Data protection declaration
Thank you very much for your interest in our company. Data protection is a very high priority for the management of hg medical GmbH, Gewerbegebiet 16, 82399 Raisting (hereinafter referred to as “hg medical”). It is generally possible to use hg medical’s internet pages without having to enter any personal data. However, if a person concerned would like to take advantage of special services from our company over our internet site, it may be necessary to process personal data. If it is necessary to process personal data and there is no legal basis for such processing, we generally obtain the consent of the person concerned, or “data subject.”
The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always conducted in compliance with the General Data Protection Regulation and in conformity with the national data protection provisions which apply to hg medical. Our company is using this data protection declaration to inform the public about the type, scale and purpose of the personal data we collect, use and process. This data protection declaration also informs data subjects of the rights they are entitled to.
As the party responsible for the processing, hg medical has implemented many technical and organisational measures to ensure the most seamless protection possible of the personal data processed via this internet site. But internet-based data transfers can still have security vulnerabilities, so it is never possible to guarantee absolute data protection. For this reason, every data subject has the option of providing us with their personal data by alternative means, such as telephone.
hg medical’s data protection declaration is based on the definitions which were used by the EU legislator when the General Data Protection Regulation (GDPR) was enacted. Our data protection declaration is intended to be easily readable and understandable for the general public as well as for our customers and business partners. In order to ensure this, we would like to start out by explaining the terminology used.
We use the following terms (among others) in this data protection declaration:
a) Personal data
Personal data means all information relating to an identified or identifiable physical person (hereinafter referred to as a “data subject”). A natural person is deemed to be identifiable if he or she can directly or indirectly be identified, in particular by allocating an identifier such as a name to a code number, to location information, to online identification data or to one or more special features which express the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
b) Data subject
A data subject is any identified or identifiable physical person whose personal data is processed by a party responsible for the processing.
c) Processing
Processing means any procedure conducted with or without the help of automated methods or any such series of procedures in connection with personal data, such as the collection, recording, organisation, ordering, saving, adaptation or modification, readout, retrieval, use, disclosure via transfer, dissemination, comparison or linking, restriction, deletion or destruction.
d) Processing restriction
A processing restriction is the marking of saved personal data with the goal of restricting its future processing.
e) Profiling
Profiling is any kind of automated processing of personal data which consists of using said personal data to evaluate certain personal aspects which apply to a physical person, in particular to analyse or predict aspects concerning the work performance, financial situation, health, personal predilections, interests, reliability, behaviour, place of residence or relocation of the physical person in question.
f) Pseudonymisation
Pseudonymisation is the processing of personal data in a manner in which the personal data can no longer be allocated to the specific person in question without using additional information, as long as the information is kept separately and subject to technical and organisational measures which ensure that the personal data is not allocated to an identified or identifiable physical person.
g) Responsible party or party responsible for the processing
The responsible party or party responsible for the processing is the physical person or legal entity, authority, institution or other body which decides on the purposes and means of the processing of personal data, either on its own or together with others. If the purposes and means of this processing are defined by Union law or the law of the member states, the responsible party may define the specific criteria of its appointment under Union law or the law of the member states.
h) Processor
The processor is a physical person or legal entity, authority, institution or other body which processes personal data on behalf of the responsible party.
i) Recipient
The recipient is a physical person or legal entity, authority, institution or other body to whom personal data is disclosed, regardless of whether or not it is a third party. However, authorities which may receive personal data in the scope of a particular investigation mandate pursuant to Union law or the law of the member states are not considered to be recipients.
j) Third party
A third party is a physical person or legal entity, authority, institution or other body other than the data subject, the responsible party, processor and persons authorised to process the personal data under the immediate responsibility of the responsible party or processor.
k) Consent
Consent is any declaration of intent which the data subject has voluntarily and unambiguously made in an informed manner for the specific case in the form of a statement or other clear confirmatory action with which the data subject makes it clear that he/she agrees to the processing of the personal data concerning him/her.
