Data Privacy

Institute Dr. Schrader

Privacy Policy of Institutes Dr. Schrader

The following information is intended to clearly explain to you how our company handles your data when you visit this website and how we have implemented the legislative requirements.

For a better understanding and overview, we have provided a table of contents to make it easier for you to find individual explanations and pieces of information.

Contents

I. Introduction/Overview

II. Scope of application

III. Definitions

1. Personal data

2. Data subject

3. Processing

4. Restriction of processing

5. Profiling

6. Pseudonymisation

7. Filing system

8. Controller

9. Processor

10. Recipient

11. Third party

12. Consent

13. Personal data breach

14. Cookies

15. IP address

16. Browser

17. Referrer URL

IV. Controller and data protection officer

1. Controller of Institutes Dr. Schrader

2. Data Protection Officer

V. General information

VI. Data collection and storage

1. Collection of general data and information when using our website

2. Contact by email

3. Contact via the contact form

VII. Cookies

VIII. Integration of third-party services and contents

1. Integration of Google Maps

2. Use of Google Analytics with anonymisation function

IX. Data protection during the application process

X. Transfer of data to third parties

XI. SSL and/or TLS encryption

XII. Existence of automated decision-making

XIII. Rights of data subjects

1. Right of access

2. Right to rectification

3. Right to erasure

4. Right to restriction of processing

5. Notification obligation

6. Right to data portability

7. Right to object

8. Right to withdraw the declaration of consent to data processing

9. Automated individual decision-making including profiling

10. Right to lodge a complaint with a supervisory authority

XIV. Amendments to our Privacy Policy

I. Introduction/Overview

Data protection has always been an important issue. Data protection makes it possible to protect the personal rights and/or other rights of every single individual from being adversely affected through the handling of their personal data.

Every company needs and processes data in order to exist in the first place.

Unfortunately, the ever more extensive digital networking also increases the risk of data abuse.

As a rule, however, it is not the companies collecting, storing or processing data that need to be protected.

Rather, every single individual needs to be protected from data abuse and, in particular, the resulting violation of their personal rights.

For this reason, data protection has always been a top priority of our institutes.

Ensuring maximum protection of your data is not only our ambition, but also required by law.

Our data protection practices are always in line with the applicable laws.

The statutory provisions for data protection are set forth in particular in the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).

We have initiated and implemented numerous, both technical and organisational, measures to ensure the comprehensive protection of your personal data.

This Privacy Policy as well as the explanations and information provided below are intended to provide you with detailed and comprehensible information as to why, when, where, how and for what purposes we collect and process personal data.

In addition, we would like to inform you about your related rights as the data subject.

Hence, the explanations provided below inform you about the extent to which we collect and process personal data during the use of our website as well as your related rights.

For a better understanding, this Privacy Policy is structured into individual sections with headings. The subjects of the individual sections are already evident from the headings.

In addition, we have dedicated a separate section to the definition of terms used in the laws as well as other terms we think not everybody is familiar with in order to make it easier for you to understand this Privacy Policy and to enable you to look up the terms at any time.

In the individual sections, we have also added references to numerous terms, showing where the corresponding explanation or definition of the term can be found so that it can be quickly looked up.

Furthermore, we have specifically stated in the individual sections the legal basis that entitles us to collect and process the corresponding personal data.

Moreover, we have also stated in the individual sections the purpose and, where possible, the duration of processing.

We have also pointed out in the individual sections your specific rights in connection with the corresponding data processing.

Additionally, your rights, including the corresponding statutory provisions, are once again listed in a separate section so that you can find out about your rights at any time without having to search the individual sections.

If you consider the information and explanations provided below to be insufficient or difficult to understand despite our efforts, our Data Protection Officer (cf. IV.2) and/or our other staff members are at your disposal at any time for further questions, suggestions, criticism, etc.

The contact details are provided in both this Privacy Policy and our Imprint.

II. Scope of application

This website is operated by Institutes Dr. Schrader. The term “Institutes Dr. Schrader” is an umbrella term that refers to our individual institutes and not an independent company with its own legal capacity.

Institutes Dr. Schrader consist of the following individual companies:

1) Institut Dr. Schrader Ancopharm

2) Institut Dr. Schrader Beratungslabor

3) Institut Dr. Schrader Creachem GmbH

4) Institut Dr. Schrader Hautphysiologie

5) Institute Dr. Schrader International GmbH.

Each of the above-listed institutes is an independent company with its own legal capacity.

