Introduction
We, Temedica GmbH, Erika-Mann-Str. 21, 80636 Munich, Germany (hereinafter referred to as "Temedica", "us" and "we") take the protection of your personal data seriously and would like to inform you at this point about data protection for the website https://ced.temedica.com/, which holds information regarding our app for inflammatory bowel disease (IBD).
Within the scope of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the person affected by a processing operation (in the following, we also address you as "customer", "user", "you" or "data subject").
Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes in particular the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing in accordance with Articles 13 and 14 GDPR. With this statement (hereinafter "Privacy Notice"), we inform you about the manner in which your personal data is processed by us.
Our data protection notices have a modular structure. They consist of a general part for any processing of personal data and processing situations that come into play each time the website is called up (Part I.: General Information) and a special part, the content of which relates in each case only to the processing situation indicated therein with designation of the respective offer or product, in particular the visit to websites and the use of the services provided by Temedica, which are set out in more detail herein (Part II.: Data Processing IBD Website). Finally, we inform you about your rights as a data subject in accordance with the data protection provisions of the GDPR (Part III.: Rights of the data subject).
Part I. General Information
A. Definitions
Following the example of Art. 4 of the GDPR, these data protection notices are based on the following definitions:
- "personal data" (Art. 4 Nr. 1 GDPR) means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "processing" (Art. 4 Nr. 2 GDPR) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "controller" (Art. 4 Nr. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- "third party" (Art. 4 Nr. 10 GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- "processor" (Art. 4 Nr. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- "consent" (Art. 4 Nr. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
B. Controller within the meaning of data protection law
We are the controller for the processing of your personal data within the meaning of Art. 4 Nr. 7 GDPR:
Temedica GmbH
Erika-Mann-Str. 21
80636 Munich
089 215 544 970
datenschutz@temedica.com
For further information on our company, please refer to the imprint details on our website: https://temedica.com/en/footernavigation/imprint
Responsible for compliance with data protection is our external Data Protection Officer:
Proliance GmbH / www.datenschutzexperte.de
Leopoldstr. 21
80802 Munich
datenschutzbeauftragter@datenschutzexperte.de
C. Legal basis of the data processing
By law, in principle, any processing of personal data is prohibited and only permitted if the data processing falls under one of the following justifications:
- Art. 6 Para. 1 S. 1 lit. a GDPR ("consent"): If the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous confirmatory act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
- Art. 6 Para. 1 S. 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request;
- Art. 6 Para. 1 S. 1 lit. c GDPR: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a legal obligation to keep records);
- Art. 6 Para. 1 S. 1 lit. d GDPR: If the processing is necessary to protect vital interests of the data subject or another natural person;
- Art. 6 Para. 1 S. 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Art. 6 Para. 1 S. 1 lit. f GDPR ("Legitimate Interests"): If the processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject override (in particular if the data subject is a minor).
For the processing operations carried out by us, we indicate below the applicable legal basis in each case. A processing operation may also be based on several legal bases.
D. Data deletion and storage period
For the processing operations carried out by us, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. If no explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. In principle, your data will only be stored on our servers in Germany, subject to any transfer that may take place in accordance with the provisions of these data protection regulations.
However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is required by legal regulations to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
E. Data security
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons. We use SSL encryption for security reasons and to protect the transmission of confidential content.
F. Cooperation with Processors
As with any larger company, we also use external domestic and foreign service providers (e.g. for IT, logistics, telecommunications, sales and marketing) to process our business transactions. These will only act on our instructions and have been contractually obligated to comply with data protection regulations in accordance with Art. 28 GDPR.
The following categories of recipients, who are usually processors, may receive access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted by the systems. The legal basis for the transfer is then Art. 6 Para. 1 S. 1 lit. b or lit. f GDPR, insofar as they are not order processors;
- Government agencies/authorities, insofar as this is necessary for the fulfillment of a legal obligation. The legal basis for the transfer is then Art. 6 Para. 1 S. 1 lit. c GDPR;
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 Para. 1 S. 1 lit. b or lit. f GDPR.
In addition, we will only pass on your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR. If personal data from you is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.
G. Requirement for transfer to third countries
In the course of our business relationships, your personal data may be transferred or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and to maintain your business relationship with us. We will inform you about the respective details of the transfer below at the relevant points.
The European Commission certifies data protection comparable to the EEA standard in some third countries by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding internal data protection regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. We make explicit reference to this at the relevant points, insofar as the use of appropriate safeguards is relevant in accordance with Art. 44 of the GDPR.
Part II. Data processing IBD Landing Page (https://ced.temedica.com/)
A. Access to and storage of information in terminal equipment
By using our website, access to information (e.g. IP address) or storage of information (e.g. cookies) in your terminal equipment may occur. This access or storage may involve further processing of personal data pursuant to the GDPR.
