This Privacy Notice informs you about the processing of personal data in connection with our website, https://www.winkgen.de
- Name and contact details of those responsible for the data processing
- General Information
- The scope of the processing of personal data
- Legal basis for the processing of personal data
- Data recipients, data transfer to third party countries
- Duration of processing, deletion or blocking of personal data
- Data processing when visiting our website
- Server log files
- Contact via e-mail
- Registration on our Website
- Social plugins
- Other third party services
- Rights of the data subject
- Right to information and confirmation
- Right to rectification
- Right to limit the processing operation
- Right to cancellation
- Right to data transferability
- Right to withdraw consent under data protection law
- Right of appeal to the competent supervisory authority
- Right to object
- Data security
- Up-to-dateness, status and changes
1. Name and contact details of those responsible for the data processing
Winkgen Medical Systems GmbH & Co. KG
Telephone: +49 (0) 6441 / 381437
2. General Information
With regard to the terminology used in this privacy notice, we refer to the definitions in Art. 4 GDPR.
b. The scope of the processing of personal data
When visiting our website, we only process personal data of our users as far as the processing of the data is authorized by legal regulations (e.g. as far as this is necessary to provide a functional website as well as our contents and services).
c. Legal basis for the processing of personal data
Whenever we process personal data after previously obtaining the consent of the data subject, Art. 6 para. 1 lit. a GDPR constitutes the legal basis. In the processing of personal data which is necessary for the fulfilment of a contract to which the data subject is a contracting party or for the implementation of pre-contractual measures which take place at the request of the data subject, Art. 6 para. 1 lit. b GDPR serves as the legal basis. Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. If the processing of personal data is necessary to safeguard the legitimate interests of our company or of a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former, Art. 6 para. 1 lit. f GDPR serves as the legal basis. Hereafter we will mention the precise legal basis in regard to each processing activity.
d. Data recipients, data transfer to third party countries
As part of the operation of our website, we work together with external service providers who provide us with technical support and process personal data for us, bound by instructions in the context of a commissioned data processing relationship (e.g. Hoster). Compliance with the data protection regulations is thereby ensured. Should we transfer personal data to third parties beyond such commissioned data processing relationships, we will point this out in the following information. We will only transfer your personal data to third parties for the purposes stated in this privacy notice and only if there is a legal basis for the transfer.
Insofar as we transfer personal data to a third party country for processing, this will only take place if a transfer is legally permitted and in compliance with the regulations of Art. 44 ff. GDPR; in this case we will point this out in the following information.
e. Duration of processing, deletion or blocking of personal data
We essentially process personal data only for the time necessary to achieve the respective purpose. Thereafter, the personal data will be deleted or blocked unless there is a legal basis for further processing (e.g. an obligation to retain data due to legal record retention periods).
3. Data processing when visiting our website
a. Server log files
Scope and purpose of data processing
When visiting our website, the following information is automatically sent to the server of our website by the browser used on the user’s device. This information is temporarily stored in a so-called server log file until it is automatically deleted:
- Browser type and version used and operating system of your device
- Name of your access provider
- Date and time of access
- Name and URL of the website from which the access takes place (so-called referrer URL)
- Name and URL of the website that is accessed
- IP address of the requesting device (the address is disguised)
The temporary storage of the above-mentioned information is carried out for the purpose of transmitting the contents of our website to the user’s device and to allow their correct display.
Legal basis for the data processing
The legal basis for the processing of data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest in the processing of data lies in the above-mentioned purposes. A merging of this data with other personal data of the user will not take place. The acquisition and temporary storage of this data in server log files is absolutely necessary for the operation of our website; therefore, the user has no right to object in this regard.
Duration of storage
The personal data will be deleted from the server log files after a maximum of 10 days.
Purpose and legal basis of data processing
Some elements of our website require that the visiting browser can also be identified after a page has been changed (log-in information, language settings). For this purpose we set technically necessary cookies for the functionality of our website. The data collected through these cookies is not used to create user profiles. The legal basis is Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in the provision of our website and the related functions.
Duration of storage
The cookies used consist of so-called Session Cookies, which are deleted at the end of the browser session.