Therefore, this Privacy Policy applies to our entire website / Internet presence and thus to all of the above-listed institutes / individual companies.

Further information on the individual institutes, such as legal form, representation, contact details, etc. is provided in our Imprint.

 

III. Definitions

As already pointed out above, the statutory provisions on data protection are set forth in particular in the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).

You can find the most recent versions of the aforementioned laws under the following links:

– General Data Protection Regulation (GDPR): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG

– Federal Data Protection Act (BDSG): https://dejure.org/gesetze/BDSG

– Telemedia Act (TMG): https://www.gesetze-im-internet.de/tmg/

This Privacy Policy meets the requirements and guidelines of the aforementioned laws. Therefore, we also use definitions and terms used in these laws in this Privacy Policy. In addition, we use terms from computer language and the IT sector.

For a better understanding, we would like to first define and explain the most important terms used. These definitions are also used in the laws, in particular in the General Data Protection Regulation (GDPR). In the definitions and explanations provided below, we have therefore also stated the corresponding statutory provisions in which these definitions are stipulated, where possible.

1. Personal data (cf. Article 4 (1) GDPR)

Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Data subject (cf. Article 4 (1) GDPR)

Data subject means any identified or identifiable natural person whose personal data are processed.

3. Processing (cf. Article 4 (2) GDPR)

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Restriction of processing (cf. Article 4 (3) GDPR)

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

5. Profiling (cf. Article 4 (4) GDPR)

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

6. Pseudonymisation (cf. Article 4 (5) GDPR)

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

7. Filing system (cf. Article 4 (6) GDPR)

Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

8. Controller (cf. Article 4 (7) GDPR)

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

9. Processor (cf. Article 4 (8) GDPR)

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

10. Recipient (cf. Article 4 (9) GDPR)

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

11. Third party (cf. Article 4 (10) GDPR)

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

12. Consent (cf. Article 4 (11) GDPR)

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

13. Personal data breach (cf. Article 4 (12) GDPR)

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

14. Cookies

Cookies are data sets that are installed on the user’s computer by a web server. When a connection is established again, they are sent back to the web server installing the cookie with the goal of recognising the user and their settings. It is a file created locally on the user’s computer that assigns a certain identity – consisting of numbers and letters – to the user.

Whether or not cookies are classified as personal data depends on the technical design of the cookies.

If the cookie merely stores a randomly generated number-letter combination on the user’s computer, the user cannot be identified. Allocation is only possible in possession of additional information as to which combination was stored on which computer. When merely using cookies with exclusively random elements, the operators of websites do not possess such additional information.

If the operator integrates the user’s name and email address in a cookie, the user has regularly provided the operator with the corresponding information and has thus disclosed their identity, for example by creating a customer/user profile, placing an order on the company’s website, using an email box of the operator, participating in surveys on the website and the like. The user’s system can be programmed in such a way that this additionally acquired information is integrated in the cookie’s identification combination. If the user’s name or email address is integrated in the cookie, the user can be identified. The cookie is then classified as personal data.

Furthermore, a combination of cookies and IP addresses is possible as well. In this case, the operator of the visited website stores IP addresses and relates them to the specific cookies right away, i.e. the operator stores in a database which cookie was allocated to which IP address. For the user to be identified, the website operator has to be able to allocate the IP address to a specific user without a disproportionate amount of time, expense and labour.

Most cookies used are usually deleted at the end of the respective browser session (so-called session cookies). Other cookies remain on the computer and enable the operator of the respective website to recognise the user the next time they visit the website (so-called permanent cookies).

Cookies usually serve to make the visit to a website more attractive and to enable the use of certain functions.

Every user can set their browser to inform them of the installation of cookies. This way, the use of cookies is transparent to the user.

Of course, the respective user can also set their browser to reject the installation of cookies on their computer or to delete already installed cookies.

To this end, you have to first open the browser you use, such as Internet Explorer, Firefox, etc. Under the heading “privacy settings”, you can block cookies and/or make other cookie settings.

You can also find more detailed information in the privacy policy of your respective browser provider.

15. IP address

An IP address is an address in computer networks that – just like the Internet – is based on the Internet Protocol (IP). It is assigned to devices which are connected to the network, thereby making the devices addressable and thus reachable. The IP address may refer to a single receiver or a group of receivers. Conversely, a computer can have several IP addresses assigned to it.

The IP address is used predominantly to be able to transport data from their sender to the intended recipient.

16. Browser

Browsers are special computer programmes that serve to display websites on the Internet (World Wide Web) or documents and data in general.