In cases where such access to information or such storage of information is strictly necessary for the technically error-free delivery of our services, this is done on the basis of § 25 para. 1 s. 1, para. 2 no. 2 TTDSG.
In cases where such a process serves other purposes (e.g. the needs-based design of our website), this will only be carried out on the basis of § 25 para. 1 TTDSG with your consent pursuant to Art. 6 para. 1 lit. a GDPR. The consent can be revoked at any time with effect for the future.
For more information on the processing of your personal data and the relevant legal basis in this context, please refer to the following sections on the specific processing activities on our website.
B. Webhosting
This website is hosted by an external service provider (gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Köln). This website is hosted through gridscale Data Centers, which are located in Germany. Personal data collected on this website is stored on the hoster's servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, website accesses and other data generated through a website.
We collect the listed data in order to ensure a smooth connection of the website and a technically error-free provision of our services. The processing of this data is absolutely necessary to provide you with the website. The legal basis for the processing of the data is our legitimate interest in the correct presentation and functionality of our website in accordance with Art. 6 (1) lit. f GDPR.
We have concluded an order processing agreement with the provider in accordance with the requirements of Art. 28 GDPR, in which we oblige the provider to protect our customers' data and not to pass it on to third parties.
C. Server-Logfiles
Once you visit our website, it is technically necessary that data is transmitted to our web server via your internet browser. The following data is recorded during an active connection for communication between your internet browser and our web server:
- Date and time of the request
- Name of the requested file
- Page from which the file was requested
- Access status
- Web browser used and operating system used
- Transmitted amount of data
We collect the listed data to ensure a proper connection to the website and an error-free delivery of our services. The processing of this data is strictly necessary to make the website available to you. The log files are processed for the purpose of evaluating system security and stability as well as for administrative purposes. The legal basis for the processing of the data is our legitimate interest in the protection and functionality of our website in accordance with Art. 6 para. 1 lit. f GDPR.
For reasons of technical security, in particular to prevent attempts to attack our web server, we may temporarily store this data. After 30 days at the latest, the data is made anonymous by shortening the IP address at domain level, so that it is no longer possible to establish a reference to the individual user. This data is not evaluated in anonymous form except for statistical purposes. This data is not combined with data from other data sources.
D. Newsletter SendinBlue
If you would like to receive the newsletter offered on our website with regular information about our offers and products, we need your email address as mandatory information. Additional data is provided on a voluntary basis in order to be able to address you personally in the newsletter.
For the dispatch of the newsletter we use the so-called double opt-in procedure. This means that we will only send you our newsletter via email, if you have expressly confirmed that you agree to receive newsletters. In the first step, you will receive an email with a link to confirm that you, as the owner of the corresponding email address, wish to receive newsletters in the future. With the confirmation you give us your consent in accordance with Art. 6 para. 1 lit. a GDPR that we may use your personal data for the purpose of the desired newsletter dispatch.
When you register for the newsletter, in addition to the email address required for sending the newsletter, we store the IP address by which you registered for the newsletter as well as the date and time of registration and confirmation in order to be able to trace possible misuse at a later point in time. Legal basis for this processing is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
You can unsubscribe from the newsletter at any time by clicking on the link included in each newsletter or by sending an email to the controller as described above. Once you have cancelled your subscription, your email address will be deleted from our newsletter list immediately, unless you have expressly consented to the continued use of the data collected.
Our email newsletters are sent via a technical service provider to whom we pass on the data you provide when you register for the newsletter. We have concluded a data processing agreement with our email service provider in which we oblige the provider to protect the data of our customers and not to pass it on to third parties.
Service Provider: Sendinblue GmbH
Address: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin
Privacy Policy: https://de.sendinblue.com/legal/privacypolicy/
Since a transfer of personal data to countries outside the EU takes place, further appropriate safeguards are required to ensure the level of data protection under the GDPR. To guarantee this, we have concluded standard contractual clauses with the provider in accordance with Art. 46 Para. 2 lit. c GDPR. These oblige the recipient of the data in the country outside the EU to process the data according to the level of protection in Europe. In cases in which this cannot be guaranteed even by this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the country outside the EU.
Based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, our provider uses this information for the dispatch and statistical evaluation of the newsletter on our behalf. For the evaluation, the sent emails contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. In this way it can be determined whether a newsletter message has been opened and which links have been clicked on, if applicable. Conversion tracking can also be used to analyse whether a predefined action (e.g. purchase of a product on our website) was carried out after clicking on the link in the newsletter. Technical information is also recorded (e.g. time of access, IP address, browser type and operating system). The data is collected pseudonymously and is not linked to your other personal data; a direct personal reference is excluded. These data are used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients. If you wish to revoke your consent for the data analysis for statistical evaluation purposes, you must cancel the newsletter subscription.
E. Booking an appointment (Calendly)
On our website you have the possibility to book an appointment with us. We use "Calendly" for this purpose. Calendly is a service of Calendly, LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA, https://calendly.com.
