.
Data transfers to third countries: No data is transferred to third countries.
Storage period: The data is stored for 3 months and then deleted, unless individual data is required for legal prosecution by the controller.
8.2. Video surveillance
Categories and origin of personal data: Video surveillance takes place at various points on the controller’s premises. In the context of video surveillance, we process the following personal data:
- Image data
Legal basis: The data is processed in accordance with Article 6 (1) (f) of the GDPR for the legitimate interest of the controller. The controller has the following legitimate interests in data processing:
- Protection of the controller’s property and assets
- Protection of people in large publicly accessible areas (e.g. car parks)
- Access control as a technical, organizational measure within the meaning of Art. 32 GDPR
Purposes: Personal data is processed for the purpose of securing evidence in the event of an attempted or committed criminal offense, investigating criminal offenses, preventive measures to prevent criminal offenses and data security.
Categories of recipients: The management of the controller will have access to your data in the presence of a member of the works council if there are reasonable grounds for suspicion. In addition, IT employees have access rights for maintenance work and technical checks.
Data transfers to third countries: No transmission of data to third countries will take place.
Storage period: The data is stored for four days and then automatically deleted, unless it is required for legal prosecution by the controller.
8.3. Business relationship
Categories and origin of personal data: We process personal data as part of our business relationships with our customers and suppliers. Business relationships exist in the form of the purchase and sale of goods as well as the commissioning and provision of services and, in individual cases, work or labor services. The following data is processed:
- Business contact details
- Qualifications and certificates
- Ordering and billing data
- Payment details
- Proof of payment
We ensure that our suppliers always handle the data in accordance with the provisions of the GDPR. Where necessary, we conclude commissioned data processing agreements with our suppliers in accordance with Article 28 of the GDPR or agreements on joint controllers in accordance with Article 26 of the GDPR. Otherwise, we ensure that there is either an adequacy decision by the EU Commission in accordance with Article 45 (3) of the GDPR, e.g. in the form of the EU-US Data Privacy Framework for the USA, which the supplier has undertaken to apply, or that suitable safeguards can be identified in accordance with Article 46 of the GDPR. Processing is only carried out in exceptional cases on the basis of Article 49 of the GDPR under the conditions specified therein, in particular an appropriate guarantee of data protection by the supplier.
Legal basis: The legal basis for processing is Article 6 (1) (b) of the GDPR if a contract is concluded directly with a natural person as a customer, otherwise our legitimate interest pursuant to Article 6 (1) (f) of the GDPR in the initiation and performance of contracts with legal entities or public bodies. If you have given us your consent, the processing is based on Article 6 (1) (a) of the GDPR.
Purposes: The purpose of processing is the initiation or performance of a contractual relationship between us and our customers or suppliers. The purpose is also to comply with legal requirements (e.g. MDR, counter-terrorism list check, GDPR).
Categories of recipients: Only the employees of the controller who are responsible for fulfilling the purpose will have access to your data.
Data transfers to third countries: As a rule, data is not transferred to third countries. If a third country is the subject of the business relationship, data may be transferred on a case-by-case basis.
Storage period: The deletion of data is carried out in accordance with our general deletion policy pursuant to section 9.
8.4. Email, telephone, fax
Categories and origin of personal data: If you contact us by email, telephone or fax, we process the personal data you provide to us.
Legal basis: Processing takes place if there is a legitimate interest in the processing (Article 6 (1) (f) GDPR), you have consented to the processing of your data (Article 6 (1) (a) GDPR), the processing is necessary for the initiation, establishment, content-related design or change of a legal relationship between you and us (Article 6 (1) (b) GDPR), another legal provision permits processing or mandatory legal provisions, in particular commercial or tax law, make processing necessary.
Purpose:
- Initiation or performance of a business relationship
- Processing your inquiry
Categories of recipients: Access to the data is granted to the employees of the controller who require the data for the above-mentioned purposes.
Data transfers to third countries: No data is transferred to third countries.
Storage period: Your data will be erased in accordance with the general deletion guidelines pursuant to section 9.
8.5. Microsoft Teams
Categories and origin of personal data: We use Microsoft Teams. Microsoft Teams is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052–6399, USA. Further information on the processing of your data when using Microsoft Teams can be found at: https://privacy.microsoft.com/de-de/privacystatement and at https://news.microsoft.com/de-de/datenschutz-und-sicherheit-in-microsoft-teams-nutzer.
