Information about the processing of your personal data (www.hema.to)

Care and transparency are the basis for a trusting cooperation with our customers. We therefore inform you about how we process your data and how you can exercise the rights to which you are entitled under the General Data Protection Regulation. Which personal data we process and for what purpose depends on the respective contractual relationship.

1. Who is responsible for data processing (Controller)?

The Controller is:

hema.to GmbH
Ainmillerstr. 22
80801 Munich 

2. How do you reach the data protection officer?

You can reach our data protection officer at:

RA Alexander Stolberg-Stolberg
SVF Attorneys at Law
Oberanger 30
80331 Munich
datenschutz@hema.to  

3. Which of your personal data do we use?

If you have an enquiry, order documents for a haematological analysis or conclude a contract with us, we process your personal data. In addition, we also process your personal data, among other things, to fulfil legal obligations, to protect a legitimate interest or on the basis of consent given by you. Depending on the legal basis, this involves the following categories of personal data:

- First name, last name
- Address
- Communication data (telephone, e-mail address)
- Date of birth
- Contract master data, in particular order number, order date, type of contract
- Invoice data/sales data
- Payment details/account information

4. What are the sources of the data?

We process personal data that we receive from our customers.

5. For what purposes do we process your data and on what legal basis?

a) Art. 6 I lit. a GDPR serves us as the legal basis for processing operations in which we obtain consent for a specific processing purpose.

b) If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.

c) If our company is subject to a legal obligation through which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.

d) Processing operations could also be based on Art. 6 I lit. f GDPR if the processing is necessary for the protection of a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, sentence 2 of the GDPR).

e) If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.

6. Who will your data be passed on to?

Your personal data will only be disclosed to third parties if this is permitted by law or if you have given your consent. 

7. Is your data transferred to countries outside the European Union (so-called third countries)?

We operate our website on servers in data centers located exclusively in Frankfurt am Main (Germany/EU).

We use the Cloudfront content delivery network (CDN) to serve the website globally. This is a service provided by Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210. It makes duplicates of a website's data available on various AWS servers distributed around the world.

These servers located in non-EU countries are only accessed if this website is called up from a network in a non-EU country. This means: If you visit the website from an internet access point in Germany or the EU, the website will be loaded from our servers in Germany / the EU. Only if you call up our website from outside the EU will it be provided by the nearest server outside the EU.

This allows us to achieve faster website load times, greater resilience and increased protection against data loss. Some of the images and files embedded on this website are then loaded from the Cloudfront CDN when the page is called up.

Through this retrieval, information about your use of our website (such as your IP address) is transmitted to Amazon servers in other EU countries and stored there. This happens as soon as you enter our website. The use of Amazon Web Services and the Amazon CDN Cloudfront is in the interest of a higher reliability of the website, increased protection against data loss and a better loading speed of this website. This represents a legitimate interest within the meaning of Art. 6 (1) f GDPR.

To learn more about Amazon Web Services' privacy practices, visit: https://aws.amazon.com/de/data-protection/  

The current AWS privacy policy can be found at: https://aws.amazon.com/de/privacy/.   

AWS has contractually committed to ensure compliance with the level of data protection applicable in the EU under the EU Standard Contractual Clauses.

8. How long will your data be stored?

We store your personal data as long as it is necessary for the fulfilment of our legal and contractual obligations. If storage of the data is no longer necessary for the fulfilment of contractual or legal obligations, your data will be deleted.

9. What rights do you have in connection with the processing of your data?

As a data subject, you have the following rights:

- in accordance with Art. 15 GDPR the right to request information about your personal data processed by us to the extent specified therein;

- in accordance with Art. 16 GDPR the right to demand the immediate correction of incorrect or completion of your personal data stored by us;

- in accordance with Art. 17 GDPR the right to demand the deletion of your personal data stored by us, insofar as the further processing is not prohibited.

– to exercise the right to freedom of expression and information;
– to fulfil a legal obligation;
– for reasons of public interest, or
– is necessary for the assertion, exercise or defence of legal claims;

- in accordance with Art. 18 GDPR, the right to demand the restriction of the processing of your personal data, insofar as

– the accuracy of the data is disputed by you;
– the processing is unlawful but you object to its erasure;
– we no longer need the data, but you need it for the assertion, exercise or defence of legal claims or
– you have objected to the processing in accordance with Art. 21 GDPR;

- in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;

- In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

To exercise your rights, you can contact the data controller or the data protection officer using the contact details provided or contact customer service: datenschutz@hema.to. We will process your requests promptly and in accordance with the legal requirements and inform you of the measures we have taken.  

10. Is there an obligation to provide your personal data?

In order to enter into a business relationship, you must provide us with the personal data that is required for the implementation of the contractual relationship or that we must collect due to legal requirements.
If you do not provide us with this data, then the implementation and processing of the contractual relationship is not possible for us.  

11. Data collection by this website

Each time you use our website, we collect the data that your browser automatically transmits to enable you to visit the website. These are in particular:

- Domain name or IP address of the requesting terminal device
- File request of the client (file name and URL)
- HTTP response code
- Date and duration of the visit
- Address of the accessed website and the requesting website

The data processing is necessary to enable the visit of the website and to ensure the permanent functionality and security of our systems. The aforementioned data is also temporarily stored in internal log files for the purposes described above, in order to create statistical information about the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices with which the pages are accessed increases) and to generally maintain our website administratively.

Pursuant to Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed if you provide it to us for the performance of a contract or when opening a customer account. Which data is collected can be seen from the respective input forms. Deletion of your customer account is possible at any time and can be done by sending a message to the above address of the person responsible. We store and use the data provided by you for the purpose of processing the contract. After complete processing of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial law retention periods and deleted after expiry of these periods, unless you have expressly consented to further use of your data or a legally permitted further use of data was reserved by us.

When using these general data and information, we do not draw any conclusions about the data subject. 

12. Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent. The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), if this has been requested. The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular retention periods - remain unaffected.

13. Request by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry including all personal data arising from it (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent. The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested. The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after processing your request has been completed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

14. Registration on this website

You can register on this website to use additional functions on the site. We use the data entered for this purpose only for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise we will reject the registration.  For important changes, for example in the scope of the offer or in the case of technically necessary changes, we will use the e-mail address provided during registration to inform you in this way. The data entered during registration is processed for the purpose of implementing the user relationship established by registration and, if necessary, for initiating further contracts (Art. 6 para. 1 lit. b GDPR).  The data collected during registration will be stored by us for as long as you are registered on this website and will then be deleted. Legal retention periods remain unaffected. 

15. Changes to this information

If there is a significant change in the purpose or manner in which we process your personal data, we will update this information and notify you of the changes in a timely manner.