17. Referrer URL

Referrer URL refers to the website on the Internet from which the user was redirected to the current website or file.

IV. Controller and data protection officer

At this point, we would like to inform you about the controller (as defined in III. 8) and the data protection officer of the individual institutes listed below.

1. Controller of Institutes Dr. Schrader

Institut Dr. Schrader Ancopharm, Max-Planck-Straße 6, 37603 Holzminden, owner Dr. Andreas Schrader, ibid., controller: Dr. Andreas Schrader

Institut Dr. Schrader Beratungslabor, Max-Planck-Straße 6, 37603 Holzminden, owner Dr. Andreas Schrader, ibid., controller: Dr. Andreas Schrader

Institut Dr. Schrader Creachem GmbH, Max-Planck-Straße 6, 37603 Holzminden, represented by Managing Director Dr. Andreas Schrader, ibid., controller: Institut Dr. Schrader Creachem GmbH, represented by Managing Director Dr. Andreas Schrader

Institut Dr. Schrader Hautphysiologie, Max-Planck-Straße 6, 37603 Holzminden, owner Dr. Andreas Schrader, ibid., controller: Dr. Andreas Schrader

Institute Dr. Schrader International GmbH, Max-Planck-Straße 6, 37603 Holzminden, represented by Managing Director Dr. Andreas Schrader, ibid., controller: Institute Dr. Schrader International GmbH, represented by Managing Director Dr. Andreas Schrader

Each of the above-listed institutes can be reached as follows:

Tel: +49(0)55319313-0

Fax: +49(0)55319313-500

Email: info@schrader-institute.de

Website: www.schrader-institute.de.

Further information on this is also provided in our Imprint.

2. Data Protection Officer

The Data Protection Officer of all institutes listed in IV.1 is:

Dr. Heiko Nerenz

Max-Planck-Straße 6

37603 Holzminden

Tel: +49(0)55319313-0

Fax: +49(0)55319313-500

Email: datenschutz@schrader-institute.de

Website: www.schrader-institute.de

If you have any questions and suggestions concerning data protection, you can directly contact our above-named Data Protection Officer.

V. General information

As a rule, you can use our website without having to disclose personal data.

However, if you wish to make use of special services offered by our company, for example as customer, prospective customer, test subject, business partner, etc., the processing of your personal data may become necessary.

This is the case, in particular, if you contact us via the contact form provided on our website or by email.

In this context, we would like to expressly point out that, despite us having taken all technically feasible security measures, data transfer over the Internet may involve gaps and we are therefore unable to guarantee absolute protection.

For this reason, you can also send us personal data via alternative communication channels, such as email or fax. For the various contact options, please read our Imprint or ask us personally.

VI. Data collection and storage

Although our website can generally be used without disclosing personal data, data are collected and stored every time you access our website. In addition, you have the opportunity to contact us via our contact form or by email.

At this point, we would like to explain to you what data are collected and processed, the legal basis that entitles us to do so, the purpose, the duration of storage as well as your related rights.

1. Collection of general data and information when using our website

Information is collected and stored automatically every time our website is accessed. Specifically, the following information and data are collected and stored:

– Name of the website

– File

– Date

– Time

– Data volume

– Web browser and web browser version

– Operating system

– The domain name of your Internet provider

– The so-called referrer URL

– The IP address

The above-listed data and information are automatically transmitted to us by your browser. This information is general and does not allow any conclusions as to your identity; this means that you stay anonymous. These data and information are not associated with any other data sources. However, we reserve the right to subsequently check this information, also referred to as server log files, if we become aware of specific indications of unlawful use or if we are legally required by third parties to do so. This data collection serves to display the contents of this website as well as statistical purposes. In particular, the collection of these data helps us optimise the technology. Hence, the collection of the above-listed data is absolutely essential.

The legal basis for the aforementioned data collection is point (f) of Article 6 (1) GDPR.

As a rule, these data are stored for the period of 7 days and then deleted, unless we are legally required by third parties to continue storing these data and/or there are specific indications of unlawful use.

The collection and storage of these data is absolutely essential for the provision and operation of our website. Therefore, there is no right of objection and/or deletion.

2. Contact by email

You can contact us at any time by email. When you contact us by email, your email address, your name and any other personal data you provide are stored automatically. These personal data, which you provide on a voluntary basis, are stored for the purpose of processing your request and/or contacting you. These personal data will not be passed on to third parties.

