Data Protection

Data protection information and data protection declaration

Dear Madam or Sir,

thank you for your interest in BioConsult SH GmbH & Co. KG and for visiting our website. The protection of your personal data is of particular interest to us. In this data protection declaration, we inform you about the most important aspects of data processing during your visit to our Internet pages.

We process your data exclusively on the basis of the statutory provisions (General Data Protection Regulation – GDPR and the Federal Data Protection Act – BDSG as well as the Telemedia Act – TMG).

If there is no legal basis for processing your personal data, we always obtain the consent of the person concerned.

Personal data are for example name, address, e-mail address and phone number of a person concerned.

We have taken special protective measures for handling the data of visitors to our Internet pages. Nevertheless, we cannot guarantee complete protection, especially in the light of constant technical change. You can therefore also send us your data by other means at any time.

Which data is processed in detail and in which way it is used depends largely on the respective visitor. For the details please read the following text.

Chapter I – Data Processor

Provider and responsible body

BioConsult SH GmbH & Co. KG
Dr. Georg Nehls
Schobüller Str. 36
25813 Husum
Deutschland

Phone Number: +49 (0) 4841 77937-10
Fax Number: +49 (0) 4841 77937-19
www.bioconsult-sh.de

Author, responsible for content: Dr. Georg Nehls

Commercial register entry / official register: HRA 6160 FL

Place of jurisdiction: Flensburg

General manager: Dr. Georg Nehls

VAT ID Number: DE 815016803

Data protection officer

Karsten Klug

Lawyer and External data protection officer (TÜV certified)

Klug – Datenschutz-Consulting
Kaiser-Wilhelm-Str. 93
20355 Hamburg

Phone Number: +49 (40) 411 89 38 – 28
Fax Number: +49 (40) 411 89 38 – 37

mail@klug-datenschutz.de

Chapter II – Important Terms

Personal data (Art. 4 number 1 GDPR):

„any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;“

Data subject:

“is an identified or identifiable natural person.”

Processing (Art. 4 number 2 GDPR):

„Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;“

Restriction of processing (Art. 4 number 3 GDPR):

“Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future;”

Profiling (Art. 4 number 4 GDPR):

„Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;”

Pseudonymisation (Art. 4 number 5 GDPR):

“Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”

Controller (Art. 4 number 7 GDPR):

„Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;“

Processor (Art. 4 number 8 GDPR):

„Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; “

Recipient (Art. 4 number 9 GDPR):

„Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;“

Third party (Art. 4 number 10 GDPR):

„third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;“

Consent (Art. 4 number 11 GDPR):

“consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

Chapter III – Information according to Sec. 13 German Telemedia Act

General data collection

When you visit our website http://bioconsult-sh.de/, the information is sent to the server of our website by the browser used on your end device. This information is only temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted:

IP address of the requesting computer
Date and time of access
Name and URL of the requested file
Referrer – URL = website from which the access is made
Browser used and if applicable your computer’s operating system
Name of your access provider
The purposes of the above-mentioned general data collection are:
To ensure a smooth connection to the website
To ensure a comfortable use of our website
Evaluation of system security and system stability

Other administrative purposes

The collection of data is based on a legitimate interest on our part in accordance with. Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest follows from the above-mentioned purposes for data collection. We expressly point out that we do not use any data for the purpose of drawing conclusions about your person.

Special data collection

(1) Cookies:

We do not use cookies on our website.

(2) Use of Vimeo plug-ins

For the integration of videos, we use the provider Vimeo. Vimeo is operated by Vimeo, Inc. 555 West 18th Street New York, New York 1001. On some of our Internet pages we use plug-ins from the provider Vimeo. When you open the Internet pages of our website that are equipped with such a plug-in, a connection to the Vimeo servers (www.vimeo.com) is established and the plug-in is displayed. This tells the Vimeo server which of our websites you have visited. If you are logged in to your Vimeo account as a member of Vimeo, Vimeo will assign this information to your personal user account. When using the plug-in, such as clicking the start button of a video, this information is assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding Vimeo cookies. For the purpose and scope of the data collection, the further processing and use of data by Vimeo, as well as your rights and setting options for the protection of your privacy, please refer to the Vimeo privacy policy: https://vimeo.com/privacy (currently only available in English).

If you don´t want that any data will be transferred to Vimeo, please do not click on the videos. The right to use and transfer your data is Art. 6 Para. 1 lit a) GDPR and your consent to do so. If you click on the videos you will accept, that your data will be transferred to the US, though there is not the same data protection level. Perhaps you are not able to enforce your rights of the GDPR opposite to Vimeo completely.

Chapter IV – Processing Framework

Purposes and legal basis

(1) We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG):

To fulfill contractual obligations according to Art. 6 Para. 1 lit b) GDPR. The processing of data is carried out to provide services within the framework of the contracts or to carry out pre-contractual measures, which are available on request. The purposes of data processing are primarily based on the respective use of our Internet pages. For example, whether contact data are entered in the contact form.

As part of the balancing of interests in accordance with Art. 6 para. 1 lit. f) GDPR. The processing of personal data is carried out in order to safeguard the legitimate interests of the person responsible or of a third party, unless the interests or fundamental rights and freedoms of the data subject outweigh the protection of personal data, especially if the data subject is a child. “Third party” shall mean any natural or legal person, public authority, agency or any other body, apart from the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct authority of the controller or the processor. The legitimate interests of the controller or a third party are in particular:

Ensuring a smooth connection to the website
Ensuring comfortable use of our website
Evaluation of system security and system stability
Other administrative purposes
Examination and optimization of procedures for the purpose of addressing customers directly,
Advertising or market and opinion research, unless you have objected to the use of your data,
Assertion of legal claims and defense in legal disputes,
Ensuring IT security and IT operations,
Prevention and investigation of criminal offenses,
Measures for building and plant security (e.g. access controls),
Measures to ensure the domestic authority
Measures for business management and further development of services and products,

On the basis of your consent in accordance with Art. 6 Para. 1 lit a) GDPR. If you have given us your consent to process personal data for specific purposes (e.g. when using the contact form), the legality of this processing is based on your consent. You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR became valid, i.e. before May 25, 2018. The revocation does not affect the legality of the data processed until the revocation is declared.

