Contents

  1. Details of the controller and data protection contact details
  2. Data subjects
  3. Minors
  4. Categories and source of personal data, purposes, legal basis, categories of recipients, storage period
  5. Transfer of data to third countries
  6. Rights of data subjects
  7. Website and services offered via the website
    7.1. Contact form, getting in touch, service / technical hotline
    7.2. Requesting an offer for the 360° service
    7.3. Events
    7.4. Download function
    7.5. Newsletter and email advertising
    7.6. Job applicant selection procedure
    7.7. Online order form for ulrich medical products
    7.8. E-labeling platform
    7.9. Cookies and webtracking
    7.10. Website analysis with Matomo
    7.11. Security of our web server
    7.12. Profile pages on YouTube
    7.13. Profile pages on Xing and LinkedIn
    7.14. Online portal uPortal

1. Details of the controller and data protection contact details

Here at ulrich GmbH & Co. KG, we are responsible for collecting, processing and storing your data. You can out more about us at any time on our imprint by going to https://www.ulrichmedical.de/impressum/.

As we would like to give you a comprehensive overview of the processing of personal data within our group of companies, below we have provided an overview for you, which includes all our services in which we collect and process personal data.

Details of the controller
ulrich GmbH & Co. KG
Buchbrunnenweg 12
89081 Ulm
Tel.: +49 (0)731 9654-0
Email: info@ulrichmedical.com
https://www.ulrichmedical.de/impressum/

Data protection contact details
Email: datenschutz@it-sec.de

Below you will find the details of the other controllers in terms of Art. 26 GDPR:


Details of the controller
ulrich medical France SAS
25, Boulevard Victor Hugo – Aristote
31770 Colomiers
France

Tel.: +33 5 34 50 91 02
Email: info@ulrichmedical.fr
https://www.ulrichmedical.de/fr/mentions-legales/

Data protection contact details
Email: datenschutz@ulrichmedical.com

2. Data subjects

The following information is addressed to the following categories of natural persons:

  • Website visitors
  • Applicants
  • Event participators
  • Contact persons of business customers / retailers, interested parties or other communication partners who contact us
  • Subscribers to the newsletter
  • Employees

3. Minors

Our website is not targeted towards minors and we do not knowingly collect personal data from minors.
If persons under 16 years of age send personal data to us, this is only permitted if the legal guardian has given their own consent or has agreed to the consent of the young person. In this regard, we must be provided with the contact details of the parent or legal guardian in accordance with Art. 8 (2) GDPR so that we can be sure that the consent or approval of the parent or legal guardian has been given. This data as well as the minor’s data will then be processed according to this privacy policy.
If we discover that a minor under the age of 16 has sent personal data to us without the consent of their legal guardian or has been sent without the minor’s consent, then we will delete the data immediately.

4. Categories and source of personal data, purposes, legal basis, categories of recipients, storage period

Information on the categories of personal data that we process from you, the source of the personal data, the legal basis and purposes of the data processing as well as the recipient (categories) of the data have been compiled for you in section 7.
There you will also find information on the storage period: Your data will be stored until you withdraw your consent or until you object to further data processing, otherwise until it is no longer required for the intended purposes, subject to statutory retention periods or if we still need your data to establish, exercise or defend legal claims, Art. 17 (1) (a), (b), (c), (3) (b), (e) GDPR.

5. Transfer of data to third countries

If data transfers take place in third countries, i.e. outside the European Union, we will inform you about this in section 7. Such data transfers in third countries are secured by an adequacy decision of the EU Commission pursuant to Art. 45 GDPR or by appropriate safeguards pursuant to Art. 46 GDPR. If you call or otherwise contact foreign telephone numbers in non-EU countries as part of ordering processes (e.g. on the e-labeling platform), your personal data will be processed in accordance with the legal provisions applicable in the recipient country.

6. Rights of data subjects

You have a right to information, rectification or erasure of personal data pertaining to you or a right to restriction of data processing by the controller if certain conditions are met in accordance with Art. 15 to 18 GDPR. You also have the right to withdraw your consent to the processing of your personal data at any time with effect for the future (Art. 7 (3) GDPR). You may also object to the further processing of your data, which is based exclusively on the legitimate interest of the data controller in accordance with Art. 6 (1) (f) GDPR (Art. 21 (1) GDPR), provided that your particular personal situation gives rise to interests worthy of protection in the exclusion of data processing and that the data controller no longer has any compelling reasons worthy of protection for further data processing. Furthermore, you always have the right to object to the use of your data for the purposes of direct advertising with effect for the future (Art. 21 (2) GDPR). If the data processing is based on your consent pursuant to Art. 6 (1) (a), Art. 9 (1) (a) GDPR or pursuant to Art. 6 (1) b) GDPR on a contract with you and is carried out using automated procedures, you may request pursuant to Art. 20 (1) GDPR that the personal data stored about you be retained in a structured, common and machine-readable format or that it be transmitted to a third party designated by you.

In principle, you have the right not to be subjected to an automated individual decision in accordance with Art. 22 (1) GDPR. If an automated individual decision is permissible under Art. 22 (2) (a) to (c) GDPR, data subjects are granted the following rights under Art. 22 (3) GDPR: The right to express one’s own point of view, the right to object to the intervention of a person on the part of the controller, the right to challenge the automated individual decision (right of appeal).

In order to exercise your rights, you can send us an informal message to the following contact details. Please also address the withdrawal of your consent, stating which declaration of consent you wish to withdraw, to this contact data: datenschutz@ulrichmedical.com

Furthermore, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your personal data violates data protection regulations, Art. 77 GDPR. The supervisory authority responsible for us is:
The State Data Protection and Freedom-of-Information Officer of Baden-Württemberg
PO Box 10 29 32, 70025 Stuttgart
Königstrasse 10, 70173 Stuttgart
Telephone number: 07 11 / 61 55 41 – 0
Email address: poststelle@lfd.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de/

7. Website and services offered via the website

Below you will find an overview of the processing of your personal data associated with our website www.ulrichmedical.de and the services offered via the website, which is connected with the use of our website www.ulrichmedical.de and the services offered via the website.