The legal basis for this data collection is point (f) of Article 6 (1) GDPR. If the email contact is aimed at entering into a contract, the legal basis for the processing is additionally point (b) of Article 6 (1) GDPR.

These data will be deleted once they are no longer necessary to achieve the purpose for which they were collected. This is the case once the respective email communication with the user is completed. The communication is completed once it can be inferred from the circumstances that the issue in question has been conclusively settled.

You can withdraw your consent to the processing of personal data at any time. This means that when you contact us by email, you can object to the storage of your personal data at any time. In this case, the communication cannot be continued. You can withdraw your consent without having to observe any formal requirements, i.e. you can send your withdrawal directly to our Data Protection Officer and/or one of our other staff members by email, by fax, etc. The corresponding contact details are provided in both this Policy and our Imprint.

If you withdraw your consent, all personal data which have been stored by us in the course of the communication will be deleted.

3. Contact via the contact form

You can also contact us via the contact form provided on our website.

When you contact us via the contact form, the personal data you provide are stored automatically. Specifically, the following data are stored:

– Company

– First name

– Last name

– Email

– Street, house number

– Postcode, city

– Phone number

– Fax number

The personal data collected can also be seen in the input mask of our contact form.

These personal data, which you provide on a voluntary basis, are stored for the purpose of processing your request and/or contacting you. However, these personal data will not be passed on to third parties.

The legal basis for this data collection is point (f) of Article 6 (1) GDPR. If the contact via the contact form is aimed at entering into a contract, the legal basis for the processing is additionally point (b) of Article 6 (1) GDPR.

These data will be deleted once they are no longer necessary to achieve the purpose for which they were collected. This is the case once the respective communication with the user, which then regularly takes place via email, is completed. The communication is completed once it can be inferred from the circumstances that the issue in question has been conclusively settled.

You can withdraw your consent to the processing of personal data at any time. This means that when you contact us by email, you can object to the storage of your personal data at any time. In this case, the communication cannot be continued. You can withdraw your consent without having to observe any formal requirements, i.e. you can send your withdrawal directly to our Data Protection Officer and/or one of our other staff members by email, by fax, etc. The corresponding contact details are provided in both this Policy and our Imprint. If you withdraw your consent, all personal data which have been stored by us in the course of the communication will be deleted.

VII. Cookies

We use cookies on our website (as defined in III. 14).

VIII. Integration of third-party services and contents

We have integrated third-party services in our website to make our website more attractive and to expand the range of services offered.

1. Integration of Google Maps

Our website uses the Google Maps service. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function.

Google Maps is a component of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Every time the “Google Maps” component integrated by us is accessed, Google sets a cookie (as defined in III.14) to process user settings and user data while displaying the website on which the “Google Maps” component is integrated.

This cookie is usually not deleted after closing the browser, but will expire after a certain period of time, unless you delete it manually beforehand.

If you do not agree to this processing of your data, you can deactivate the “Google Maps” service and thereby prevent the transfer of data to Google. To this end, you have to deactivate the JavaScript function in your browser. However, you should be aware that in this case you will not be able to use “Google Maps” or only to a limited extent.

The use of “Google Maps” and the information obtained via “Google Maps” is subject to Google’s Terms of Service, https://policies.google.com/, as well as the additional Terms and Conditions for “Google Maps”, https://www.google.com/intl/de_US/help/terms_maps/. This applies irrespective of whether Google provides a user account to which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly allocated to your account.

If you do not wish your data to be allocated to your Google profile, you have to log out from your Google account before using the “Google Maps” component. Google stores your data as user profiles and uses them for the purpose of advertising, market research and/or to adapt its website to your needs. Such an evaluation is conducted, in particular (and even for users who are not logged in), to display appropriate advertising and to inform other users of the social network of your activities on our website. You have the right to object to the creation of these user profiles. To exercise this right, you have to contact Google, where you can also obtain further information on your related rights and setting options to protect your privacy.

Google also processes your personal data in the U.S. and has submitted to the EU-US Privacy Shield: https://www.privacyshield.gov.

2. Use of Google Analytics with anonymisation function

This website uses Google Analytics, a web analytics service of the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses so-called cookies (as defined in III. 14). These cookies are stored on your computer and enable us to analyse your use of our website.

The information generated by these cookies, such as the time, place and frequency of your visits to the website, including your IP address, is transferred to and stored by Google in the U.S.

Our website uses Google Analytics with an IP anonymisation function. In this case, your IP address is shortened and thereby anonymised by Google already within member states of the European Union or in other contracting states to the Agreement on the European Economic Area.