2. Name and address of the party responsible for processing
The responsible party as defined by the General Data Protection Regulation, other data protection laws in effect in the member states of the European Union and other provisions concerning data protection legislation is:
hg medical GmbH
Tel.: +49 88 07 – 214 343 – 0
Contact details of our data protection officer:
hg medical GmbH
The data subject may prevent cookies from being placed by our internet site at any time with a corresponding setting on the internet browser being used and thus permanently object to the placement of cookies. Furthermore, cookies which have already been placed can be deleted at any time using an internet browser or other software programs. This is possible in all conventional internet browsers. If the data subject deactivates the placement of cookies in the internet browser being used, then it is possible that not all of the functions of our internet site will be fully usable.
4. Collection of general data and information
hg medical’s internet site collects an array of general data and information each time the internet site is accessed by a data subject or an automated system. This general data and information is saved in the server’s log files. The following data may be collected: (1) the type and version of the browser used, (2) the operating system used by the accessing system, (3) the internet site from which an accessing system arrives at our internet site (known as the “referrer”), (4) sub-websites which are controlled by an accessing system on our internet site, (5) the date and time of access to the internet site, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information which serves to defend against potential attacks on our IT systems.
hg medical makes no conclusions about the data subject through the use of this general data and information. Instead, this information is needed in order to (1) properly deliver the contents of our internet site, (2) optimise the content of our internet site as well as advertising for it, (3) ensure the long-term functionality of our IT systems and internet site technology, as well as to (4) provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack. For that reason, this data and information anonymously collected by hg medical is evaluated statistically and otherwise with the aim of increasing data protection and data security at our company in order to ensure an optimum level of security for the personal data we process. The anonymous data of the server log files is stored separately from all of the personal data specified by a data subject.
5. Routine deletion and blocking of personal data
The party responsible for processing only processes and saves the data subject’s personal data for the period of time necessary to achieve the purpose of saving or if required by EU legislators or other legislators in laws and regulations which the party responsible for processing is subject to.
If the purpose of saving ceases to exist or if a term of storage stipulated by an EU or other legislator elapses, the personal data will routinely be blocked or deleted in accordance with the statutory provisions.
6. Rights of the data subject
a) Right to confirmation
Every data subject has the right granted by the EU legislator to demand confirmation from the party responsible for processing as to whether the personal data concerning him or her will be processed. If a data subject would like to assert this right to confirmation, he/she can contact an employee of the party responsible for processing for this purpose at any time.
b) Right to information
Every person affected by the processing of personal data has the right granted by the EU legislator to receive information free of charge about the personal data saved about his/her person from the party responsible for processing and a copy of this information. Furthermore, the European legislator grants the data subject disclosure of the following information:
- the purposes of processing
- the categories of personal data which are processed
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular in the case of recipients in non-member states or international organisations
- if possible, the planned duration for which the personal data will be saved or, if this is not possible, the criteria for the determination of this duration
- the existence of a right to the correction or deletion of the personal data in question or to the restriction of processing by the responsible party or the existence of a right to object to this processing
- the existence of the right to file a complaint with a supervisory authority
- if the personal data are not collected from the data subject: all available information about the origin of the data
- the existence of an automated decision-making process, including profiling, pursuant to Article 22 Para. 1 and 4 GDPR and – at least in these cases – significant information about the logic involved and the consequences and the intended effects of such processing for the data subject
Furthermore, the data subject has a right to information as to whether personal data is transferred to a non-member state or to an international organisation. If this is the case, then the data subject is also entitled to receive information about the suitable guarantees in connection with the transfer.
If a data subject would like to assert this right to information, he/she can contact an employee of the party responsible for processing for this purpose at any time.
c) Right to correction
Every person affected by the processing of personal data has the right granted by the EU legislator to demand the immediate correction of incorrect personal data concerning them. Furthermore, the data subject is entitled to demand the completion of incomplete personal data – also by way of a supplementary declaration – in observance of the purpose of processing.