Due to legal requirements according to Art. 6 Para. 1 lit c) GDPR or in the public interest according to Art. 6 Para. 1 lit. e) GDPR. As a GmbH & Co. KG, we are subject to various legal obligations (e.g. tax laws).

Data sources and data categories

(1) We process personal data that we receive and may process within the framework of a contract.

(2) In addition, we process – insofar as necessary for the execution of a contract – personal data which we permissibly obtain from publicy accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, internet) or which are legitimately transmitted to us by other third parties that we obtain from other third parties (e.g. information from the register of residents).

(3) Relevant personal data are for example personal data (name, address and other contact data, date of birth, place of birth and nationality), legitimation data (e.g. identity card data), and authentication data (e.g. signature). In addition, this can also include order data (e.g. payment order), data from the fulfillment of our contractual obligations (e.g. invoice data), information about your financial situation (e.g. creditworthiness data, origin of assets), advertising and sales data, and documentation data (e.g. contact form) as well as other data comparable to the categories mentioned.

Storage period

(1) We process and store your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations. Please note that the duration of the storage of personal data by our members always depends on the individual case. The regular storage period of personal data is 10 years, subject to the following instructions.

(2) If the personal data are no longer necessary for the fulfillment of contractual or legal obligations, they are regularly deleted, unless their – temporary – further processing is necessary. In this case, further processing may be considered in particular for the following reasons:

a) Fulfillment of commercial and tax law obligations in accordance with the German Commercial Code (HGB) and the German Fiscal Code (AO), the periods for retention respectively documentation are two to ten years.

b) Preservation of evidence within the framework of the legal statute of limitations. According to Sec. 195 ff. BGB, these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

Obligation to provide data

(1) The provision of personal data is required to justify the conclusion of a contract and to carry out an order.

(2) Failure to provide the data may result in the fact that a contract cannot be established.

Automated decision making and profiling

(1) As a matter of principle, we do not use fully automated decision making in accordance with Art. 22 GDPR to establish and execute a contract. If we use these procedures in individual cases, we will inform you separately, if this is required by law.

(2) An automated processing of your personal data with the aim of evaluating certain personal aspects (profiling, Art. 4 number 4 GDPR) does not take place in our company.

Chapter V – Transfer of data and foreign reference

Recipients or categories of recipients

(1) Within our company, access to your data is granted to those entities that need it in order to fulfill our contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for this purpose, if they comply with applicable confidentiality obligations. These are companies in the following categories: IT services, logistics, printing services, telecommunications, debt collection, advice and consulting as well as sales and marketing.

(2) With regard to the transfer of data to recipients outside BioConsult SH GmbH & Co. KG, it should first of all be noted that our employees are obliged to maintain secrecy regarding all membership-related facts and evaluations. We may only pass on information about you, if required by law, if you have given your consent or if the information is required for contractual purposes. Under these conditions, recipients of personal data may be, for example:

Public bodies and institutions (e.g. authorities),
Courts,
Opponents and their legal representation in legal disputes and
Other parties involved in a contract or pre-contractual relationship.

(3) Other data recipients may be those entities for which you have given us your consent to transfer data.

Chapter VI – Rights of Data Subjects

Special data protection rights

(1) Every data subject has the right of information in accordance with Art. 15 GDPR, the right of correction in accordance with Art. 16 GDPR, the right of deletion in accordance with Art. 17 GDPR, the right to restrict processing in accordance with Art. 18 GDPR and the right to data transferability according to Art. 20 GDPR. Every data subject has the right to object in accordance with Art. 21 GDPR.

(2) With regard to the right of information and the right of deletion, the restrictions according to Sec. 34 and 35 of the Federal Data Protection Act (BDSG) shall apply.

Right of appeal

In addition to the previous information, you have the right of appeal to a competent data protection supervisory authority (Art. 77 GDPR in conjunction with Sec. 19 BDSG).

Revocation of Consent

(1) You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR became valid, i.e. before May 25, 2018.

(2) Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

Chapter VII – Change of data protection declarations and data protection information

Data protection law in particular is in a state of flux. Due to this and in order to ensure that our data protection declaration always complies with the current legal requirements, we reserve the right to change this data protection declaration at any time. This also applies in the case the data protection declaration has to be adapted due to new or revised services, for example new services. The new data protection declaration will then apply the next time you visit our website.

Information about your right of objection according to Art. 21 GDPR

Right of objection in individual cases

(1) According to Art. 21 GDPR, you have the right to object at any time for reasons that arise from your particular situation to the processing of personal data concerning you, which is based on Art. 6 Para. 1 lit. e) GDPR (data processing in the public interest) and Art. 6 Para. 1 lit. f) GDPR (data processing on the basis of a weighing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 number 4 GDPR.

(2) If you object, your personal data will no longer be processed unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Right to object to the processing of data for direct marketing purposes

(1) In individual cases we process your personal data in order to carry out direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising.

(2) If you object to processing for the purposes of direct marketing we will no longer process your personal data for these purposes.

The objection can be made informally and should be addressed to:

BioConsult SH GmbH & Co. KG

Dr. Georg Nehls
Schobüller Str. 36
25813 Husum
Deutschland

Phone Number: +49 (0) 4841 77937-10
Fax Number: +49 (0) 4841 77937-19