You can set your browser to refuse cookies in certain cases or generally, and to delete cookies automatically when you close the browser (for more information, see the help pages for Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Internet Explorer). If cookies are disabled, the functionality of this website may be limited.
c. Contact via e-mail
Scope and purpose of data processing
When a contact is made by e-mail, the sender’s personal data transmitted with the e-mail (in particular name, e-mail address, message content, IP address, date and time) are stored and, if necessary, processed to handle the request.
Legal basis for the data processing
The legal basis for the data processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the aforementioned purpose. Insofar as the purpose of the contact is aimed at the conclusion or fulfilment of a contract with us, Art. 6 para. 1 lit. b GDPR constitutes an additional legal basis.
Duration of storage
The data will be deleted as soon as they are no longer necessary for the purpose of their collection, that is, when the respective communication with the user has ended. It is terminated when the circumstances suggest that the matter in question has been finally clarified. Furthermore, storage may occur insofar as this is necessary within the context of a (pre)contractual relationship or for the fulfilment of legal obligations (e.g. legal retention obligations).
d. Registration on our website
It is possible to register on our website by providing personal data (user name and e-mail address) and create a user account for the integrated ticket system in order to use its functions on our website.
Scope and purpose of data processing
In the context of registration, the data entered (user name, e-mail address) including the date and time of registration and the user’s IP address are stored.
The processing of the personal data is carried out for the setup and administration of the user account, through which the user can track his activities on our website and access and manage the data stored in connection with the user account, as well as for the determination of the user’s identity and communication with the user in the event of illegal conduct.
Legal basis for the data processing
The processing of personal data is based on the consent of the user; the legal basis is Art. 6 para. 1 lit. a GDPR. After performing the registration, we will send an e-mail to the e-mail address provided in order to complete the registration process; through the link contained therein, the registration can be confirmed. If confirmation does not occur within 24 hours, the registration data will be deleted.
Duration of the storage
The data associated with the user account is stored by us as long as you are registered on our website. For registered users there is the possibility to personally change or (completely) delete the provided data.
e. Social plugins
We use social plugins on our website in order to make ourselves and our website better known through these, and to render these and our offers more user-friendly and appealing. The plugins are only incorporated into our website in the form of a link. This means that no data is transferred to the respective providers when our website is simply visited. By clicking on one of the buttons, you will be directed to the offer of the respective social networks and you can share the content, like or similar. If at the time of using a plugin you are logged in to your account of the respective network, the social network can – after clicking the button – match your visit to our website and the page you visited to your account. The respective provider is responsible for this data processing. If you use the function of the plugin, the corresponding information is transmitted to the social network, stored and, if necessary, according to function, published on your page of the network. If you are not logged into your account, by clicking on the button you will access the login mask of the social network to be able to share the content after successfully logging in. In this case, your browser will transmit data (including your IP address) to the social network, even if you are not registered or logged in. The hereby transmitted information assigned to your browser could be assigned to your account at a later time when you register or log in. If you do not wish this to happen, before clicking the button you must log out of the respective network and delete the cookies from the device used. We use social plugins of the following providers:
Facebook is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). For further information on the purpose and scope of data collection and the further use of data through Facebook on their website and your rights and setting options for the protection of your privacy, please consult Facebook’s privacy notice: https://www.facebook.com/policy.php. You can find further information regarding this at https://de-de.facebook.com/about/privacyshield
LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). For further information on the purpose and scope of data collection and further use of the data through LinkedIn on their website and your rights and settings options for the protection of your privacy, please consult LinkedIn’s privacy notice: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
f. Other third party services
We include third party services on our website in order to optimise our website, to guarantee a needs-based layout, to increase user-friendliness and to prevent misuse of our website. The legal basis for this is Art. 6 para. 1 lit. f GDPR; in the purposes mentioned above lies our legitimate interest. In order for the contents of the third party providers to be displayed on the browser of the user’s device, it is always necessary that the IP address of the user is transmitted to the respective provider. Below is a summary of the third party services we use:
i. Google Maps
On this website, we use a Google Maps API, a mapping service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Through Google Maps, we provide users with an interactive map which allows a better localisation of our site. Furthermore, we use the autocomplete function, which makes it easier for users to enter their address data in the ordering process through automatic completion or automatic location suggestions, reduces the risk of input errors and therefore ensures a smooth order process.