If a data subject would like to assert this right to correction, he/she can contact an employee of the party responsible for processing for this purpose at any time.
d) Right to deletion (right to be forgotten)
Every person affected by the processing of personal data has the right granted by the EU legislator to demand that the responsible party immediately delete the personal data concerning them if one of the following grounds applies and if the processing is unnecessary:
- The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject revokes his/her consent, which the processing pursuant to Art. 6 Para. 1 (a) GDPR or Art. 9 Para. 2 (a) GDPR was based on, and there is no other legal basis for processing.
- The data subject files an objection to the processing pursuant to Art. 21 Para. 1 GDPR and there are no justified grounds for the processing which take precedence, or the data subject objects to the processing pursuant to Art. 21 Para. 2 GDPR.
- The personal data were processed unlawfully.
- The deletion of personal data is necessary to fulfil a legal obligation under EU law or the law of the member states which the responsible party is subject to.
- The personal data was collected in relation to information society services offered pursuant to Art. 8 Para. 1 GDPR.
If one of the above-mentioned reasons applies and a data subject would like to initiate the deletion of personal data saved at hg medical, he/she can contact an employee of the party responsible for processing for this purpose at any time. The employees of hg medical will ensure that the deletion request is followed up on without delay.
If the personal data was published by hg medical and if our company is, as responsible party pursuant to Art. 17 Para. 1 GDPR, required to delete the personal data, then hg medical shall take appropriate measures (including technical ones) in consideration of the available technology and implementation costs to inform other parties responsible for data processing which process the published personal data that the data subject has demanded that these other parties responsible for processing delete all links to this personal data or copies or replicas thereof, as long as processing is not necessary. The employee of hg medical will initiate the necessary measures on a case-by-case basis.
e) Right to restrict processing
Every person affected by the processing of personal data has the right granted by the EU legislator to demand that the responsible party restrict processing if one of the following prerequisites applies:
- The correctness of the personal data is disputed by the data subject for a duration which makes it possible for the responsible party to check the correctness of the personal data.
- The processing is unlawful, the data subject rejects the deletion of the personal data and demands restricted use of the personal data instead.
- The responsible party no longer requires the personal data for the purposes of processing, but the data subject requires it to assert, exercise or defend legal claims.
- The data subject has filed an objection to the processing pursuant to Art. 21 Para. 1 GDPR and it is not yet certain whether the justified grounds of the responsible party outweigh those of the data subject.
If one of the above-mentioned prerequisites is present and a data subject would like to demand the restriction of personal data saved at hg medical, he/she can contact an employee of the party responsible for processing for this purpose at any time. The employee of hg medical will initiate the restriction of processing.
f) Right to data portability
Every person affected by the processing of personal data has the right granted by the EU legislator to receive the personal data concerning him/her which was provided to a responsible party by the data subject in a structured, conventional and machine-readable format. He/she also has the right to transfer this data to another responsible party without restriction by the responsible party to whom the personal data was provided if the processing is based on consent pursuant to Art. 6 Para. 1 (a) GDPR or Art. 9 Para. 2 (a) GDPR or on an agreement pursuant to Art. 6 Para. 1 (b) GDPR and the processing is conducted via automated methods, if the processing is not necessary to complete a task in the public interest or is carried out in the exercising of official authority which was transferred to the responsible party.
Furthermore, the data subject, in exercising his/her right to data portability pursuant to Art. 20 Para. 1 GDPR, has the right to have the personal data transferred directly from one responsible party to another, as long as this is technically feasible and as long as the rights and freedoms of other persons are not infringed upon by doing so.
The data subject may contact an employee of hg medical at any time to assert the right to data portability.
g) Right to objection
Every person affected by the processing of personal data has the right granted by the EU legislator to file an objection to the processing of personal data concerning him or her carried out based on Art. 6 Para. 1 (e) or (f) GDPR at any time for reasons resulting from his/her particular situation. This also applies to profiling based on these provisions.
hg medical will no longer process the personal data in the case of an objection unless we can demonstrate urgent reasons for the processing which are worthy of protection and override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
If hg medical processes personal data to conduct direct advertising, the data subject has the right to file an objection to the processing of the personal data for the purposes of such advertising at any time. This also applies to profiling, if it is in connection with such direct advertising. If the data subject objects to hg medical’s processing for direct advertising purposes, hg medical will no longer process the personal data for these purposes.