7.1. Contact form, getting in touch, service / technical hotline

Categories of personal data and origin of the data:
You can get in touch with us using the contact details provided on the website. You will also find contact forms on our website. If you would like to contact us about this, we require the following details from you:

  • Form of address, academic title (optional)
  • Given names (mandatory)
  • The company, clinic, institution that you are a part of (mandatory)
  • Email address (mandatory)
  • Telephone number (mandatory)
  • Information about your query (type of query, product)
  • City (optional)
  • Country (optional)

Legal basis:
The legal basis for data processing is Art. 6 (1) (b), (f) GDPR: Implementation of pre-contractual measures at the request of the data subject, performance of a contract to which the data subject is a party, legitimate interest of the controller

Purposes:

  • Communication and data exchange
  • Contract initiation and execution
  • Execution of the business relationship existing between the responsible person and the customers/dealers

Legitimate interest of the controller:

  • Initiation and execution of contracts with customers/dealers
  • Standardization and simplification of communication
  • Optimization of operational processes and internal administration of our customer/dealer databases
  • Data security

Recipient (categories):
Access to your data is limited to the employees and service providers of the controller, who require the data for the above-mentioned purposes. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Your data will be stored in accordance with the legal retention periods after the end of its purpose (e.g. answering your query) and then deleted.

7.2. Requesting an offer for the 360° service

Categories of personal data and origin of the data:
You can request an individual and non-binding offer for our services from us. We require the following data for this:

  • Given names (optional)
  • The company, clinic, institution that you are a part of (mandatory)
  • Address (mandatory)
  • Email (mandatory)
  • Telephone number (optional)
  • Date, signature (optional)
  • Stamp of the clinic/institution
  • Information about the desired service and product

If the company / clinic / institution you belong to has already concluded a maintenance contract with us, you can also contact us using the contact details of the service / technical hotline. Please refer to Section 7.1 for this

Legal basis:
The legal basis for data processing is Art. 6 (1) (b), (f) GDPR: Implementation of pre-contractual measures at the request of the data subject, performance of a contract to which the data subject is a party, legitimate interest of the controller

Purposes:

  • Communication and data exchange
  • Contract initiation and execution
  • Execution of the business relationship existing between the responsible person and the customers/dealers

Legitimate interest of the controller:

  • Initiation and execution of contracts with customers/dealers
  • Standardization and simplification of communication
  • Optimization of operational processes and internal administration of our customer/dealer databases

Recipient (categories):
Access to your data is limited to the employees and service providers of the controller, who require the data for the above-mentioned purposes. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Offers, order confirmations or contracts (if the offer was accepted, it forms part of the contract) will be kept for 6 years after expiration of the purpose.

7.3. Events

Categories of personal data and origin of the data:
You can find out about events by clicking on https://www.ulrichmedical.de/veranstaltungsuebersicht/.

If you want to register for an event, you may have to switch to the websites of other operators and register directly with the provider. The respective operators of these websites or the organizers of the events are responsible for the content of their own privacy policies.

If you register for an event through us, we will ask you for the following data:

  • Name of the event (mandatory)
  • Title, if applicable (optional)
  • Given names (mandatory)
  • Company (mandatory)
  • Company address (mandatory)
  • Email (mandatory)
  • Telephone (optional)
  • Date, signature (mandatory)
  • Bank details, if applicable

Legal basis:
The legal basis for data processing is Art. 6 (1) (a), (b), (f) GDPR: Your consent, execution of the contract with you, legitimate interest of the responsible person.

Purposes:

  • Event management
  • Communication and data exchange
  • Contract initiation and execution
  • Execution of the business relationship existing between the responsible person and the customers/dealers
  • Ensuring the proper operation of a data processing system
  • Issue of certificates of participation, if applicable

Legitimate interest of the controller:

  • Initiation and execution of contracts with customers/dealers
  • Standardization and simplification of communication
  • Optimization of operational processes and internal administration of our customer/dealer databases
  • Data security
    Recipient (categories):
    Access to your data is limited to the employees and service providers of the controller who are responsible for organizing the event. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Your data will be deleted after it is not longer needed for the intended purpose. If the events are billable services, your data will be stored for as long as it is necessary to prove that the task has been completed in accordance with the order. Confirmations of participation issued by us are kept as commercial and business letters for a period of 6 years. Due to possible irregularities (e.g. with regard to training on medical devices, instructions as defined by the GefStoffV), longer retention periods may also apply.

7.4. Download function

Categories of personal data and origin of the data:
When downloading the documents made available to you under https://www.ulrichmedical.de/download/ the controller processes the following data:

  • Log data with information on access to the documents
  • Data of the persons recorded in the documents

Legal basis:
The legal basis for data processing is Art. 6 (1) (a), (b), (f) GDPR: Your consent, execution of the contract with you, legitimate interest of the responsible person.

Purposes:

  • Communication and data exchange
  • Contract initiation and execution
  • Execution of the business relationship existing between the responsible person and the customers/dealers
  • Ensuring the proper operation of a data processing system

Legitimate interest of the controller:

  • Initiation and execution of contracts with customers/dealers
  • Standardization and simplification of communication
  • Optimization of operational processes and internal administration of our customer/dealer databases
  • Data security

Recipient (categories):
Access to your data is limited to the employees and service providers of the controller who are responsible for organizing the event. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Log data is kept for 3 months from the date of its creation. The documents will be made public on the website until such time as consent is revoked and then they will be deleted, otherwise they will be deleted after they are no longer needed.

7.5. Newsletter and email advertising

Categories of personal data and origin of the data:
You can sign up to receive our newsletter on our website at https://up.ulrichmedical.de/home or under https://www.ulrichmedical.de/en. When doing so, the controller asks for the following data:

  • Email address

You can provide us with further data, but you do not have to do so:

  • Form of address, academic title, given names (optional information)
  • Company, department, job title position (optional)
  • Interest (contrast medium injectors, spinal systems, tourniquets)

If you register for our newsletter, we additionally collect the following data (newsletter usage analysis):

  • Usage data (time, number of clicks), see Section 7.9.
    To the extent permitted by law, we also use your data for email advertising.