When visiting the subpages on which functions of Google Maps are incorporated, as well as when using these functions, the information of the user in connection with the use of our website and the incorporated Google service (e.g. IP address of the user, device/browser information, accessed URL) is transmitted to Google. If you have a Google user account and are logged in to it, Google can assign this data to your user account. You can avoid this by logging out of your Google user account. Google stores the data (even those of users who are not logged in) in user profiles and processes this data for its own purposes (e.g. personalised advertising, market research).
Personal data may be transmitted to the servers of Google LLC. in the USA. Insofar as data processing takes place in the USA, we would like to inform you that Google LLC. is subject to the data protection agreement between the European Union and the USA, the Privacy Shield Agreement, by which the company is obliged to comply with the provisions and requirements of European data protection law. You can find further information regarding this at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
For further information about the purpose and scope of the data collection and further use of the data through Google and your rights and settings options to protect your privacy, please consult the Google Privacy Notice: https://www.google.com/policies/privacy. Adjustments to Google’s display of advertising can be made at https://adssettings.google.com/authenticated
ii. Google ReCaptcha
This website uses reCAPTCHA, a captcha service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), to protect our website from spam and misuse. This service is used to distinguish whether our contact forms are being used correctly by a physical person or improperly by an automated software. For this purpose, the IP address and, if necessary, other data (e.g. the URL visited on our website) are transmitted to Google’s servers. Insofar as you are logged in to your Google user account when you visit a page on which Google Recaptcha is used, Google can match your surfing behaviour to your user account if necessary. You can avoid this by logging out of your user account on Google. The legal basis is Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in protecting our website from spam and misuse. It may occur that personal data is transferred to the servers of Google LLC. in the USA. Insofar as data processing takes place in the USA, we would like to inform you that Google LLC. is subject to the data protection agreement between the European Union and the USA, the Privacy Shield Agreement, by which the company is obliged to comply with the provisions and requirements of European data protection law. For further information about the purpose and scope of the data collection and further use of the data through Google and your rights and settings options to protect your privacy, please consult the Google Privacy Notice: https://www.google.com/policies/privacy.
iii. Google Analytics
Google is certified under the Privacy Shield Agreement and hereby offers a guarantee to comply with the European data protection law. (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf to evaluate the use of our online offer by users, to collect reports on the activities within this online service and to provide us with further services connected with the use of this online service and the use of the Internet. Pseudonymous user profiles of the users can therefore be created from the processed data. We only use Google Analytics with activated IP anonymisation. This means that the IP address of the user is abbreviated by Google within Member States of the European Union or in other Contracting States of the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transferred to a Google server in the USA and abbreviated there.
The IP address transmitted by the user’s browser is not combined with other data from Google. Users can avoid the storage of cookies by appropriately setting their browser software; users can additionally avoid the collection of data generated by the cookie and data related to their use of the online service to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
You can find further information on data use by Google, settings and appeal procedures on Google’s websites:
https://www.google.com/intl/de/policies/privacy/partners (“Use of data by Google when using websites or apps of our partners”),
https://policies.google.com/technologies/ads (“Use of data for advertising purposes”),
https://adssettings.google.com/authenticated (“Manage information that Google uses to display advertising to you”).
We send newsletters, e-mails and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients or a legal permission. Insofar as in the context of a registration for the newsletter its contents are specifically described, they are decisive for the consent of the users. Furthermore, our newsletters contain information about our services and us.
To register to our newsletters, it is generally sufficient to provide your e-mail address. We may, however, request a name in order to address you personally in the newsletter, or other details if these are necessary to carry out the purposes of the newsletter.
Double opt-in procedure: The registration to our newsletter is always performed with a so-called double opt-in procedure. This means that after registration you will receive an e-mail inviting you to confirm your registration. This confirmation is necessary so that nobody can register with e-mail addresses belonging to others. The registrations to the newsletter are recorded in order to be able to demonstrate that the registration process is in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Similarly, any changes to your data stored by the dispatch service provider are also recorded.