Moreover, the data subject has the right, for reasons resulting from his/her particular situation, to file an objection to the processing of the personal data concerning him/her which hg medical carries out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para. 1 GDPR, unless such processing is necessary to fulfil a task in the public interest.
The data subject may consult any employee of hg medical or other employee directly to exercise the right of objection. Furthermore, in connection with the use of information society services and regardless of Directive 2002/58/EC, it is up to the data subject to exercise his/her right of objection via automated methods in which technical specifications are used.
h) Automated decisions in individual cases, including profiling
Any person affected by the processing of personal data has the right granted by the EU legislator not to be subject to a decision exclusively based on automated processing – including profiling – which has a legal effect on him/her or could compromise him/her in a similar manner unless the decision (1) is necessary for the conclusion or fulfilment of an agreement between the data subject and the responsible party or (2) is permissible based on statutory regulations of the EU or its member states to which the responsible party is subject, and said statutory regulations contain appropriate measures to protect the rights and freedoms as well as the legitimate interests of the data subject or (3) is made with the express consent of the data subject.
If the decision is (1) necessary for the conclusion or fulfilment of a contract between the data subject and the responsible party or (2) made with the express consent of the data subject, then hg medical will take suitable measures to protect the rights, freedoms and legitimate interests of the data subject, which at minimum include the right to have a person intervene on behalf of the responsible party, to present his/her own position and to contest the decision.
If the data subject would like to assert rights relating to automated decisions, he/she may consult an employee of the party responsible for processing at any time.
i) Right to revocation of consent under data protection law
Every person affected by the processing of personal data has the right granted by the EU legislator to revoke consent to the processing of personal data at any time.
If the data subject would like to assert this right to revoke his/her consent, he/she can contact an employee of the party responsible for processing for this purpose at any time.
7. Data protection provisions on the application and use of Google Analytics (with anonymization function)
The party responsible for processing has integrated the Google Analytics component (with anonymization function) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on this internet site. Google Analytics is a web analysis service. Web analysis is the gathering, collection and evaluation of data on the behaviour of visitors to internet sites. Among other things, a web analysis service gathers data on the internet site from which a data subject has arrived at another internet site (known as the “referrer”), which sub-site of the internet site is accessed or how often, and for what dwell time a sub-site is viewed. Web analysis is predominantly used to optimise an internet site and for cost-benefit analysis of internet advertising.
Transfer to a third country
Google Ireland Limited is an affiliate of Google LLC. Google LLC is located in the United States (1600 Amphitheatre Parkway, Mountain View, CA 94043) and is certified under the U.S. Privacy Shield Agreement, which ensures compliance with EU privacy standards.
The party responsible for processing uses the extension “_gat._anonymizeIp” for web analysis via Google Analytics. This extension is used by Google to abbreviate and anonymize the IP address of the data subject’s internet connection if our internet pages are being accessed from another member state of the European Union or another state party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the flows of visitors to our internet site. Among other things, Google uses the data and information obtained to evaluate the use of our internet site in order to compile online reports which show the activities on our internet sites and to provide further services related to the use of our internet site.
Google Analytics places a cookie on the data subject’s IT system. Cookies have already been defined above. Placing the cookie enables Google to analyse the use of our internet site. Each time one of the individual pages of this internet site which the party responsible for processing operates and into which a Google Analytics component is integrated is accessed, the internet browser on the data subject’s IT system automatically initiates a transfer of data to Google for the purpose of online analysis. In the scope of this technical procedure, Google receives knowledge of personal data such as the IP address of the data subject, which Google uses for such purposes as tracing the origin of the visitors and clicks and enabling commission calculations.