Legal basis:
The legal basis for data processing is Art. 6 (1) (a) GDPR: Your consent.

In order to confirm your email address and your consent, you will receive a separate email after sending the registration form (confirmation mail). We will not register your consent until you have confirmed the activation link contained in this email (double opt-in procedure).

By confirming your registration under this activation link, you agree that we may send you, as the owner of this email address, the free newsletter with current information about our company, our products, promotions and events (product (training) and service information, sector-related trade fair and event invitations, other information relating to the company or its products and services, emails used for market and opinion research) approx. 10-12 times per year.
In addition, you consent to your usage data being collected and evaluated on a personal basis (newsletter usage analysis).

The legal basis for advertising by email is Art. 6 (1) (f) in conjunction with Recital 47 GDPR, § 7 (3) Unfair Competition Act.

Purposes:
Your email address and other personal data voluntarily provided by you will be used for the purpose of sending and personalizing the newsletter.

The collection of usage data enables us to evaluate the success of our newsletter campaigns by means of statistical evaluations and to optimize our newsletter in order, for example, to present you with topics and offers that are better suited to your interests.

Your data will be used for the purpose of sending and personalizing promotional emails.

This is to inform you of our additional services or products, such as those you have already purchased from us (e.g. via our online order form).

Our legitimate interest is to promote sales or demand amongst our existing customers.

Recipient (categories):
Access to your data is limited to the employees and service providers of the controller, who are used to operate the newsletter. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Right to object:
Naturally, you can object to the processing of your data for advertising purposes at any time with effect for the future, Art. 21 (2) GDPR, without incurring any costs other than the transmission costs according to the basic tariffs:
Email: datenschutz@ulrichmedical.com
Tel.: +49 (0) 731 9654-0

Storage period:
If you have not confirmed the activation link contained in the confirmation email within the first 2 weeks, your data provided via the registration form will be deleted.

Otherwise your data will be stored until the withdrawal of your consent.

Usage data for the newsletter usage analysis will not be stored for longer than 2 weeks to a maximum of 3 months.

If you withdraw your consent, we will remove your email from the newsletter distribution list so that the newsletter will no longer be sent to you and delete the remaining usage data collected on you.

You can revoke your consent to the creation of a personal user profile at any time via the profile editing form, which you can access via a link in the email footer of the newsletter.

Data records that prove the double opt-in procedure, and thus your data protection consent, will be kept together with this for 6 years after your withdrawal. During this time, however, your personal data will be blocked against further processing.

If you object to the use of your data for advertising purposes, we will remove your data from the email distribution list so that email advertising will no longer be sent to you.

Your objection will be retained for another 6 years. During this period, your personal data will however be blocked against any further processing for advertising purposes.

If you object to the use of your data for advertising purposes, we will remove your data from the email distribution list so that email advertising will no longer be sent to you.

Your objection will be retained for another 6 years. During this period, your personal data will however be blocked against any further processing for advertising purposes.

7.6. Job applicant selection procedure

Categories of personal data and origin of the data:
You can view our job offers and apply for a position with us accordingly by email or directly on our website under https://www.ulrichmedical.de/karriere via our application form. We process the following data for this:

  • Name details
  • Form of address
  • Email address or telephone number
  • Job number or position that you’re applying for
  • Your cover letter, curriculum vitae, relevant job references, certificates of professional qualifications and further training, school, university and vocational training certificates
  • Salary expectations/desired salary
  • Information from a job interview, if applicable
  • Current certificate of enrollment, if you are applying for a working student job
  • If you’re applying for an internship, please indicate the training period and area of training

Legal basis:
The legal basis for data processing is Art. 6 (1) (b) GDPR, § 26 German Federal Data Protection Act: Necessity of the decision on the establishment of an employment relationship, implementation of pre-contractual measures at the request of the data subject.

Purposes:

  • Applicant selection procedure, applicant selection management
  • Preparation of a contract
  • Communication and data exchange
  • Ensuring the functionality of the application form
  • Ensuring the proper operation of a data processing system
  • Data security

Recipient (categories):
Your application data will be received by the HR department and will only be forwarded to the department responsible for the respective position or to the persons in charge of the processing.

You can send us your application by email or via our application form. Please note that applications that you send us by email are sent unencrypted.

We use IT service providers for the secure transmission of your data via the application form to us.
Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
After the applicant selection process has been completed, your data will be kept for 3 months and then deleted, unless we have concluded an employment contract with you. If we include your application documents in our pool of applicants, we will inform you accordingly. When we let you know about this, you can actively agree to the further storage of your documents. Your consent will expire after 12 months at the latest and your data will then be deleted.

7.7. Online order form for ulrich medical products

Categories of personal data and origin of the data:
You can order ulrich medical products via our website. For this purpose, we will ask for the following data via our online order form:

  • Order date, order number (mandatory)
  • Names of customer and contact person (mandatory)
  • The company, clinic, institution that you are a part of (mandatory)
  • Customer number (optional)
  • Department (optional)
  • Delivery/billing address (mandatory)
  • Email address (mandatory)
  • Telephone number (mandatory)
  • Comments (optional)
  • Information about the product (item number, description, quantity, price etc.)

Legal basis:
The legal basis for data processing is Art. 6 (1) (b), (f) GDPR: Implementation of pre-contractual measures at the request of the data subject, performance of a contract to which the data subject is a party, legitimate interest of the controller.

Purposes:

  • Communication and data exchange
  • Contract initiation and execution
  • Execution of the business relationship existing between the responsible person and the customers/dealers

Legitimate interest of the controller:

  • Initiation and execution of contracts with customers/dealers
  • Standardization and simplification of communication
  • Optimization of operational processes and internal administration of our customer/dealer databases

If necessary, we may use your data to the extent permitted by law to inform you by email (even without your express consent) about additional services or products, such as those you have already purchased from us. You can find more information in Section 7.12.

