Responsible authority and contact
Within the framework of the Data Protection Act and particularly the EU General Data Protection Regulation (GDPR), the responsible party for your data is:
Represented by Managing Director Ludwig Klitzsch.
If you have questions regarding data protection, please write us an e-mail or directly contact the party responsible for our organisation’s data protection:
IITR Datenschutz GmbH
Purpose of Data Processing through the Responsible and Third Parties
We will process your personal data only for the purposes outlined in this data privacy statement. The purpose of this processing is to ensure the availability of our services, the corresponding functions and content, to respond to contact requests and user communications, and to implement security measures, reach measurement and marketing.
We do not transmit your personal data to third parties for purposes other than the ones outlined above. We only transmit your personal data to third parties if the processing is necessary to complete a contract or fulfil a legal obligation, if you’ve given your explicit consent, or if the processing is necessary to safeguard legitimate interests and there is furthermore no reason to assume that you have an overriding interest worth protecting in not having your data passed on.
In order to carry out our business model and recognise user wishes, we analyse the available data of business processes, contracts, inquiries, etc. We process inventory data, communications data, contract data, and metadata on the basis of Art. 6 Section 1 lit. f) GDPR.
The analyses are carried out for marketing purposes. We also use the analyses in order to increase user-friendliness and optimise our offers and operational efficiency. These analyses are for our purposes alone and will not be publicly shared, unless they are anonymous analyses with aggregated values.
Insofar as these analyses or profiles are personalised, they will be deleted when the contract with the user has concluded. Furthermore, overall operational analyses and general trend determinations are generated anonymously as far as possible. “Affected persons” are those who visit and use our website.
Processed data can include:
- Inventory data (such as names and addresses)
- Contact data (such as e-mails, telephone numbers)
- Content data (such as text entries, photographs, videos)
- Usage data (such as visited websites, interest in specific content, access times)
- Meta/communications data (such as equipment information, IP addresses)
On the basis of our legitimate interests (cf. Art. 6 Section 1 lit. f) GDPR) we collect data on access to our website and save it as “server log files” on our website’s server. The following data is logged in this manner:
- The visited website
- The time of access
- The quantity of data sent, in bytes
- The source/redirection from which you accessed the site
- The browser used
- The operating system used
- The IP address used
The server log files are saved for a maximum of 7 days and then deleted. The data is saved for security purposes, such as clarifying instances of misuse. If data has to be retained for evidential purposes, it is exempt from deletion until the incident has been fully resolved.
Transmission in Third Countries
Processing data in a third country — meaning beyond the European Union (EU) or the European Economic Area (EEA) — only occurs when it’s relevant for completing our contractual and precontractual duties, when you’ve consented, due to a legal obligation, or on the basis of our legitimate interests. Processing occurs, for example, on the basis of certain guarantees, such as the officially recognised assessment of a data protection level equivalent to that of the EU (in the USA, for example, this would be the “EU-US Privacy Shield,” also known as the so-called “data protection shield,” www.privacyshield.gov) or through the observance of officially recognised special contractual obligations (so-called “standard contractual clauses”). The following service providers assist us with our offers and have headquarters in the USA or in other third countries (this is not an exhaustive list; further details can be found in the corresponding sections of this data protection statement):
Other processes include contract data (such as contractual objects, duration, customer categories) from our users for the purpose of providing contractual services, customer service, marketing, advertising, and market research.
Healthcare-related services
When we process healthcare-related data, it occurs in accordance with Art. 6 Section 1 lit. b) GDPR, in order to be able to provide you with our contractual or precontractual services. The data processed for this purpose, as well as the nature, scope, purpose, and necessity of their processing, are determined by the underlying contractual relationship. Among the processed data are fundamental inventory and master data of patients (such as name and surname) as well as contact data (such as e-mail addresses and telephone numbers).
Within the context of our contact form, our users are able to freely enter information regarding their health status. Entering health-related information is voluntary. By sending off the form, the user consents to further processing by VIVELIA. The legal basis for this is Art. 6 Section 1 lit. a), Art. 7, Art. 9 Section 2 lit. a) GDPR. The processing occurs exclusively for healthcare purposes on the basis of Art. 9 Section 2 lit. h) GDPR, § 22 Section 1 Nr. 1 b) GDPR.
As far as it’s relevant for contractual performance or for legal reasons, we publish or transmit the data of patients within the framework of communicating with medical specialists, to third parties relevant to fulfilling our contractual obligations or otherwise typically involved—such as therapists, clearing offices or similar service providers—insofar as this is required for performing our services according to Art. 6 Section 1 lit. b) GDPR, or insofar as it serves our interests or those of our patients who have a legitimate interest in efficient healthcare according to Art. 6 Section 1 lit. f) GDPR, or is required according to Art. 6 Section 1 lit. d) GDPR in order to protect the vital interests of patients or other natural persons, or within the context of consent according to Art. 6 Section 1 lit. a), Art. 7 GDPR.
Data is erased once it is no longer necessary for fulfilling contractual or legal duties of care or for handling possible warranty or similar obligations, or when the relevant party demands erasure. The necessity of the data’s storage is re-evaluated every three years; all legal retention duties continue to hold.