The cookies save personal information such as time of access, the location from which the access originated and the frequency of visits to our internet site from the data subject. Each time our internet sites are visited, this personal data, including the IP address of the internet connection used by the data subject, is sent to Google in the United States of America. Google saves this personal data in the United States of America. Google may pass this personal data gathered via the technical procedure to third parties in certain circumstances.
The data subject may prevent cookies from being placed by our internet site (as described above) at any time with a corresponding setting on the internet browser being used and thus permanently object to the placement of cookies. Such a setting in the internet browser used would also prevent Google Analytics from placing a cookie on the data subject’s IT system. Furthermore, a cookie which has already been placed by Google Analytics can be deleted at any time using the internet browser or other software programs.
Further information and Google’s applicable data protection provisions can be found under https://www.google.de/intl/de/policies/privacy and http://www.google.com/analytics/terms/de.html. Google Analytics is explained in greater detail under this link https://www.google.com/intl/de_de/analytics/.
Our website uses plug-ins from the site YouTube, which is operated by Google. The pages are operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
If you visit one of our pages with a YouTube plug-in or use the app, a connection to YouTube’s servers will be established. In the process, the YouTube server will be informed which of our pages you have visited.
If you are logged into your YouTube account, you allow YouTube to allocate your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
YouTube is used in the interest of presenting our online offers in an appealing manner. This constitutes a legitimate interest as defined by Art. 6 Para. 1 (f) GDPR.
9. Legal basis of processing
Art. 6 I (a) GDPR serves our company as a legal basis for processing procedures in which we obtain consent for a particular purpose for processing. If the processing of personal data is necessary to fulfil an agreement to which the data subject is party, as is the case with processing procedures which are necessary to deliver goods or provide other services or services in return, then the processing is based on Art. 6 I (b) GDPR. The same applies to processing procedures which are necessary for conducting pre-contractual measures, such as in cases of enquiries about our products or services. If our company is subject to a legal obligation which requires it to process personal data, such as for the fulfilment of fiscal obligations, then the processing is based on Art. 6 I (c) GDPR. In rare cases, it may be necessary to process personal data to protect vital interests of the data subject or another natural person. For instance, this would be the case if a visitor were to be injured on our company premises and his/her name, age, health insurance data or other vital information would have to be sent to a physician, hospital or other third party. In such case, the processing would be based on Art. 6 I (d) GDPR. Finally, the processing procedures could be based on Art. 6 I (f) GDPR. Processing procedures which are not covered by any of the previous legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, as long as the interests do not outweigh the basic rights and basic freedoms of the data subject. We are allowed to conduct such processing procedures in particular because they were specifically mentioned by the EU legislator. The legislator is of the view that a legitimate interest could be assumed if the data subject is a customer of the responsible party (Recital 47 Sentence 2 GDPR).
10. Legitimate interests in processing which are pursued by the responsible party or a third party
If the processing of personal data is based on Article 6 I (f) GDPR, it is our legitimate interest to perform our business activities for the good of all of our employees and shareholders.
11. Duration for which the personal data is saved
The statutory retention period in question is the criterion for the duration of saving personal data. Once this period has elapsed, the relevant data will be routinely deleted unless they are still needed to fulfil or initiate a contract.
12. Statutory or contractual provisions on the provision of personal data; necessity for the conclusion of the contract, obligation of the data subject to provide personal data; potential consequences of failing to provide
We inform you that the provision of personal data is in part prescribed by law (e.g. fiscal regulations) or may result from contractual provisions (such as information on the contractual partner). When concluding a contract, it is sometimes necessary for a data subject to provide us with personal data which will have to be processed by us as a result. For instance, the data subject is required to provide us with personal data when our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. The data subject must contact one of our employees before providing personal data. Our employee will inform the data subject on an individual basis whether the provision of the personal data is required by law or by contract or whether it is necessary to conclude the contract, whether there is an obligation to provide the personal data and what consequences failure to provide the personal data would have.
13. Existence of automated decision-making
As a conscientious company, we do not make use of automated decision-making or profiling.