If you want to book an appointment with us, you can use the form provided for this purpose. The data you provide will then be transmitted to the respective contact person via Calendly and the data will be entered into our calendar (Outlook). In addition, the data can be viewed by us in the login area of Calendly and is stored there.
You will receive a confirmation of the appointment by e-mail, where you have the option to insert the data into your calendar.
The purpose of processing the data provided is to be able to make an appointment, process the contact request and get in touch with you.
The legal basis for the processing of personal data described here is Art. 6 (1) lit. f GDPR. Our legitimate interest is to offer you the opportunity to independently arrange appointments with us. This simplifies the coordination regarding appointments and enables an efficient appointment arrangement. If the provision of your data is for the initiation or execution of a contract, Art. 6 para. 1 lit. b GDPR is also the legal basis.
The personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
We have concluded a contract processing agreement with Calendly, so that the data you provide is processed for us in accordance with instructions and orders.
As a transfer of personal data to the USA may occur, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even by this contractual extension, we endeavor to obtain additional regulations and commitments from the recipient in the USA.
Further information on this can be found in the order processing agreement (https://calendly.com/pages/dpa) and in the Calendly privacy policy (https://calendly.com/de/pages/privacy).
F. External links to social media
Social networks (Instagram) are only integrated on our website as a link to the corresponding services. After clicking on the embedded text/image link, you will be redirected to the page of the respective provider. Only after the redirection, user information is transferred to the respective provider. For information on the handling of your personal data when using these websites, please refer to the respective data protection provisions of the providers you use.
G. Data transfer and recipients
Your personal data is not transferred to third parties, unless
- we have explicitly pointed this out in the description of the respective data processing,
- you have given your explicit consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,
- the transfer pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and our legitimate interests are not overridden by your fundamental rights and freedoms,
- there is a legal obligation to transfer data pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR, and
- the transfer is required by Art. 6 para. 1 sentence 1 lit. b GDPR for the execution of contractual relationships with you.
In addition, we use external service providers for the processing of our services, whom we have carefully selected and commissioned in writing. They are bound by our instructions and are regularly monitored by us. Required data processing agreements pursuant to Art. 28 GDPR are concluded before the commission. In particular, these contracts concern web hosting services, the dispatch of emails and IT updates and maintenance. Your personal data will not be transferred to third parties by our service providers.
Part III. Rights of the data subject
In the following, you will find information about your data subject rights, which the current data protection law grants you against the controller concerning the processing of personal data:
A. The right, pursuant to Art. 15 GDPR, to obtain information about your personal data processed by us. In particular, you may request information about the purposes of processing, the categories of personal data concerned, the categories of recipients to whom your data has been or will be disclosed, the envisaged period for which the data will be stored, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing, the existence of a right to lodge a complaint with a supervisory authority, the origin of your data, if these have not been collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences.
B. The right to obtain without undue delay the rectification of inaccurate personal data concerning you in accordance with Art. 16 GDPR.
C. The right to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary to exercise the right of freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
D. The right, pursuant to Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is contested by you, the processing is unlawful, but you oppose the erasure and we no longer need the data for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims or you have filed an objection against the processing pursuant to Art. 21 GDPR.
E. The right, in accordance with Art. 20 GDPR, to receive the personal data concerning you, which you have provided to us, in a commonly used and machine-readable format and the right to transmit those data to another controller.
F. The right to withdraw your given consent pursuant to Art. 7 para. 3 GDPR with effect in the future at any time.
G. The right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR, in particular in the Member State of your habitual residence or place of work.
H. The right to withdraw your given consent pursuant to Art. 7 para. 3 GDPR: You have the right to withdraw your given consent concerning the processing of your personal data with effect for the future at any time. In the event of withdrawal, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
I. Right to object
If your personal data is processed by us based on legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, you have the right, pursuant to Art. 21 GDPR, to object at any time to the processing of your personal data on grounds relating to your particular situation. If the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement of stating a particular situation.
If you wish to exercise your right of withdrawal, objection or any of your other rights, simply send an e-mail to datenschutz@temedica.com
J. Necessity of providing personal data
The provision of personal data for the decision on the conclusion of a contract, the fulfilment of the contract or for the implementation of pre-contractual measures is voluntary. However, we can only make the decision in the context of contractual measures if you provide such personal data that is required for the conclusion of the contract, the fulfilment of the contract or pre-contractual measures.
K. Automated decision making / profiling
Automated decision making or profiling according to Art. 22 GDPR does not take place.
L. Subject to change
We reserve the right to adapt or update this privacy policy, if necessary, in compliance with the applicable data protection regulations. In this way, we can adapt it to the current legal requirements and take account of changes to our services, e.g., the introduction of new services. The most current version applies to your visit.
Status of this privacy policy: 18.10.2022