Google will use this information for the purpose of evaluating your use of our website, compiling website activity reports for us and providing further services relating to website and Internet use. Google may also transfer this information to third parties, if this is required by law or insofar as third parties process these data on Google’s behalf.

According to the information provided by Google, Google will by no means associate your IP address with any other data held by Google. You can prevent the installation of cookies by making the appropriate setting in your browser software; however, you should be aware that in this case you may not be able to use all functions of this website to their full extent.

Furthermore, Google offers a deactivation function for the most common browsers, which gives you more control over the data collected and processed by Google. If you activate this function, no information concerning the visit to the website will be transmitted to Google Analytics. However, the activation will not prevent the transmission of information to us or to other web analytics services used by us. For more information on the deactivation option provided by Google as well as on the activation of this option, please follow the link below: https://tools.google.com/dlpage/gaoptout?hl=de.

IX. Data protection during the application process

We offer the option of sending us applications by email.

Please note that we are unable to encrypt the contents of email communication. We use the STARTTLS transport encryption and the Perfect Forward Secrecy encryption technique. Applications can also be sent by post or handed over personally.

We collect, store and process the personal data of applicants for the purpose of processing the applications.

If we enter into an employment contract with an applicant, we will store the data provided in the course of the application process for the purpose of performing the employment contract in compliance with the statutory provisions.

If we do not enter into an employment contract with the applicant, the application documents will be deleted 6 months after notifying the applicant of our negative decision, unless this conflicts with our other legitimate interests, such as the burden of proof in legal proceedings.

The legal basis for this is point (f) of Article 6 (1) GDPR as well as point (b) of Article 6 (1) GDPR.

You can withdraw your consent to the processing of personal data at any time. This means that when you send us your application by email, you can object to the storage of your personal data at any time. In this case, the communication cannot be continued, i.e. your application cannot be processed either, the consequence being that an employment contract may not be concluded. You can withdraw your consent without having to observe any formal requirements, i.e. you can send your withdrawal directly to our Data Protection Officer and/or one of our other staff members by email, by fax, etc. The corresponding contact details are provided in both this Policy and our Imprint.

If you withdraw your consent, all personal data which have been stored by us in the course of the application process will be deleted, unless this conflicts with our other legitimate interests, such as the burden of proof in legal proceedings.

X. Transfer of data to third parties

We will not pass on your personal data to third parties, except where we inform you of such transfer.

Our IT service provider has access to the data stored by us to eliminate any defects and to enable us to take the required technical and organisational measures.

The legal basis for this is point (f) of Article 6 (1) GDPR as well as point (b) of Article 6 (1) GDPR. Our IT service provider has been carefully selected and commissioned in writing. The service provider is bound by our instructions and is monitored on a regular basis. The service provider will not pass on these data to third parties.

Apart from the cases explained in this Privacy Policy, we will only pass on data to third parties without the user’s express consent if we are required to do so by law or an administrative or court order.

The collection and storage of these data is absolutely essential for the operation and maintenance of our entire IT system. Therefore, there is no right of objection and/or deletion.

XI. SSL and/or TLS encryption

This website uses SSL and/or TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries you send to us, i.e. the website operator.

You can recognise an encrypted connection by the address bar of your browser changing from http:// to https:// and by the padlock symbol in your browser address bar.

If the SSL and/or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

XII. Existence of automated decision-making

As a responsible company, we do not use automated decision-making or profiling.

XIII. Rights of the data subject

The rights of the data subject are very important to us. They are one of the key elements of the statutory provisions, which is why we would like to particularly emphasise them at this point. We have dispensed with describing these rights in the information provided above. In our opinion, the rights of the data subject must be presented in a separate section in order to ensure that the corresponding rights can be found and looked up easily at any time.

The rights of the data subject are expressly set forth in the General Data Protection Regulation (GDPR). They are governed by Articles 12 to 23 of the General Data Protection Regulation (GDPR).

Specifically, the data subject has the following rights:

1. Right of access (cf. Article 15 GDPR)

Each data subject has the right to obtain from us, i.e. the controller, confirmation as to whether or not personal data concerning him or her are being processed by us (referred to as right to confirmation). The information must be provided free of charge.