Recipient (categories):
Access to your data is limited to the employees and service providers of the controller, who require the data for the above-mentioned purposes. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Offers, order confirmations or contracts (if the offer was accepted, it forms part of the contract) will be kept for 6 years after expiration of the purpose.

7.8. E-labeling platform

Categories of personal data and origin of the data:
You can download user manuals via the e-labeling platform. We only collect information about the download itself in this regard:
• Date
• Name of the manufacturer whose document has been downloaded
• Document key code
• Document UDI number
• Document reference number
• Document description
• Document name
• Document number
• Region
• Version and language

Legal basis:
The legal basis for data processing is Art. 6 (1) (b), (c) GDPR: Implementation of pre-contractual measures at the request of the data subject, performance of a contract to which the data subject is a party and fulfillment of legal obligations to which the controller is subject.

Purposes:

  • Communication and data exchange
  • Contract initiation and execution
  • Execution of the business relationship existing between the responsible person and the customers/dealers

If necessary, we may use your data to the extent permitted by law to inform you by email (even without your express consent) about additional services or products, such as those you have already purchased from us. You can find more information in Section 6.10

Recipient (categories): See section 6.1

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Offers, order confirmations or contracts (if the offer was accepted, it forms part of the contract) will be kept for 6 years after expiration of the purpose.

7.9. Cookies and webtracking

Categories of personal data and origin of the data:
The following cookies are used by us – provided you allow this and have not set one or more opt-out cookies – for the purpose described in more detail below:

You can set your browser so that it informs you about the placement of cookies. This makes the use of cookies transparent for you.

Legal basis:
The legal basis for data processing is Art. 6 (1) (c) in conjunction with Art. 32 and Art. 6 (1) (f) GDPR: Legitimate interest, legal obligation.

Cookies that are not technically necessary will only be set after your express consent, Art. 6 (1) (a) GDPR, which you can withdraw at any time. As part of our cookie information on our website you have agreed to the following declaration in this regard:
“In order to optimize our website for you and to be able to continuously improve it, we use cookies and tracking procedures. You can find more information about the cookies and web tracking procedures we use as well as your consent to these procedures in our privacy policy. However, cookies that are not technically necessary and our tracking software will only be activated after you have given your consent by clicking on “Allow all cookies” or selecting individual web tracking procedures and then “Allow selection”. You will find the storage period for each cookie listed in the cookie overview. You can also delete cookies in advance by making the appropriate settings in your browser or completely prevent cookies from being activated in the first place.”

Purposes:
Cookies that are technically necessary:

  • Checking the authorization of actions
  • Authentication of the requesting user of our services

Legitimate interest of the controller:

  • Securing our web server in order to defend against attacks, for example
  • Ensuring the functionality of our services.

Cookies that are not technically necessary:

  • Recognize user preferences and identify particularly popular areas of our services in order to optimize them.
  • Ensuring user-friendliness by facilitating navigation, better user guidance and individual performance presentation
  • Public image and advertising

Recipient (categories):
Access to your data is limited to the employees and service providers of the controller who are responsible for the operation of the website and tracking procedures. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
The transfer of data associated with the placement of Google/YouTube cookies to the USA as a third country without an adequate level of data protection is permitted by your consent within the cookie banner: I agree to the use of cookies, although I have been informed that the data will be transferred to the USA and I cannot sufficiently exercise my right to a legal hearing there according to European regulations and therefore an adequate level of data protection cannot be guaranteed.

Storage period:
You will find the storage period for each cookie listed in the cookie overview. You can also delete cookies in advance by making the appropriate settings in your browser or completely prevent cookies from being activated in the first place
If you completely exclude the use of cookies, you cannot use individual functions in our online portal – including the option of cookie-based opt-out from tracking. If necessary, please allow the opt-out cookies of the services for which you wish to prevent tracking.
Please also bear in mind that deleting all cookies will also delete opt-out cookies. You may therefore have to reset them. Cookies are also browser-bound, i.e. they must always be set separately for each browser you use on each device you use.

7.10. Website analysis with Matomo

Categories of personal data and origin of the data:
We use the Matomo tool to design our Internet presence (website, uPortal) according to your needs. This is a so-called web analysis service.
It transmits usage information to our web server and stores the:

  • IP address

This is only processed in abbreviated form and is therefore anonymized.

  • Cookie ID, see Section 6.9
  • Pseudo-anonymized location (based on the anonymized IP address
  • Date and time
  • Name of the site that has been called up
  • URL of the site that has been called up
  • URL of the site that was previously visited (as far as this is permitted)
  • Screen resolution
  • Local time
  • Files that were clicked and downloaded
  • External links
  • Duration of the page setup
  • Country, region, city (with less precision due to IP address)
  • Main language of the browser
  • User agent of the browser
  • Interactions with forms (but not their content)

Legal basis:
The legal basis for data processing is Art. 6 (1) (c) in conjunction with Art. 32 and Art. 6 (1) (f) GDPR: Legitimate interest, legal obligation.

If you wish to prevent your data from being processed for analysis purposes, you can object to this at any time by clicking on the cookie banner. In this case a so-called opt-out cookie without usage data is stored in your browser, which means that Matomo does not collect any session data.

Purposes:
Recording and analysis of the use of our website

Recipient (categories):
See section 6.1

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
See section 6.9

7.11. Security of our web server

Categories of personal data and origin of the data:
When you visit our website, we collect the following information for the security of our web server

  • Called up page of our web offer
  • IP address, shortened by the last three digits
  • Date and time the website was called up, type of end device used
  • Browser settings, operating system used
  • Language settings

Legal basis:
The legal basis for data processing is Art. 6 (1) (f), (c) in conjunction with Art. 32 GDPR: Legitimate interest of the controller, legal obligation

Purposes:

  • Checking the authorization of actions
  • Authentication of the requesting user of our services

Legitimate interest of the controller:

  • Securing our web server in order to defend against attacks, for example
  • Ensuring the functionality of our services.