The deletion and restriction of the processing: We may store unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to demonstrate a previously given consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, as long as at the same time the former existence of a consent is confirmed. In case of obligations to permanently respect objections, we reserve the storage of the e-mail address solely for this purpose in a banned list (so-called “blacklist”).
The recording of the registration procedure is based on our legitimate interests for the purpose of demonstrating its correct execution. If we commission a service provider with the sending of e-mails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Information on the legal basis: The dispatch of newsletters is based on the consent of the recipients or, if consent is not necessary, on our legitimate interests in direct marketing, if and to the extent it is permitted by law, e.g. in the case of advertising to existing customers. Insofar as we commission a service provider with the sending of e-mails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests in order to demonstrate that it has been carried out in accordance with the law.
Content: Information about us, our services, products, actions and offers.
Performance measurement: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a mailing service provider, from their server. In the context of this retrieval, first of all technical information is collected, such as information on the browser and your system, as well as your IP address and the time of the retrieval.
This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behaviour on the basis of their retrieval locations (which are determinable with the help of the IP address) or the access times. This analysis also includes the determination of whether the newsletters are opened, when they are opened and which links are clicked. This information can be associated to the individual newsletter recipients for technical reasons. It is neither our intention nor, if used, that of the dispatch service provider to observe individual users. These analyses rather serve us to detect the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users.
The analysis of the newsletter and the performance measurement are carried out, subject to the express consent of the users, on the basis of our legitimate interests for the purpose of the use of a user-friendly and secure newsletter system, which serves our business interests and corresponds to the expectations of the users.
A separate revocation of the performance measurement is unfortunately not possible. In this case, the entire newsletter subscription must be cancelled or objected to.
Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).
Persons concerned: communication partners.
Purposes of the processing: direct marketing (e.g. by e-mail or by post).
Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Option to object (opt-out): You can cancel the reception of our newsletter at any time, i.e. revoke your consent or object to further receipt. You can find a link to cancel the newsletter either at the end of each newsletter or you may use one of the contact options indicated above, preferably e-mail.
Used services and service providers:
Mailchimp: e-mail marketing platform;
Service Provider: “Mailchimp” – Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA;
Privacy Notice: https://mailchimp.com/legal/privacy/;
Privacy Shield (the guarantee of the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active.
4. Rights of the data subject
If personal data regarding you are processed, you are a data subject according to the GDPR and you are entitled to the following rights:
a. Right to information and confirmation
Every data subject of the processing of personal data has the right, in accordance with Art. 15 GDPR, to receive free of charge from the person responsible for the processing information on the personal data stored about him or her and a copy of this information, as well as the following information:
- the purposes of the processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the scheduled duration for which the personal data will be stored or, if that is not possible, the criteria for the determination of this duration;
- the existence of a right of correction or deletion of personal data relating to them or the right to limit processing by the person responsible or the right of objection to such processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data is not collected from the data subject: all available information on the origin of the data;
- the existence of automated decision-making, including profiling, in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved as well as the scope and intended effects of such processing on the data subject.
Furthermore, the data subject has a right of information about whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject furthermore has the right to be informed of the appropriate guarantees in relation to the transfer. In addition, every person has the right to require confirmation from the person responsible for the processing if related personal data are being processed.
b. Right to rectification
Every person concerned with the processing of personal data has the right, under Art. 16 GDPR, to request the controller to rectify incorrect personal data immediately. Taking into account the purposes of the processing, the data subject shall have the right to completion of incomplete personal data, also by means of providing a supplementary statement.
c. Right to limit the processing operation
Every person concerned with the processing of personal data has the right under Art. 18 GDPR to request the controller to limit the processing if one of the following conditions applies:
- the accuracy of the personal data is contested by the data subject, for a period of time which allows the controller to verify the accuracy of the personal data,
- the processing is illegal, the data subject refuses to have the personal data deleted and instead requires the limitation of the use of the personal data,
- the controller no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise or defend legal claims, or
- the data subject has objected to the processing in accordance with Article 21 para. 1, as long as it is not certain whether the legitimate reasons of the controller outweigh those of the data subject.
d. Right to cancellation
Every person concerned with the processing of personal data has the right according to Art. 17 GDPR to require that the controller immediately deletes the related personal data if one of the following reasons applies:
- the personal data are no longer necessary for the purposes for which they were collected or in any other way processed.
