Information requirements according to Art. 13 GDPR
The protection of your personal data is very important to us. We therefore process your personal data (in short “data”) exclusively based on the statutory provisions. With this Privacy Policy we would like to provide you with comprehensive information about the processing of your data in our company and the data protection claims and rights to which you are entitled in accordance with Article 13 of the EU General Data Protection Regulation (EU GDPR).
Who is responsible for data processing and who can you contact?
The responsible party is
medi GmbH & Co. KG
Medicusstr. 1
D-95448 Bayreuth
Germany
Tel.: 0921 912-0
Fax: 0921 912-57
E-Mail: info@medi.de
Represented by the Managing Directors: Gerhard Kolb, Philipp Schatz, Dirk Treiber, Marcus Weihermüller
The company data protection officer is
ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21
20354 Hamburg
Germany
E-Mail: datenschutz@medi.de
Customer and Supplier Data
Collection and storage of personal data; nature, purpose and use
When you enter into a contractual relationship with us, the following information is collected:
- Form of address, title, first name, last name
- Address
- E-mail address
- Telephone number (fixed line and/or mobile)
- Fax number, where applicable (if available and desired)
- Account data, where applicable
- Date of birth, where applicable
- Access data, where applicable (if required for the cooperation)
- Creditworthiness data, where applicable (as warranted and on a spot check basis)
- Result of sanctions review, where applicable
- Technical information (e.g. log data, IP address, location), where applicable
Additionally as warranted for patients/end users
- For made-to-measure production: personal measurement data, together with the indication, where applicable (health data)
- For complaints: Photos, also with health background information, where applicable, e.g. intolerances or the like (health data)
- For medi vision: date and time of the scan, software version of the app, measurement data and circumferences up to the waist, 3D model (file with anonymised (or randomised) name)
In addition, all information required for performing the contract with you will be collected.
The collected data may also include special categories of personal data within the meaning of Art. 9 GDPR. This includes, for example, data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data and data concerning health. The data collected for the purpose of performing the contract primarily include, for example, insurance documents, correspondence, medical certificates and findings, or the like. With your consent, such data may possibly be requested of third parties (e.g. the attending physician) or the data will be transmitted by third parties (e.g. the hospital).
Personal data and also special categories of personal data are collected
- in order to identify you as a customer or supplier;
- in order to advise you appropriately;
- in order to fulfil our contractual obligations to you;
- in order to fulfil our legal obligations;
- in order to conduct correspondence with you;
- in order to bill you or send you payment reminders;
- for purposes of reliable direct advertising;
- in order to assert any claims against you.
We process your personal data for purposes of your query or placement of an order with us as required for the aforementioned purposes to process your order and fulfil the obligations under the underlying contract (legal basis Art. 6, 1b GDPR).
If you have subscribed to a newsletter or participate in a sweepstake, the collection and processing of your data are based on your consent (legal basis Art. 6, 1a GDPR). You can revoke this consent for the future at any time without observing requirements of form.
Collected personal data will be stored until the expiration of the statutory retention period for merchants (6 or 10 years after the end of the calendar year in which the contractual relationship was terminated) and erased after that. By way of exception, this does not apply if we are required to retain the data for a longer period of time by reason of obligations under tax or commercial law (under the German Commercial Code, Criminal Code or Tax Code) or if you have consented to data storage for a longer period of time.
Applicants
What data do we process, and for what purposes?
We process the data you sent to us in connection with your application in order to examine your aptitude for the position in question (or possibly other available positions in our company) and to conduct the application process.
What is the legal basis?
The legal basis for processing your personal data in this application process is primarily Section 26 of the German Data Protection Law (BDSG) in the version applicable as of 25 May 2018. Accordingly, it is lawful to process the data needed in connection with the decision about establishing employment. If the data may be required for pursuing rights after the end of the application process, there may be data processing on the basis of the conditions set forth in Art. 6 GDPR, particularly to preserve justified interests under Art. 6, 1f GDPR. Our interest then consists of asserting claims or defending against them.
How long are the data stored?
In case of rejection, applicant data are deleted after six months. If you agree to additional storage of your personal data, we will add your data to our applicant pool. The data there are deleted after one year. If you are approved for a position during the application process, the data are transferred from the applicant data system to our personnel information system.
What recipients receive the data?
We use a specialised software vendor for the application process. They work for us as a service provider and may also receive knowledge of your personal data in connection with maintaining and updating the systems. We have made what is known as a commissioned data processing agreement with this vendor, which ensures that data processing takes place in a lawful manner. Your applicant data are viewed by the personnel department after your application is received. Suitable applications are then forwarded internally to those in the department responsible for the available position. Further steps are then discussed. Within the company, access to your data is in principle limited to persons who require it for the proper conduct of our application procedure.