Recipient (categories):
Access to your data is limited to the employees of the IT department and service providers of the controller, who are used for the above-mentioned purposes. Your data will also be stored in a commissioned data center.

Data transfers to third countries:
Data is not transferred to third countries.

Storage period:
Log files with IP addresses are stored for 7 days after the termination of the respective connection for the purpose of recognition, containment and elimination of faults or to detect misuse. If actual indications of an abuse case are established within the scope of the data analysis, the log files are kept in the concrete case for the preservation of evidence until the conclusion of the legal proceedings set in motion.

7.12. Profile pages on YouTube

Social network: YouTube
Controller with whom our ‘fan page’ is jointly operated (‘platform operator’):
Google LLC
1600 Amphitheatre Pkwy
Mountain View
CA, 94043 USA

Controller for data processing of persons living within the European Union/EEA and Switzerland:
Google Ireland Ltd.
Gordon House, Barrow Street, Dublin 4
Ireland

Data protection contact details:
Data protection contact details can be found in Section 3.
The data protection officer of the platform operator can be contacted via the following web form: https://support.google.com/policies/troubleshooter/7575787?hl=de

Categories of data subjects:
Visitors to our fan page who are registered in the social network as well as those who are not registered, possibly also website visitors. We inform the data subjects that they use YouTube and its functions on their own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, rating).

Categories of personal data:
Data that we process from non-registered visitors to our fan page:
Pseudonymous data such as statistics and insights into how our posts, pages, videos and other content interacts with our fan page (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements about ….
We are not able to link the pseudonymous data to the corresponding allocation feature (e.g. name details). This means it’s not possible for us to identify individual visitors, who therefore remain anonymous to us.

Data that we process from our website visitors:
By integrating the YouTube button (pure link) on our website, the IP addresses of our website visitors are not transmitted to the platform operator.
For more details, see Section 7.8

Data which the platform operator processes about the registered and non-registered visitors of our fan page as well as our website visitors, can be taken from the following link:
https://policies.google.com/privacy/update?hl=de&gl=de
The platform operator may use various analysis tools for evaluation.

We receive the data from the data subjects directly or from the platform operator.

Origin of the data:
The following link shows where the platform operator receives the data of the data subjects from: https://policies.google.com/privacy/update?hl=de&gl=de
We have no influence or effective means of controlling whether the procurement of data by the platform operator is permissible.

We process the data based on the following legal bases:
o Art. 6 (1) (a) GDPR: Consent of data subjects
o Art. 6 (1) (b) GDPR, if applicable: Fulfillment of a contract with the data subject or implementation of pre-contractual measures at the request of the data subject
o Art. 6 (1) (f) GDPR legitimate interest
o Simplification of communication and data exchange by complementing existing communication channels, such as the website, press releases, print products and events, with the fan page; promotion of sales of our products and services or of demand as well as recruitment of new talent through transparent presence and regular contributions to
o optimize our fan page

We only process special categories of personal data, if at all, on the following legal basis:
o Art. 9 (2) (a) GDPR: Consent of data subject

Art. 9 (2) (e) GDPR: The data subject has clearly made the personal data public

Legal basis of the data processing:
The legal basis on which the platform operator bases the data processing can be found on the following link:
https://policies.google.com/privacy/update?hl=de&gl=de

If the data subjects are tracked by collecting their data, whether by using cookies or comparable techniques or by storing their IP address, the platform operator will obtain the consent of the data subjects in advance. In particular, the platform operator is obliged to inform the data subject for what purposes and on what legal basis the first call up of a fan page generates entries in the so-called Local Storage, even for non-registered visitors, and whether the personal data of non-registered visitors (e.g. IP address or other data that condense into personal data) are also used to create profiles. We have no influence or effective means of controlling whether data processing is permitted by the platform operator.

We process the data for the following purposes:

  • Public image and advertising
  • Communication and data exchange
  • Event management
    Contract initiation and processing, if applicable

Purposes of data processing:
Information about the purposes for which the platform operator processes the data can be found on the following link: https://policies.google.com/privacy/update?hl=de&gl=de

We have no influence over the purposes for which the platform operator actually uses the data. We also have no effective means of controlling this.

Storing and deleting data is the duty of the platform operator. The information can be found on the following link: https://policies.google.com/privacy/update?hl=de&gl=de

Storage period:
We have no influence over how the platform operator determines the regular deletion periods and how the data is deleted. We also have no effective means of controlling this.

The only people who have access to the data processed by us are our employees and service providers who maintain our fan page and who require the data for the above-mentioned purposes. If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.

Categories of recipients:
The categories of recipients to whom the platform operator discloses the data or allows registered visitors to disclose their data, as well as information on intra-group data exchange, can be found on the following link: https://policies.google.com/privacy/update?hl=de&gl=de

We have no influence on the disclosure of data to individual recipients by the platform operator. We also have no effective means of controlling this.

If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.

Data transfers to third countries:
As part of the operation of our fan page, the data is also processed by Google LLC. The transfer of data associated with the placement of Google/YouTube cookies to the USA as a third country without an adequate level of data protection is secured by the conclusion of standard data protection clauses. However, we wish to expressly point out that currently in the USA your basic rights from Art. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (GRChr) are not adequately considered.

The platform operator will transfer the data to the United States, Ireland and any other country in which Google conducts business, regardless of the residence of the data subjects, and will store and otherwise process the data there. Related data transfers to third countries are secured by an adequacy decision of the EU Commission in accordance with Art. 45 GDPR or by suitable guarantees in accordance with Art. 46 GDPR:
https://policies.google.com/privacy/update?hl=de&gl=de

We have no influence over data transfers to third countries made by the platform operator. We also have no effective means of controlling this.