If that is the case, you have the right to obtain from us the following information pursuant to Article 15 GDPR:

(1) the purposes of the processing;

(2) the categories of personal data concerned;

(3) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(4) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(6) the right to lodge a complaint with a supervisory authority;

(7) where the personal data are not collected from the data subject, any available information as to their source;

(8) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Furthermore, the data subject has the right to obtain information as to whether personal data are or have been transferred to a third country or to an international organisation. In this context, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

If the data subject intends to exercise this right of access, they can contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

2. Right to rectification (cf. Article 16 GDPR)

Each data subject has the right to obtain from us, i.e. the controller, without undue delay the rectification and/or completion of personal data, insofar as the personal data concerning him or her are inaccurate or incomplete. If rectification and/or completion is requested from us, we must comply with the request without undue delay.

If a data subject intends to exercise this right to rectification and/or completion, they can contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

3. Right to erasure (“right to be forgotten”) (cf. Article 17 GDPR)

Each data subject has the right to obtain from us, i.e. the controller, the erasure of personal data concerning him or her without undue delay where one of the following grounds applies, insofar as the processing is not necessary:

(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(2) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing;

(3) the data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR;

(4) the personal data have been unlawfully processed;

(5) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(6) the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

Where we, i.e. the controller, have made the personal data public and are obliged pursuant to Article 17 (1) GDPR to erase the personal data, we, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

However, the right to erasure cannot be exercised to the extent that processing is necessary:

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with points (a) and (i) of Article 9 (2) GDPR as well as Article 9 (3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in Article 17 (1) GDPR (right to erasure) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5) for the establishment, exercise or defence of legal claims.

If a data subject intends to exercise this right to erasure, they can contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

4. Right to restriction of processing (cf. Article 18 GDPR)

Each data subject has the right to obtain from us, i.e. the controller, restriction of processing where one of the following applies:

(1) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(4) the data subject has objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where the processing of personal data concerning you has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where processing has been restricted according to the aforementioned conditions, we will inform you before the restriction of processing is lifted.

If one of the aforementioned conditions is met and a data subject wishes to restrict the processing of personal data stored by us, the data subject can contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

5. Notification obligation (cf. Article 19 GDPR)

If you have exercised the right to rectification, erasure or restriction of processing against us, i.e. the controller, we are obliged to communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about these recipients.

If you wish to exercise this right, you can contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

6. Right to data portability (cf. Article 20 GDPR)

Each data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, i.e. us, in a structured, commonly used and machine-readable format. In addition, each data subject has the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided, where:

(1) the processing is based on consent pursuant to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR; and

(2) the processing is carried out by automated means.

In exercising this right, the data subject also has the right to have the personal data transmitted directly from one controller to another, where technically feasible. However, this is subject to the condition that the rights and freedoms of other persons are not adversely affected thereby.

However, this right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, i.e. us.

If a data subject intends to exercise this right to data portability, they can contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

7. Right to object (cf. Article 21 GDPR)

Each data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions.

We, i.e. the controller, will no longer process the personal data, unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where the personal data are processed for direct marketing purposes, each data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, the data subject, on grounds relating to his or her particular situation, also has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, each data subject may exercise his or her right to object by automated means using technical specifications.

To exercise the right to object, the data subject can also directly contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

8. Right to withdraw the declaration of consent to data processing (cf. Article 21 GDPR)

Each data subject has the right to withdraw his or her consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise this right, the data subject can also directly contact our Data Protection Officer (as defined in IV.2) and/or one of our other staff members. The corresponding contact details are provided in both this Policy and our Imprint.

9. Automated individual decision-making including profiling (cf. Article 22 GDPR)

Each data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This does not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(3) is based on the data subject’s explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Article 9 (1) GDPR, unless point (a) or (b) of Article 9 (2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), we, i.e. the controller, implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority (cf. Article 51 ff GDPR)

Without prejudice to any other administrative or judicial remedy, each data subject has the right to lodge a complaint with the competent supervisory authority in the event of infringements of the data protection regulations. The competent supervisory authority for data protection issues is the State Commissioner for Data Protection of the federal state in which our institutes have their registered office, i.e. the State Commissioner for Data Protection of Lower Saxony. The State Commissioner for Data Protection of Lower Saxony can be reached as follows:

Prinzenstraße 5, 30159 Hannover

Tel: +49(0)511-120 4500

Fax: +49(0)511-120 4599

The supervisory authority with which the complaint has been lodged informs the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

XIV. Amendments to our Privacy Policy

We reserve the right to amend our Privacy Policy at any time in order to ensure that it always meets the latest statutory provisions. This also applies in the event that new or changed services necessitate adaptation of the Privacy Policy. The new Privacy Policy then becomes effective the next time you visit our website.