Where are the data processed?
The data are processed exclusively in computer centres in the Federal Republic of Germany.
Participants of competitions and surveys
If you participate in a competition / a survey by medi, the following information will be collected:
- Form of address, where applicable
- title, where applicable
- first name, where applicable
- last name
- Address, where applicable
- E-mail address, where applicable
- employer’s company name, where applicable
- employer’s customer number, where applicable
- employer’s address, where applicable
- Telephone number (fixed line and/or mobile), where applicable
- Date of birth, where applicable
The data which is collected may also include special categories of personal data within the meaning of Article 9 GDPR. This includes, for example, health data.
The collection of the personal data and the special categories of personal data takes place
- in order to identify you as a participant;
- in order to contact you.
The processing of the personal data takes place during your participation in a competition or a survey by medi and is necessary for the specified purposes for processing the competition / the survey (legal basis Article 6 1b GDPR).
If you participate in a competition / a survey, the data collection and processing is based on your consent (legal basis Article 6 1a GDPR). This consent may be revoked at any time without any formal requirements.
The provided data will be saved, used and processed for the shipping of the prize. The collected data will be saved for the duration of the competition / survey; collected personal data will be saved for a maximum period of three years.
Transfer of data to third parties
Customers & Suppliers
We transmit your personal data to third parties only to the extent required to fulfil the contractual relationships with you. This particularly includes the transfer of data to service providers engaged by us (so-called job processors) or other third parties whose activity is necessary for contractual performance (with regard to suppliers: logistics service providers, printing company, service providers for canteen & catering and, where applicable, architects; with regard to customers: logistics service providers, IT service providers, customer support software providers, sales service providers, payment service providers, field service, trainers & coaches). In the relationship with these third parties, it will be assured that the third parties may only use the transferred data for the aforementioned purposes.
Applicants
We use a specialised software vendor for the application process. They work for us as a service provider and may also receive knowledge of your personal data in connection with maintaining and updating the systems. We have made what is known as a commissioned data processing agreement with this vendor, which ensures that data processing takes place in a lawful manner.
Participants of competitions and surveys
We transmit your personal data to third parties only insofar as this is necessary for the processing of a transaction with you. This may include, in particular, any forwarding of information to service providers authorised by medi GmbH & Co. KG (so-called processors) or other third-parties whose activities are necessary for the purpose of contract execution (survey providers, logistics service providers, IT service providers). Vis-a-vis these third-parties, it is ensured in every instance that the data forwarded may only be used by said third-parties for the stated purposes.
Your rights as a data subject
You as the data subject affected by the data processing have various rights:
- Right of revocation: You can revoke the consents you have granted to us at any time. In that case, the data processing performed on the basis of your revoked consent will no longer be continued in the future.
- Right to information: You can demand information from us about your personal data we process. This applies particularly to the purposes of data processing, the categories of personal data, possibly the categories of recipients, the storage period, possibly the origin of your data and possibly the existence of automated decision making, including profiling and where applicable, conclusive information about the related details.
- Right to rectification: You can demand the rectification of your incorrect or incomplete personal data stored with us.
- Right to erasure: You can demand the erasure of your personal data stored with us insofar as the processing of the data is not necessary for exercising the right of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing: You can demand the restriction of processing of your personal data if you contest the accuracy of the data or if the processing is unlawful but you oppose the erasure of the data. You also have this right when we no longer need the data, but they are required by you for the establishment, exercise or defence of legal claims. In addition, you have this right when you have objected to the processing of your personal data.
- Right to data portability: You can demand that we give you the personal data you have provided to us in a structured, commonly used and machine-readable format. Alternatively, you can demand that we transmit the personal data you have provided to us directly to another controller, to the extent this is possible.
- Right to complain: You can complain to a data protection supervisory authority if (for example) you believe that we are processing your personal data unlawfully. You have the right to complain to a data protection supervisory authority about our processing of your personal data. The data protection supervisory authority with jurisdiction over us is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27
91522 Ansbach
Germany
Phone: +49 (0) 981 53 1300
E-mail: poststelle@lda.bayern.de
Right to object
If we process your personal data on the basis of a legitimate interest, you have the right to object to this processing. If you wish to exercise your right to object, you only need to notify us in text form. This means you can send us a letter, fax or e-mail. You can find our contact data in Section 1 of this data protection information.