If the data subjects are tracked by the collection of their data, whether through the use of cookies or comparable techniques or through the storage of their IP address, the platform operator is obliged under the terms of the agreementwithin the meaning of Art. 26 (1) GDPR to provide them with information about this. In particular, the platform operator is obligated to inform the data subjects of the purposes and legal basis if, after calling up a subpage within our fan page, session cookies are stored with different lifetimes, among other things.
The information can be found on the following link:
https://policies.google.com/privacy/update?hl=de&gl=de
The platform operator may use various analysis tools for evaluation.

Logic and scope involved in a profiling or an automated individual decision based on the collected data
We have no influence over the use of these kinds of tools via the platform operator and have not been informed of any such potential use. If tools such as these are used by the platform operator for our fan page, we have neither commissioned nor supported this in any way. We are also not provided with the data obtained during the analysis. Furthermore, we have no way of preventing or stopping the use of such tools on our fan page, nor do we have any other effective means of controlling this.

The joint controllers must grant the data subjects various rights with regard to the processing of their data, which they can assert directly against the platform operator. The rights to which data subjects are entitled can be found in Section 6.
Rights of data subjects Subsequently, data subjects can assert their rights directly against the platform operator:
https://support.google.com/policies/troubleshooter/7575787?visit_id=636832497483186206-2169122297&hl=de&rd=2

Additional information on social networks and how data subjects can protect their data can also be found here: https://www.youngdata.de/

7.13. Profile pages on Xing and LinkedIn

Social network:
LinkedIn
Xing

We wish to point out that LinkedIn and Xing lare just a couple of the several options there are for contacting us or receiving information from us. Alternatively, the information provided on our LinkedIn account can also be accessed on our website.

The controller with whom our site is jointly operated (‘platform operator’):
LinkedIn Corporation,
1000 W. Maude Avenue Sunnyvale,
CA 94085 USA

Controller for data processing of persons living in the European Union (EU), the European Economic Area (EEA) and Switzerland:
LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2
Ireland

Data protection contact details: Data protection contact details can be found in Section 3.

The data protection officer of the platform operator can be contacted under the following online form https://www.linkedin.com/help/linkedin/ask/TSO-DPO or at the following address:
Jonathan Adams
Senior Privacy Counsel
LinkedIn Corporation
Legal Department – Privacy
1000 W. Maude Ave.
Sunnyvale, California 94085

Categories of data subjects:
Visitors to our site who are registered in the social network as well as those who are not registered, possibly also website visitors
We wish to inform the data subjects of the fact that they use Xing and LinkedIn and their functions on their own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, rating).

Categories of personal data:
Data that we process from registered visitors to our fan page:
User ID or user name under which the data subjects have registered, approved profile data (name, email address, telephone number), ProFinder profile data, education, professional experience, salary expectations, photo, location data, knowledge and confirmation of knowledge, professional achievements (e.g. issue of a patent, professional recognition, projects), including, if applicable, special categories of personal data, data arising from the sharing of content, the exchange of messages and communication, data required in the context of the preparation and execution of contracts upon request of registered visitors, other data and content published, provided, distributed, posted or uploaded freely by the data subjects on LinkedIn or via their LinkedIn account.
Apart from this, we only process pseudonymous data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided on it (page activities, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are not able to link the pseudonymous data to the corresponding allocation feature (e.g. name details). This means it’s not possible for us to identify individual visitors, who therefore remain anonymous to us.

Data that we process from non-registered visitors to our fan page:
Pseudonymous data such as statistics and insights into how our fan page, posts, pages, videos and other content interacts with our fan page (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, town, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are not able to link the pseudonymous data to the corresponding allocation feature (e.g. name details). This means it’s not possible for us to identify individual visitors, who therefore remain anonymous to us.

We are not able to link the pseudonymous data to the corresponding allocation feature (e.g. name details). This means it’s not possible for us to identify individual visitors, who therefore remain anonymous to us.

Data that we process from our website visitors:
By integrating the LinkedIn button (pure link) into our website, the IP addresses of our website visitors are not transferred to the platform operator.

Data that the platform operator processes about the registered and non-registered visitors of our fan page can be found by clicking the following link:
https://www.linkedin.com/legal/privacy-policy
The platform operator may use various analysis tools for evaluation.

We have no influence over the use of these kinds of tools via the platform operator and have not been informed of any such potential use. If tools such as these are used by the platform operator for our fan page, we have neither commissioned nor supported this in any way. We are also not provided with the data obtained during the analysis. Furthermore, we have no way of preventing or stopping the use of such tools on our fan page, nor do we have any other effective means of controlling this.

Origin of the data:
We receive the data from the data subjects directly or from the platform operator.

Where the platform operator receives the data of the data subjects can be seen from the following link: https://www.linkedin.com/legal/privacy-policy

Origin of the data:
We receive the data from the data subjects directly or from the platform operator.

Where the platform operator receives the data of the data subjects can be seen from the following link:
https://privacy.xing.com/de/datenschutzerklaerung

We have no influence or effective means of controlling whether the procurement of data by the platform operator is permissible.

Legal basis of the data processing:
We process the data based on the following legal bases:

  • Art. 6 (1) (a) GDPR: Consent of data subjects
  • Art. 6 (1) (b) GDPR, if applicable: Fulfillment of a contract with the data subject or implementation of pre-contractual measures at the request of the data subject
  • Art. 6 (1) (f) GDPR legitimate interest
    o Simplification of communication and data exchange by complementing the existing communication channels, such as website, press releases, print products and events, with the fan page
    o Promotion of the sales of our products and services or the demand as well as the recruitment of young talents by transparent presence and regular contributions to
    o optimize our fan page

The legal basis on which the platform operator bases the data processing can be found on the following link: https://www.linkedin.com/legal/privacy-policy

If the data subjects are tracked by collecting their data, whether by using cookies or comparable techniques or by storing their IP address, the platform operator will obtain the consent of the data subjects in advance. In particular, the platform operator is obliged to inform the data subject for what purposes and on what legal basis the first call up of a fan page generates entries in the so-called Local Storage, even for non-registered visitors, and whether the personal data of non-registered visitors (e.g. IP address or other data that condense into personal data) are also used to create profiles. We have no influence or effective means of controlling whether data processing is permitted by the platform operator.