If you participate in an online meeting via Teams as an external participant, you will receive an access link via email from the meeting host. When registering for the online meeting, your IP address will be transmitted and you will also need to provide your name, although you have the option of using an alias.
Legal basis: The legal basis for the processing of personal data is Article 6 (1) (a) of the GDPR. If special categories of personal data within the meaning of Article 9 (1) of the GDPR are processed, for example within the documents that you provide, the legal basis is Article 9 (2) (a) of the GDPR. Article 6 (1) (f) of the GDPR serves as the legal basis for the processing of data relating to contact persons at external bodies. We are interested in improving the organization and communication with our contacts and reducing the number of tools used to date. If our contact person is a direct contractual partner and a natural person, Article 6 (1) (b) of the GDPR is the legal basis. You may revoke your consent formally at any time with effect for the future. If you withdraw your consent, the documents will also be deleted from Microsoft Teams.
Purpose: We use the Microsoft Teams tool to hold online meetings, video conferences and/or webinars and, if necessary, to exchange documents with participants.
Categories of recipients: Access to the data is granted to the employees of the controller who require the data for the above-mentioned purposes. As a rule, personal data processed in connection with the storage of documents in Microsoft Teams is not disclosed to third parties unless it is specifically intended for disclosure. Please note that content from stored documents as well as in face-to-face meetings is often used to communicate information to customers, interested parties or third parties and is therefore intended to be passed on.
Data transfers to third countries: Insofar as Microsoft processes data not only on servers within the scope of the GDPR, but also, in particular, on servers in the USA, processing is permitted on the basis of the EU-US Data Privacy Framework pursuant to Art. 45 (3) GDPR, for which Microsoft is certified.
Storage period: Your data will be erased in accordance with the general deletion guidelines pursuant to section 9.
8.6. To fulfill our duty of care
Categories and origin of personal data: When using the first-aid kit, the personal data of employees and visitors is processed. We will request the data directly from you. The following personal data is collected from you:
- Names of the injured party
- First aid provider details
- Address (if applicable)
- Nationality (if applicable)
- Result of data matching including time information
Legal basis: The person in charge must provide an accident logbook and this is required by the employer’s liability insurance association. The legal basis for the processing of this personal data is the fulfilment of legal obligations pursuant to Article 6 (1) (c), Article 9 (2) (b) and (g) of the GDPR, Section 26 (3) of the BDSG, Section 24 (6) sentence 1 of the GDVUV Regulation 1, Section 24 (6) of the BGV A 1.
Purpose: The purpose of data processing is the obligation to provide proof to the employer’s liability insurance association.
Categories of recipients: Access to your data is only granted to the personnel management staff of our own employees and employees entrusted with occupational health and safety.
Data transfers to third countries: No transmission of data to third countries will take place.
Storage period: Your data will only be stored for as long as it is necessary to provide evidence to the employer’s liability insurance association: The accident logbook must be kept available for five years.
9. Erasure of data
Personal data is deleted in accordance with our general deletion policy at the latest 30 days after the expiry of the shortest statutory or other period listed below. If a longer retention period is not relevant, the data will be deleted after the shortest period has elapsed; in particular, if a longer period specified by law is relevant, the data will be deleted after this period has elapsed. Special deletion provisions also in accordance with this privacy policy take precedence over the general provisions.
- The data will be deleted if you ask us to delete it or if you revoke your consent.
- The data will be deleted when it is no longer needed for the intended purpose.
- Deletion takes place after termination of the employment or work relationship.
- If the customer or supplier has expressly consented to longer data storage, deletion shall take place after 12 months.
- Furthermore, data shall be deleted no later than one month after the failure to initiate a contract.
- Furthermore, the data will be deleted 12 months after the last contract was concluded. This does not apply to customer accounts of a user account set up for the customer.
- The data will be deleted after a guarantee or exclusion period has expired.
- The data will be deleted once the statutory warranty or product liability period has expired.
- If a legal dispute is pending between you and us, the deletion will take place once it has come to a legally binding end.
- After expiry of the statutory period for business correspondence, the data is deleted after six years.
- If it is necessary to retain the data for evidential purposes under commercial, tax or social security law, the deletion period is 10 years.
- Data collected for the purpose of fulfilling the requirements of the MDR will be deleted after 30 years at the latest.