Rein Medical GmbH
Monforts Quartier 23
E-mail address: firstname.lastname@example.org
Dr. Peter Kohrs
Data Protection Officer:
Sven Rahn / Sebastian Bedorf
Rahn Datenschutz GmbH
E-Mail: email@example.com / firstname.lastname@example.org
02161 - 277 173 0
Sebastian Bedorf: 02161 - 277 173 3
Sven Rahn: 02161 - 277 173 7
Types of data processed
- Master data (e.g. personal master data, names and addresses)
- Contact data (e.g. e-mail addresses, telephone numbers)
- Content data (e.g. texts, photos, videos)
- Usage data (e.g. web pages visited, interest in content, access times)
- Metadata/communication data (e.g. device information, IP addresses)
Persons who visit and use our web presence (hereinafter also referred to collectively as "users").
Purpose of processing activities
- To provide access to our web presence together with its functions and content
- To respond to queries and communicate with users
- Security measures
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations performed on personal data or sets of personal data, regardless of whether or not these operations are carried out with the assistance of automated procedures. This term is far-reaching and encompasses the submission of data to practically any form of treatment.
"Pseudonymization" means the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided this additional information is kept separately and subjected to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.
"Profiling" means any form of automated processing of personal data involving the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects of that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Controller" means the natural or legal person, public authority, agency, institution or other body which, alone or jointly with others, determines the purposes for which the personal data is to be processed and the means employed to do so.
"Processor" means a natural or legal person, public authority, agency, institution or other body which processes personal data on behalf of the controller.
Applicable legal bases
The legal basis on which we obtain your consent to the processing of your data is Art. 6(1)(a) and Art. 7 GDPR.
The legal basis on which we process your data in order to render our services, implement contractual measures and respond to queries is Art. 6(1)(b) GDPR.
The legal basis on which we process your data in order to fulfil our legal obligations is Art. 6(1)(c) GDPR.
The legal basis in cases where the processing of personal data is necessary to protect the vital interests of the data subject or another natural person is Art. 6(1)(d) GDPR.
The legal basis in cases where personal data must be processed to perform a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6(1)(e) GDPR.
The legal basis on which we process your data in connection with the pursuit of our legitimate interests is Art. 6(1)(f) GDPR.
The processing of data for purposes other than those for which it was collected is regulated in Art. 6(4) GDPR.
The processing of special categories of data (as described in Art. 9(1) GDPR) is regulated in Art. 9(2) GDPR.
As specified in the relevant legislation, we implement the technical and organizational measures required to guarantee an appropriate degree of risk protection while taking account of current developments in technology, implementation costs, the type, scope, circumstances and purpose of our data processing activities, the degree to which the rights and freedoms of natural persons are at risk, and the probability of occurrence.
These measures specifically include safeguarding data confidentiality, integrity and availability by controlling physical access to the data along with measures relating to data access, entry, transmission, availability and separation. We have also implemented processes to guarantee that the rights of data subjects are upheld, the data is erased, and appropriate action is taken if the data is found to be at risk. Moreover, we give due consideration to the protection of personal data by developing and selecting hardware, software and processes in compliance with the principle of data protection through technology engineering and privacy-friendly default settings.
Cooperation with processors, co-controllers and third parties
Should we disclose or transmit data to other persons and/or companies (contractors, co-controllers or third parties) or grant them access to the data in any other way during the course of our processing activities, this shall be effected solely on the basis of legal authorization (e.g. if the data has to be transmitted to third parties such as payment service providers so that the contract can be executed), if the data subject’s consent is obtained, if required to fulfil a legal obligation, or in order to serve our legitimate interests (e.g. when deploying representatives, utilizing web hosting services etc.).
Should we disclose, transfer or otherwise grant access to your data to other companies in our group, this will be effected for administrative purposes, serve a legitimate interest and be based on one of the legal provisions.
Transfer of data to third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation), or if this occurs when we make use of third party services or disclose/transfer data to other persons or companies, this shall be effected solely for the purpose of fulfilling our (pre)contractual obligations, on the basis of your consent, in order to fulfil a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual authorizations, we shall only process or leave the data in a third country if the legal requirements are met. This means that the processing is effected e.g. on the basis of specific guarantees, such as the officially recognized equivalent level of data protection (e.g. for the USA through the Privacy Shield) or compliance with officially recognized specific contractual obligations.
Rights of data subjects
By law, you have the right to request confirmation that relevant data is being processed and to obtain information on this data together with other information and a copy of the data being processed.
Pursuant to the statutory provisions, you as a data subject reserve the right to demand the completion of the relevant data concerning you, or the correction of the relevant incorrect data concerning you.
Pursuant to the statutory provisions, you as a data subject reserve the right to demand that the relevant data concerning you be deleted immediately, or alternatively to demand a restriction of the processing of the relevant data concerning you in accordance with the statutory provisions.
You as a data subject reserve the right to demand that the relevant data concerning you, which you have made available to us, is in turn provisioned to you, in accordance with the statutory requirements and to request its transmission to other data controllers.
Pursuant to the statutory provisions, you also as a data subject reserve the right to file a complaint with the competent supervisory authority.
Right of withdrawal
You have the right to withdraw your consent with future effect.
Right to object
You have the right to object to the future processing of your personal data as specified by law. This right to object may in particular be exercised to prevent your data being used for direct advertising purposes.
Erasure of data
The data processed by us shall be deleted or restricted in accordance with statutory requirements. Unless explicitly stated in this Data Protection Statement, the data stored by us shall be deleted as soon as it is no longer necessary for its intended purpose and the deletion does not conflict with any statutory storage requirements.