Purposes of data processing
We process the data for the following purposes:

  • Public image and advertising
  • Communication and data exchange
  • Event management
  • Contract initiation and processing, if applicable

Information about the purposes for which the platform operator processes the data can be found on the following link: https://www.linkedin.com/legal/privacy-policy

We have no influence over the purposes for which the platform operator actually uses the data. We also have no effective means of controlling this.

Storage period:
Storing and deleting data is the duty of the platform operator. The information can be found on the following link: https://www.linkedin.com/legal/privacy-policy

We have no influence over how the platform operator determines the regular deletion periods and how the data is deleted. We also have no effective means of controlling this.

Categories of recipients:
The only people who have access to the data processed by us are our employees and service providers who maintain our fan page and who require the data for the above-mentioned purposes. If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.

The categories of recipients to whom the platform operator discloses the data or allows registered visitors to disclose their data, as well as information on intra-group data exchange, can be found on the following link: https://www.linkedin.com/legal/privacy-policy

We have no influence on the disclosure of data to individual recipients by the platform operator. We also have no effective means of controlling this.

Data transfers to third countries:
If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.

If you are located within the European Union, the European Economic Area or Switzerland, LinkedIn Ireland Unlimited Company (“LinkedIn Ireland”) will be the controller of your personal information that provides our services, is collected for or by our services or is processed in connection with them. As part of the operation of our fan page, the data is also processed by LinkedIn Corporation. The associated data transfer to the USA as a third country is currently carried out without an adequate level of data protection due to technical necessity of the data partially retrieved in the USA. Please be aware that due to the decision of the European Court of Justice on the invalidity of the privacy shield, the data transfer to the USA may not provide a sufficient level of data protection, which is why we are currently working on a solution. If you nevertheless call up our fan page, we wish to expressly point out that currently in the USA your basic rights from Art. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (GRChr) are not adequately considered.

The platform operator will transfer the data to the United States, Ireland and any other country in which the platform operator conducts business, regardless of the residence of the data subjects, and store and otherwise process the data there.
Related data transfers to third countries are secured by an adequacy decision of the EU Commission in accordance with Art. 45 GDPR or by suitable guarantees in accordance with Art. 46 GDPR:
https://www.linkedin.com/legal/privacy-policy
https://www.linkedin.com/help/linkedin/answer/62533?trk=microsites-frontend_legal_privacy-policy&lang=de
https://privacy.linkedin.com/de-de/dsgvo

We have no influence over data transfers to third countries made by the platform operator. We also have no effective means of controlling this.

Logic and scope involved in a profiling or an automated individual decision based on the collected data:
If the data subjects are tracked by collecting their data, be it by using cookies or comparable techniques or by saving the IP address, the platform operator is obliged to inform them about this. The information can be found by clicking on the following links:
https://www.linkedin.com/legal/privacy-policy
https://www.linkedin.com/legal/cookie-policy
https://www.linkedin.com/help/linkedin/answer/3566?trk=microsites-frontend_legal_privacy-policy&lang=de
https://www.linkedin.com/help/linkedin/answer/68763?trk=microsites-frontend_legal_privacy-policy&lang=de
The platform operator may use various analysis tools for evaluation.

We have no influence over the use of these kinds of tools via the platform operator and have not been informed of any such potential use. If tools such as this be used by the platform operator for our fan page, we have neither commissioned nor approved nor supported this in any way. We are also not provided with the data obtained during the analysis. Furthermore, we have no way of preventing or stopping the use of such tools on our fan page, nor do we have any other effective means of controlling this.

Rights of data subjects:
The joint controllers must grant the data subjects various rights with regard to the processing of their data, which they can assert directly against the platform operator. The rights to which data subjects are entitled can be found in Section 6.

Data subjects can find information on the available personalization and data protection settings here (with additional references):
https://privacy.linkedin.com/de-de/faq
https://privacy.linkedin.com/de-de/einstellungen

Additional information on social networks and how data subjects can protect their data can also be found here: https://www.youngdata.de/

The supervisory authority responsible for the platform operator is:
Data Protection Commission
21 Fitzwilliam Square, Dublin 2
D02 RD28, Ireland
Web address: https://www.dataprotection.ie/docs/Contact-us/b/11.htm
Web address: http://gdprandyou.ie/contact-us/

New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany
Data protection contact details: Data protection contact details can be found in Section 3.

Data protection contact details: Data protection contact details can be found in Section 3.

The data protection officer of the platform operator can be contacted under the following online form https://www.xing.com/settings/privacy/data/disclosure or at the following address:

Xing SE
Dammtorstrasse 30
20354 Hamburg
Germany
Tel.: +49 40 419 131-0
Fax: +49 40 419 131-11
E-mail: info@xing.com

Categories of data subjects:
Visitors to our site who are registered in the social network as well as those who are not registered, possibly also website visitors
We wish to inform the data subjects of the fact that they use Xing and LinkedIn and their functions on their own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, rating).

Categories of personal data:
Data that we process from registered visitors to our fan page:
User ID or username under which the data subjects have registered, approved profile data (name, email address, telephone number), education, professional experience, salary expectations, photo, location data, knowledge and confirmation of knowledge, professional achievements (e.g. issue of a patent, professional recognition, projects), including, if applicable, special categories of personal data, data arising from the sharing of content, the exchange of messages and communication, data required in the context of the preparation and execution of contracts at the request of registered visitors, other data and content published, provided, distributed, posted or uploaded freely by the data subjects on LinkedIn or via their LinkedIn account.
Apart from this, we only process pseudonymous data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided on it (page activities, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements.
We are not able to link the pseudonymous data to the corresponding allocation feature (e.g. name details). This means it’s not possible for us to identify individual visitors, who therefore remain anonymous to us.