- the data subject revokes the consent on which the processing was based according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and there is no alternative legal basis for the processing.
- the data subject places an objection against the processing under Art. 21 para. 1 GDPR and there are no alternative legal grounds for the processing, or the data subject places an objection against the processing under Art. 21 para. 2 GDPR.
- the personal data was processed illegally.
- the cancellation of the personal data is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the person responsible is subject.
If the personal data are made public by us and we, as controllers, are obliged to delete them in accordance with Art. 17 para. 1 of the GDPR, we will take appropriate measures, including technical measures, taking into consideration the available technology and the implementation costs, to inform others responsible for the data processing, who process the published personal data, that the data subject has requested these other controllers to delete all links to this personal data or copies or replications of such personal data.
The right to delete and our obligation to inform others responsible for the data processing regarding the data subject’s request for deletion does not apply insofar as the processing is necessary:
- to exercise the right to freedom of expression and information;
- to fulfil a legal obligation which requires the processing under EU or Member State law to which the controller is subject;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right mentioned in Art. 17 para. 1 GDPR is likely to render impossible or seriously impair the achievement of the objectives of such processing, or
- to assert, exercise or defend legal claims.
e. Right to data transferability
Every person concerned by the processing of personal data has the right under Art. 20 GDPR to receive the relevant personal data provided by the data subject to a controller in a structured, standard and machine-readable format, and has the right to transfer such data to another controller without interference from the controller to whom the personal data was supplied, provided that
- the processing is based on the consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract in accordance with Art. 6 para. 1 lit. b GDPR and
- the processing is performed using automated procedures.
This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller. Furthermore, the data subject, when exercising his or her right to data transferability in accordance with Art. 20 para. 1 GDPR, has the right to have the personal data transferred directly from one controller to another controller, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other persons.
f. Right to withdraw consent under data protection law
Every person concerned by the processing of personal data has the right in accordance with Art. 7 para. 3 GDPR to revoke his or her consent to the processing of personal data at any time. The revocation may be made, for example, by e-mail to the e-mail address given in Section 1. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
g. Right of appeal to the competent supervisory authority
In the case of violations of data protection law, the data subject has a right of appeal to the competent supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority in matters of data protection law is the State Data Protection Officer of the Federal State in which we have our registered office. A list of the data protection officers and their contact details can be obtained from the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
h. Right to object
Every person affected by the processing of personal data has the right under Art. 21 GDPR to object at any time, for reasons arising from his or her particular situation, to the processing of personal data relating to him or her, which is carried out on the basis of Art. 6 para. 1 lit. f GDPR. In the case of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the person concerned, or unless the processing serves to assert, exercise or defend legal claims. The objection can be made, for example, by e-mail to the e-mail address given under Section 1.
5. Data security
As those responsible for the data processing, we implement numerous technical and organisational measures on our website to ensure the most complete possible protection of the personal data processed via our website and therefore to protect your data against accidental or intentional manipulation, partial or complete loss or destruction or against unauthorised access by third parties. For security reasons and to protect the transmission of confidential content, our website uses TLS (Transport Layer Security) encryption. You can recognize an encrypted transmission of content on our website by the “padlock” symbol in front of our domain in the address bar of your browser. We would like to point out, however, that data transmission on the Internet (e.g. when communicating by e-mail) can have security vulnerabilities. A seamless protection of data against access by third parties is not possible.
6. Up-to-dateness, status and changes
Status of the Privacy Notice: May 2020
Through the further development of our website and our services or due to changed statutory or official requirements it may become necessary to amend this Privacy Notice. The respective current version can be viewed and printed out at any time on our website at https://www.winkgen.de/datenschutzerklaerung