Insofar as the data is not deleted because it is required for other, statutorily permitted purposes, its processing shall be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons.
We request that you inform yourself regularly about the content of our Data Protection Statement. We shall update the Data Protection Statement as soon as changes to our data processing make an update necessary. We shall notify you as soon as such changes require your participation (e.g. granted consent) or other individual notification.
When users contact us (for example, by contact form, e-mail, telephone or via social media), the information they provide is processed in order to handle the contact request pursuant to Art. 6 (1) lit. b (within the framework of contractual / pre-contractual relationships) and Art. 6 (1) lit. f (other requests) of the General Data Protection Regulation (GDPR). The information provided by the users can be stored in a Customer Relationship Management System ("CRM System") or comparable request organization.
We delete the requests insofar as they are no longer required. We cross-check the requirement every two years; furthermore, the statutory archiving obligations apply.
We herewith inform you by means of the following information about the content of our newsletter as well as the registration, shipping and statistical evaluation procedures as well as your right of objection. By subscribing to our newsletter, you declare your granted consent to receiving it and to the processes described.
Newsletter content: We only send newsletters, e-mails and other electronic messages containing advertising (hereinafter “newsletter(s)”) with the recipient’s consent or where permitted by law. Insofar as the content of a newsletter is concretely described in the context of an application for the subscription of a newsletter, it is authoritative for the granted consent of the user. Our newsletters also contain information about ourselves and our services.
Double opt-in and logging: Persons wishing to subscribe to our newsletters are required to complete a so-called double opt-in procedure. This means that after registering, you shall receive an e-mail requesting you to confirm your registration. This confirmation is necessary to prevent people from registering with e-mail addresses other than their own. The registration for the newsletter shall be logged in order to prove the registration process according to the statutory requirements. This includes the storage of the logon and the confirmation time, as well as the IP address. Likewise, changes to your data stored with the shipping service provider shall be logged.
Subscription data: If you wish to subscribe to the newsletter, it is sufficient to enter your e-mail address. Optionally, we request you to provide a name for the purpose of a personal salutation in the newsletter.
The shipment of the newsletter and the associated performance measurement is effected on the basis of the granted consent of the recipients pursuant to Art. 6 (1) lit. a, Art. 7 of the General Data Protection Regulation (GDPR) in conjunction with § 7 (2) no. 3 of the German Fair Trade Practices Act (UWG) or, insofar as granted consent is not required, based on our legitimate interests in direct marketing pursuant to Art. 6 (1) lit. f of the General Data Protection Regulation (GDPR) in conjunction with § 7 (3) of the German Fair Trade Practices Act (UWG).
The logging of the registration process is based on our legitimate interests pursuant to Art. 6 (1) lit. f of the General Data Protection Regulation (GDPR). We have legitimate interests in deploying a user-friendly and secure newsletter system, which serves our legitimate business interests as well as meets the expectations of users and concomitantly permits us to provide proof of granted consent.
Termination / Revocation: You can terminate the receipt of our newsletter at any time, which means revoking your granted consent. You shall find an “Unsubscribe” link at the bottom of every newsletter. We are entitled to store the e-mail addresses provided for up to three years before deleting them; this is intended to serve our legitimate interest in being able to provide evidence that the subscriber's consent was once obtained. The purpose for which this data is processed is limited to the repudiation of possible claims. An individual request for cancellation is possible at any time, provided that at the same time the former existence of a granted consent is confirmed.
Newsletter - Rapidmail
The shipping service provider may deploy the data of the recipients in pseudonymous form, which means without assignment to a user, to optimize or improve its own services, e.g. for the technical optimization of the shipment and the presentation of newsletters or for statistical purposes. However, the shipping service provider does not deploy the data of our newsletter recipients for customised addressing purposes, nor pass the data on to third parties.
Newsletter - Performance measurement
The newsletters contain a so-called "web beacon", which is a pixel-sized file that is retrieved from our server upon opening the newsletter, or from the server of the shipping service provider, insofar as we use a shipping service provider. Within the framework of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval, is collected.
This information is used to improve the technical performance of services based on the technical specifications or target groups and their reading habits, based on their locations (which can be determined using the IP address) or retrieval times. The statistical surveys also include determining whether the newsletters are opened, when they are opened, as well as which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, the surveillance of individual users is neither our intention, nor that of the shipping service provider, insofar as a shipping service provider is deployed. The evaluations on the contrary serve to enable us to recognize the reading habits of our users and to tailor our content to them or to send different content according to the interests of our users.
A separate revocation of the performance measurement is unfortunately not possible; in such a case, the entire newsletter subscription must be terminated.
Hosting and e-mail services
We deploy hosting services in order to provision the following: infrastructure and platform services, computing capacity, storage and database services, e-mail shipment, security, and technical maintenance services, which we deploy in order to operate this online offering.
In doing so, we or our hosting provider process stock data, contact data, content data, contract data, usage data, meta and communication data of customers, prospects and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 (1) lit. of the General Data Protection Regulation (GDPR) in conjunction with Art. 28 of the General Data Protection Regulation (GDPR) (conclusion of order processing contract).
Generation of access data and log files
We, or our hosting provider, collect on the basis of our legitimate interests within the meaning of Art. 6 (1) lit. f of the General Data Protection Regulation (GDPR), data on every access to the server on which this service is located (so-called server log files). The access data includes the name of the retrieved web page, file, date and time of retrieval, volume of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Logfile information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of 7 days and then deleted. Data whose further retention is required for evidential purposes is excluded from the deletion until the final clarification of the incident.