Data that we process from non-registered visitors to our fan page:
Pseudonymous data such as statistics and insights into how our fan page, posts, pages, videos and other content interacts with our fan page (page activity, page views, “Like” information, reach, general demographic, location and interest-related information on age, gender, country, city, town, language), evaluations of the success and background of our advertisements, other analyses and measurements.

Data that we process from our website visitors:
By integrating the Xing button (pure link) on our website, IP addresses of our website visitors are not transferred to the platform operator.

Data that the platform operator processes about the registered and non-registered visitors of our fan page can be found by clicking the following link:
https://privacy.xing.com/de/datenschutzerklaerung
The platform operator may use various analysis tools for evaluation.

We have no influence over the use of these kinds of tools via the platform operator and have not been informed of any such potential use. If tools such as these are used by the platform operator for our fan page, we have neither commissioned nor supported this in any way. We are also not provided with the data obtained during the analysis. Furthermore, we have no way of preventing or stopping the use of such tools on our fan page, nor do we have any other effective means of controlling this.

Origin of the data:
We receive the data from the data subjects directly or from the platform operator.

Where the platform operator receives the data of the data subjects can be seen from the following link:
https://privacy.xing.com/de/datenschutzerklaerung

We have no influence or effective means of controlling whether the procurement of data by the platform operator is permissible.

Legal basis of the data processing:
We process the data based on the following legal bases:

  • Art. 6 (1) (a) GDPR: Consent of data subjects
  • Art. 6 (1) (b) GDPR, if applicable: Fulfillment of a contract with the data subject or implementation of pre-contractual measures at the request of the data subject
  • Art. 6 (1) (f) GDPR legitimate interest
    o Simplification of communication and data exchange by complementing the existing communication channels, such as website, press releases, print products and events, with the fan page
    o Promotion of the sales of our products and services or the demand as well as the recruitment of young talents by transparent presence and regular contributions to
    o optimize our fan page

We only process special categories of personal data, if at all, on the following legal basis:

  • Art. 9 (2) (a) GDPR: Consent of data subject
  • Art. 9 (2) (e) GDPR: The data subject has clearly made the personal data public

The legal basis on which the platform operator bases the data processing can be found on the following link:
https://privacy.xing.com/de/datenschutzerklaerung

If the data subjects are tracked by collecting their data, whether by using cookies or comparable techniques or by storing their IP address, the platform operator will obtain the consent of the data subjects in advance. In particular, the platform operator is obliged to inform the data subject for what purposes and on what legal basis the first call up of a fan page generates entries in the so-called Local Storage, even for non-registered visitors, and whether the personal data of non-registered visitors (e.g. IP address or other data that condense into personal data) are also used to create profiles. We have no influence or effective means of controlling whether data processing is permitted by the platform operator.

Purposes of data processing
We process the data for the following purposes:

  • Public image and advertising
  • Communication and data exchange
  • Event management
  • Contract initiation and processing, if applicable

Information about the purposes for which the platform operator processes the data can be found on the following link:
https://privacy.xing.com/de/datenschutzerklaerung

We have no influence over the purposes for which the platform operator actually uses the data. We also have no effective means of controlling this.

Storage period:
Storing and deleting data is the duty of the platform operator. The information can be found on the following link: https://privacy.xing.com/de/datenschutzerklaerung

We have no influence over how the platform operator determines the regular deletion periods and how the data is deleted. We also have no effective means of controlling this.

Categories of recipients:
The only people who have access to the data processed by us are our employees and service providers who maintain our fan page and who require the data for the above-mentioned purposes. If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.

The categories of recipients to whom the platform operator discloses the data or allows registered visitors to disclose their data, as well as information on intra-group data exchange, can be found on the following link: https://privacy.xing.com/de/datenschutzerklaerung

We have no influence on the disclosure of data to individual recipients by the platform operator. We also have no effective means of controlling this.

Data transfers to third countries:
If the data subjects post their data publicly on our fan page, these data can be accessed by other registered (and possibly also non-registered) visitors.

The platform operator will transfer the data to the United States and any other country in which the platform operator conducts business, regardless of the residence of the data subjects, and will store and otherwise process the data there.
Related data transfers to third countries are secured by an adequacy decision of the EU Commission in accordance with Art. 45 GDPR or by suitable guarantees in accordance with Art. 46 GDPR:

https://privacy.xing.com/de/datenschutzerklaerung/wer-erhaelt-daten-zu-ihrer-person/drittlaender

We have no influence over data transfers to third countries made by the platform operator. We also have no effective means of controlling this.

Logic and scope involved in a profiling or an automated individual decision based on the collected data:
If the data subjects are tracked by collecting their data, be it by using cookies or comparable techniques or by saving the IP address, the platform operator is obliged to inform them about this. The information can be found by clicking on the following links:
https://privacy.xing.com/de/datenschutzerklaerung
The platform operator may use various analysis tools for evaluation.

We have no influence over the use of these kinds of tools via the platform operator and have not been informed of any such potential use. If tools such as this be used by the platform operator for our fan page, we have neither commissioned nor approved nor supported this in any way. We are also not provided with the data obtained during the analysis. Furthermore, we have no way of preventing or stopping the use of such tools on our fan page, nor do we have any other effective means of controlling this.

Rights of data subjects:
The joint controllers must grant the data subjects various rights with regard to the processing of their data, which they can assert directly against the platform operator. The rights to which data subjects are entitled can be found in Section 6.

Data subjects can find information on the available personalization and data protection settings here (with additional references):
https://privacy.xing.com/de/datenschutzerklaerung

Additional information on social networks and how data subjects can protect their data can also be found here: https://www.youngdata.de/

The supervisory authority responsible for the platform operator is:
The Hamburg State Data Protection and Freedom-of-Information Officer
Ludwig-Erhard-Str 22, 7. OG
20459 Hamburg
Web address: https://datenschutz-hamburg.de/pages/kontakt/

7.14. Online portal uPortal

Our online portal uPortal has its own privacy policy, which you can find at https://up.ulrichmedical.de. Users of the uPortal can find this at https://up.ulrichmedical.de/datenschutz/.