Principles of data processing at MT.DERM
To fulfil our duty to provide information in accordance with Article 12 ff. and Art. 21 of the General Data Protection Regulation (GDPR), we are pleased to provide you with the following information on data protection:
1 Data processor
The data processor within the meaning of data protection law is
Also represented under its brands (AMIEA, AMIEA MED, Cheyenne, VYTAL).
You will find more information about our company, details of the authorised representatives and other contact details in our website’s site notice: https://www.mtderm.de/impressum.
2 Processing purpose and categories
We will only process the data we have received from you for the purposes for which we have received or collected it.
As part of our cooperation with business partners, we process personal data for the following purposes:
- Communication with business partners on products, services and projects (e.g. product development);
- Planning, execution and administration of the (contractual) business relationship between MT.DERM and the business partner, e.g. for processing orders for products and services, collection of payments, for accounting, billing and debt collection purposes and for carrying out deliveries, maintenance activities or complaints or repairs;
- Conducting customer surveys (e.g. as part of post market surveillance in accordance with ISO 13485), marketing campaigns, market analyses, competitions, prize draws or similar events;
- Maintenance and protection of the security of our products, services and websites, prevention and detection of security risks, fraud or other criminal or malicious activities;
- Compliance with
  - legal requirements (e.g. tax and commercial law storage obligations);
  - existing obligations to conduct compliance or sanctions list screenings (to prevent white-collar crime or money laundering); and
- Settlement of legal disputes, enforcement of existing contracts and the establishment, exercise and defence of legal claims;
- Conduct of product approvals.
We may process the following categories of personal data for the above-mentioned purposes:
- Contact information (forenames and surname, business address, business phone number, business mobile number, business fax number and business email address);
- Payment information (information required to process payment transactions or prevent fraud, including credit card information and card verification numbers);
- Other information required for the processing of a project, the execution of a contractual relationship with MT.DERM or any other cooperation, or voluntarily provided by our contact persons, such as orders placed, requests made or project details;
- Information collected from publicly available sources, information databases or credit agencies; and
- If necessary in the context of the above-mentioned screening procedures: Information on relevant legal proceedings and other legal disputes involving business partners.
3 Legal basis of the processing
The processing of personal data is necessary to achieve the above-mentioned purposes.
Unless expressly stated otherwise, the legal basis for data processing is Article 6 GDPR.
In this connection, the following possibilities come into consideration in particular:
- Consent (Article 6(1)(a) GDPR);
- Data processing for the performance of contracts (Article 6(1)(b) GDPR);
- Data processing on the basis of a balance of interests (Article 6(1)(f) GDPR);
- Data processing for compliance with a legal obligation (Article 6(1)(c) GDPR).
If personal data is processed on the basis of your consent, you have the right to withdraw your consent at any time with effect for the future.
If we process data on the basis of a balance of interests, you as the data subject have the right to object to the processing of personal data, under the provisions of Article 21 GDPR.
If the above personal data cannot be collected, it may not be possible to achieve the individual purposes described.
4 Storage Periods
If no specific storage period is specified during the data’s collection, the personal data will be deleted once the purpose of the collection no longer exists.
Exceptions to this are statutory retention obligations (e.g. commercial and tax retention obligations). In this case, the storage period for certain data can be up to 10 years or longer.
In principle, we will undertake a data review towards the end of a calendar year with respect to the requirement for further processing. On the basis of the amount of data, this review shall be undertaken with respect to specific types of data or processing purposes.
5 Data Recipients
Your personal data will only be transferred to third parties if this is necessary for the performance of the contract with you, the transfer is permitted on the basis of a balance of interests within the meaning of Article 6(1)(f) GDPR, we are legally obliged to undertake the transfer or you have given your consent in this respect.
In addition, the following offices may receive your data:
- contract processors (Art. 28 GDPR) used by us, service providers for supporting activities and other persons responsible within the meaning of the GDPR, for example marketing agencies, personnel service providers, accounting and controlling, data destruction, customer administration, website management, tax consultancy, auditing services or credit institutions. These have been carefully selected and commissioned by us, are bound by our instructions and are contractually obliged to comply with the applicable data protection requirements. They are also regularly monitored;
- public authorities and institutions where there is a legal or official obligation under which we are obliged to provide information, report or pass on data or where the passing on of data is in the public interest;
- authorities and institutions based on our legitimate interest or the legitimate interest of the third party (e.g. authorities, credit agencies, debt collection agencies, lawyers, courts, experts, committees);
- other parties for which you have given us your consent for data transfer.
We will not use your data for purposes other than those mentioned above without your consent.
6 Data transfers to third countries
Data is transferred to recipients in states outside the European Union (EU) or the European Economic Area (EEA), so-called third countries, if this is necessary for the execution of an order/contract by or with you, is required by law (e.g. tax reporting obligations), is in the legitimate interest of us or a third party, or you have given us your consent.
The processing of your data in a third country may also take place in connection with the involvement of service providers within the framework of order processing. If the EU Commission has not decided on an appropriate level of data protection for the country in question, we will ensure that your rights and freedoms are adequately protected and guaranteed in accordance with EU data protection regulations. We will provide you with the relevant detailed information on request.
However, we do not currently transfer this information to third countries.
7 Rights to information, rectification, correction and erasure of data
You have the following rights with respect to the processing of personal data:
- Information about the personal data concerning you that we are processing (Art. 15 GDPR). If a request for information is not made in writing, please understand that we may require proof from you that you are the person you claim to be.
- The right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) or to restriction of processing (Art. 18 GDPR), if you are legally entitled to it.
- The right to object to processing within the framework of statutory provisions (Articles 21(1) and (2) GDPR).
Upon request, we will provide you with a copy of your personal data in a structured, commonly-used and machine-readable format (Art. 20 GDPR).
8 Processing location
The data is mainly processed on IT systems in our server rooms.
We have carried out prior evaluations of external service providers who process data for us with respect to the security of processing.
9 Data Protection Officer’s contact details
For information about your personal data, to have incorrect data rectified, blocked or erased, to exercise your right to object and in the event of additional questions about the use of your personal data, please contact us at:
Data Protection Officer
10 Lodging complaints with the supervisory authority
Under Article 77 GDPR, data subjects have the right to lodge complaints with the competent supervisory authority if they believe that the processing of their personal data is unlawful. The competent data protection supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information.
You can find a list of other national and international data protection authorities with which you can also lodge complaints here.
11 Changes to the data protection principles