Data Protection Policy
Controller:
Dr. med. dent. Susanne Münch
Hindenburgstraße 26
91054 Erlangen
Telephone Number: 09131 / 26949
Last Update: 25.05.2018
1. Basic Information on Data Processing and the Legal Basis thereof
1.1. This data protection policy provides information on the form, scope and purpose of the processing of personal data that occurs in our online content and the websites, the functions and the content associated therewith (hereinafter collectively referred to as "online content" or "website"). This data protection policy applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online content is provided.
1.2. The terms used herein, such as "personal data" or their "processing", refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
1.3. The personal data of users processed within the scope of this online content include usage data (e.g., visited websites belonging to our online content, interest in our products).
1.4. We only process personal user data in compliance with the relevant data protection provisions. This means that user data will only be processed in cases where there is an applicable statutory authorisation to do so, in particular in cases where data processing is necessary, or required by law, for the provision of our contractual services (e.g. for processing orders) and of our online content, where a user has given their consent, or on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation and security of our online content within the meaning of Art. 6 para. 1 point f. GDPR, in particular for coverage measurement, the creation of profiles for advertising and marketing purposes, the collection of access data and the use of third-party services.)
1.5. Please note that the legal basis for consent is Art. 6 para. 1 point (a) and Art. 7 GDPR; the legal basis for data processing with regard to the fulfilment of our services and the carrying out of contractual measures is Art. 6 para. 1 point (b) GDPR; the legal basis for data processing with regard to the fulfilment of our legal obligations is Art. 6 para. 1 point (c) GDPR; and the legal basis for data processing in order to protect our legitimate interests is Art. 6 para. 1 point (f) GDPR.
2. Security Measures
2.1. We employ state-of-the-art organisational, contractual and technical security measures in order to ensure that the provisions of data protection laws are observed and thus to protect the data we process against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.
2.2. These security measures include in particular the encrypted transmission of data between your browser and our server.
3. The Transfer of Data to Third Parties and Third-Party Providers
3.1. Data will only be transferred to third parties within the framework of statutory requirements. We will transfer user data to third parties only if, for example, this is necessary on the basis of Art. 6 para. 1 point (b) GDPR for contractual purposes, or on the basis of legitimate interests pursuant to Art. 6 para. 1 point (f) GDPR relating to the economical and effective operation of our business operations
3.2. To the extent that we employ subcontractors to provide our services, we will take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
3.3. To the extent that, in the context of this data protection policy, contents, tools or other means provided by other providers (hereinafter collectively referred to as "third-party providers") are used and the provider’s declared registered office is located in a third country, it is to be assumed that a data transfer occurs to the countries in which the third-party providers have their registered office. Third countries are understood to be countries in which the GDPR is not directly applicable law, i.e. in principle countries outside the EU or the European Economic Area. The transfer of data to third countries occurs in cases where there is an appropriate level of data protection, or where user consent is given, or otherwise where statutory authorisation is available.
4. Provision of Contractual Services
4.1. We process basic data (e.g., names and addresses as well as contact data of users), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 point (b) GDPR.
5. Contacting Us
5.1. When we are contacted (via contact form or e-mail), the user's details will be processed in order to handle and carry out the contact request in accordance with Art. 6 para. 1 point (b) GDPR.
6. Collection of Access Data and Log File
6.1. On the basis of our legitimate interests within the meaning of Art. 6 para. 1 point (f) GDPR, we collect data on every access to the server on which this service is located (known as "server log files"). Access data includes the name of the accessed website, the accessed file, the date and time of access, the transferred data volume, the notification of successful access, the browser type and version, the user's operating system, the referer URL (the previously visited page), the IP address and the requesting provider.
6.2. Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of seven days and is then deleted. Data that requires further storage for evidentiary purposes are excluded from deletion until the respective incident is definitively resolved.
7. The Integration of Third-Party Services and Content
7.1. In our online content, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online content within the meaning of Art. 6 para. 1 point f. GDPR) we use the contents or services provided by third parties, in order to incorporate their content and services, such as videos or fonts (hereinafter collectively referred to as "contents"). This always necessitates the third-party providers of these contents detecting a user’s IP address, as without the IP address they could not send the content to the user’s browser. The IP address is thus required for the display of these contents. We make every effort to use only those contents the respective providers of which use the IP address only for the delivery of the contents. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Information, such as visitor traffic on the pages of this website can be evaluated by means of "pixel tags". The pseudonymous information may also be stored in cookies on the user's device and may include, among other things, technical information on the browser and operating system, referring websites, time of access and other information about the use of our online content, and may also be linked with such information from other sources.
7.2. DThe following provides an overview of third-party providers and their contents, together with links to their data protection policies, which contain further information on the processing of data and, as already mentioned here in some cases, opt-out options:
- External fonts by Google, Inc., www.google.com/fonts ("Google Fonts"). The integration of Google Fonts takes place via a server call to Google (usually in the USA). Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- External code of the JavaScript framework "jQuery", provided by the third-party provider jQuery Foundation, https://jquery.org.
8. User Rights
8.1. Users have the right, upon request and free of charge, to obtain information on the personal data pertaining to them that we have stored.
8.2. In addition, users have the right to correct inaccurate data, to limit processing and to have their personal data deleted, and, if applicable, to assert their rights to data portability and, in the event of the assumption of unlawful data processing, to file a complaint with the competent supervisory authority.
8.3. Users may also revoke their consent, generally with effect for the future.
9. The Deletion of Data
9.1. The data stored with us will be deleted as soon as it is no longer required for its intended purpose and there are no legal storage obligations preventing deletion. To the extent that the user's data are not deleted because they are necessary for other and legally permissible purposes, their processing is restricted. In other words, the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained by reason of commercial or tax law.
9.2. In accordance with statutory requirements, storage shall be for 6 years in accordance with § 257 (1) of the German Commercial Code (Handelsgesetzbuch - HGB) (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, receipts, etc.) and for 10 years in accordance with § 147 (1) of the German Fiscal Code (Abgabenordnung - AO) (account books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).
10. The Right to Object
In accordance with the statutory requirements, users may object to the future processing of their personal data at any time. In particular, the objection may be directed against processing for the purposes of direct marketing.
11. Changes to the Data Protection Policy
11.1. We reserve the right to change the data protection policy in order to adapt it to changed legal situations, or to changes in service and changes in data processing. However, this only applies with regard to declarations on the processing of data. Insofar as user consent is required or parts of the data protection policy contain provisions within the remit of the contractual relationship with the users, changes can only be made with the user’s consent.
11.2. Users are requested to regularly inform themselves on the content of the data protection policy.