1 Name and contact details of the controller according to Article 4 section 7 GDPR
Company: GETEMED Medizin- und Informationstechnik AG
Address: Oderstraße 77, 14513 Teltow
Telephone: +49 3328 3942-0
Fax: +49 3328 3942-99
1.1 Data protection officer
Name: Dr.-Ing. Astrid Trachterna
Address: GETEMED Medizin- und Informationstechnik AG
Oderstraße 77, 14513 Teltow
Telephone: +49 3328 3942-323
Fax: +49 3328 3942-99
2 Security and protection of your personal data
We consider it our first priority to maintain confidentiality in relation to your personal data and to protect your personal data from unlawful interventions by third parties. We therefore handle our affairs with utmost care and make use of modern security standards to protect your personal data in the most effective manner.
As a private company, we are bound by the European GDPR and the German Federal Data Protection Act. We have installed measures to comply with the applicable data protection law.
2.1.1 Personal data
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.1.3 Restriction of processing
'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future.
'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
2.1.6 Filing system
'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
2.1.10 Third party
'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3 Lawfulness of processing
A legal basis is necessary for the processing to be lawful. According to Article 6 section 1 letters a-f GDPR, the following legal bases are to be considered:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4 Information concerning the processing of personal data
(1) We hereby inform you about the processing of personal data while using our website. (2) In case of contact with us using e-mail or the website’s contact form, we will store your personal data (for example: e-mail address, address, telephone number) in order to answer your questions concerning the company. We will delete your personal data as soon as further storage is not necessary anymore; if we have to comply with legal storage obligations, we will restrict the processing of your personal data.
Processing of personal data while using our website
In the case of visiting our website for informative reasons only, which means you are not logged in or actively send us personal data, we only process personal data that is transmitted to us by our server. While visiting our website, the following personal data are processed to ensure the website’s security and stability, on the basis of Article 6 section 1 letter f GDPR:
– date and time of the action
– your location (country and city)
– time difference in reference to Greenwich Mean Time (GMT)
– content of your action (for example: which page was opened, amount of time spent on the website, clicks and so on)
– access status/HTTP status code
– amount of processed data
– technical information (for example: browser, internet provider and so on)
– origin of your website use
– technical information such as browser (language and version), internet provider, device and screen resolution
– source of your visit (i.e. via which website or which advertisement you came to us).
5 Deployment of cookies
(2) Cookies of the following type are being used:
– Transient cookies (a.)
– Persistent cookies (b.).
a) Transient cookies will be deleted automatically after closing the internet browser. The most common form of transient cookies are so-called session cookies. They store your session ID, which enables us to recapitulate your use of the website.
b) Persistent cookies are deleted automatically after a certain time, which differs depending on the type of cookie. You can delete persistent cookies yourself in your browser’s security settings.
c) You can adjust your browser settings in relation to cookies as you wish, which includes the possibility to reject all kinds of cookies, especially so-called “third party cookies”. Third party cookies are not implemented by us, but by another party. We hereby inform you that rejecting third party cookies may cause the website to malfunction.
6 Further functions and services of our website
(1) In addition to the informative use of our website only, our website offers you further services. To make use of these services, you have to transmit further personal data. The processing of further personal data normally is necessary to perform the further services; principles of data protection fully apply. (2) In parts, we make use of external service providers to process your personal data. These providers have been chosen with utmost care, are bound by our orders and are supervised by us. (3) In case our services are offered to you in collaboration with third parties, we are allowed to transmit your personal data to these third parties in order to perform our service. You will receive further information regarding this topic when you are about to transmit further personal data or in the offer of the service itself.
Our website is addressed to adults. Minors are not supposed to transmit personal data without their parents’ consent.
8 Google Analytics
(1) In order to analyse the use of our website and to develop it, we make use of Google Analytics. By evaluating the statistics, we are able to develop our website in the user’s interest. The legal basis for the use of Google Analytics is Article 6 section 1 letter f GDPR.
(2) Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) provides Google Analytics for us. Google processes the personal data on our behalf and is, by contract, obliged to comply with data protection law. Google transmits personal data to servers in the United States of America. European and German data protection law does not apply in the United States of America. We hereby inform you that the data protection law of the United States of America grants a data protection standard below the standard in European and German law.
(3) To perform the Google Analytics evaluation, cookies are stored on your device. By deleting existing cookies and not allowing new cookies, you are able to prevent the evaluation. We hereby inform you that the non-approval of cookies may cause the website to malfunction. You can adjust cookies in your browser’s settings. Another way to prevent the processing of personal data through Google Analytics is to install the browser add-on to deactivate Google Analytics.
(4) This website makes use of IP-anonymisation. The IP-address is stored in a compressed way throughout the European Union and the European Economic Area. In compressing the IP-address, personal reference is not possible. Within the order processing contract between GETEMED and Google Inc., Google evaluates statistics of the website’s use and performs other services in relation to our website.
(5) Following this link (here), you will find further information on the processing of data by Google Inc.
9 The data subject’s rights regarding data protection
9.1 Withdrawal of the given consent
In case the processing of personal data is based on a consent given by the data subject, he or she can withdraw the consent at any time. The withdrawal does not affect the lawfulness of processing that has already happened on the basis of the consent. The withdrawal has to be expressed and addressed to GETEMED.
You have the right to receive a confirmation whether or not your personal data have been processed by the controller. The request for the confirmation has to be addressed to the company’s address.
9.3 Right of access
In case your personal data has been processed, you shall have the right to gain access to the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22 section 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If personal data are transmitted to a third country or international organisation, you shall have the right to be informed about legal guarantees granted by Article 46 GDPR. We will produce a copy of the personal data concerned. For every further copy, we shall be able to demand a reasonable fee that covers the administrative costs. In case you state your request in an electronic form, we shall give the information in an electronic form as well. The right to receive a copy of the data concerned shall not affect the rights and freedoms of others.
9.4 Right to rectification
You have a right to rectification in case of false personal data. You also have the right to demand completion in case of relevant data missing.
9.5 Right to erasure ('right to be forgotten')
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
If the controller has made the personal data public, even though he is obliged to erase the personal data, he has to implement measures to inform the processors that a data subject has lawfully requested the erasure of personal data; costs and the technical standards have to be taken into consideration. The right to erasure does not exist in the following cases:
– processing is necessary considering the freedom of speech;
– processing is necessary to fulfil a legal obligation that binds the controller by law in public interest;
– processing is necessary in public interest, especially for reasons concerning public health (Article 9 GDPR);
– processing is necessary in public interest, especially in relation to archiving, scientific or historical research or statistical purposes (Article 89 GDPR);
– processing is necessary to enforce or protect rights.
9.6 Right to restriction of processing
You shall have the right to demand the restriction of processing in the following cases:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. To claim the right to restriction of processing, the data subject has to address GETEMED under the above-mentioned contact details.
9.7 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
9.8 Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. The right to object can be claimed at any time.
9.9 Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply in the following cases:
a) It is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) the controller is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) processing is based on the data subject's explicit consent.
In the cases referred to in points (a) and (c), the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. This right can be claimed by addressing the case to the controller.
9.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
9.11 Right to an effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Article 55 and Article 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR.
We make use of external service providers (processors). All our processors have been chosen with utmost care and are supervised by us. They process personal data on our behalf only and, by contract, work following our orders, to protect your personal data.