Therapeutic services and coaching
We process our users’ data according to Art. 6 Section 1 lit. b) GDPR, in order to provide our contractual or precontractual services. The data processed, and the nature, scope, purposes, and necessity of their processing, are determined by the underlying contractual relationship. The data being processed fundamentally consists of users’ master data (such as names, addresses, etc.), contact data (such as e-mail addresses, telephone numbers, etc.), contract data (the services that were used, fees, etc.) and payment data (such as bank details).
Within the context of our online services, we do not ask for any other health-specific data from users.
We publish or transmit data within the context of communicating with specialists or to third parties relevant to fulfilling our contractual obligations, such as clearing offices, insofar as it’s necessary for our contractual obligations or for legal reasons. This only occurs as long as it’s relevant to the provision of our contractual services according to Art. 6 Section 1 lit. b) GDPR, legally prescribed according to Art. 6 Section 1 lit. c) GDPR, relevant to our interests or the legitimate interests of data subjects in efficient and affordable healthcare (cf. Art. 6 Section 1 lit. f) GDPR), or permitted within the framework of consent according to Art. 6 Section 1 lit. a) in conjunction with Art. 7 GDPR.
Data is erased once it is no longer necessary for fulfilling contractual or legal duties of care or for handling possible warranty or similar obligations. The necessity of the data’s storage is re-evaluated every three years; all legal retention duties continue to hold.
Rendering of contractual services
We process inventory data (such as names and addresses as well as users’ contact data) and contract data (such as services used, the names of contacts, payment information, etc.) for the purpose of fulfilling our contractual obligations and rendering services according to Art. 6 Section 1 lit. b) GDPR. The entries on the online forms marked as obligatory are necessary for the conclusion of the contract. All other entries are marked as voluntary.
Within the framework of the use of our online services, we save IP addresses and the time of the respective user action. Storage takes place on the basis of our legitimate interests and on those of users, for the purposes of protecting against misuse and other unauthorised usage. A transfer of this data to third parties fundamentally doesn’t occur unless it’s necessary for pursuing our claims or there is a legal obligation according to Art. 6 Section 1 lit. c) GDPR.
We process usage data (such as the visited pages of our online catalogue, interest in our products) and content data (such as information entered into contact forms or in user profiles) for advertising purposes in a user profile, in order to show users product notices consistent with their previously used services.
The data is erased once legal warranty and similar duties have been completed, and the necessity of the data’s storage is re-evaluated every three years; in the case of legal archiving obligations, erasure occurs after their completion. Data in customer accounts remains until the account is deleted.
Data protection notices in application procedures
We process applicant data only for the purpose and within the framework of the application procedure in accordance with legal specifications. The processing of applicant data serves to fulfil our (pre-)contractual obligations within the framework of the application procedure according to Art. 6 Section 1 lit. b) and lit. f) GDPR, as long as the data processing is necessary for us within contexts such as legal procedures (in Germany § 26 BDSG also applies). The application procedure assumes that applicants share applicant data with us. The necessary applicant data fundamentally consists of personal data, contact addresses, and material necessary for the application, such as cover letters, CVs, and certificates. Applicants can also voluntarily add information. By sending the application to us, applicants agree to have their data processed for the purpose of the application procedure in accordance with the nature and scope established in this data privacy statement.
Apart from being able to apply online at Vivelia, applicants can also send their application via e-mail. In this case, we reiterate that e-mails fundamentally aren’t encrypted and that applicants are solely responsible for encryption. We can, therefore, assume no responsibility for the transmission path of the application between the sender and receipt on our server, and therefore suggest using the online form or sending materials by post. There is also the option to send applications by post.
The data made available by applicants can, in the case of a successful application, be used by us for the purpose of the employment relationship. If the application is not successful, the applicant’s data will be deleted after six (6) months, subject to an applicant’s legitimate revocation. The data of the applicant will also be deleted if an application is withdrawn.
By subscribing to our newsletter you agree to receive it and to the process described here. We send out newsletters, e-mails, and other electronic notifications with promotional information (subsequently known as “newsletter”) only with the consent of the recipient or with legal permission. Signing up to our newsletter occurs in a so-called double-opt-in process. After signing up you’ll receive an e-mail in which you’re asked to confirm your sign-up. This confirmation is necessary so that no one can sign up with someone else’s e-mail address. Sign-ups to the newsletter are logged in order to be able to prove the sign-up process in accordance with legal requirements. This includes saving sign-up and confirmation dates and IP addresses. Any changes made to data saved by the dispatch service provider will also be logged. In order to sign up for the newsletter, it’s sufficient to provide an e-mail address. Optionally, you can also add a name that will be used for your personal greeting in the newsletter. The sending of the newsletter and the measuring of success metrics associated with it occur on the basis of the recipient’s consent according to Art. 6 Section 1 lit. a), Art. 7 GDPR in compliance with § 7 Section 2 Nr. 3 Unfair Competition Act or on the basis of legal permission according to § 7 Section 3 Unfair Competition Act.
The logging of the sign-up process occurs on the basis of our legitimate interest according to Art. 6 Section 1 lit. f) GDPR. Our interest lies in implementing a user-friendly and secure newsletter system that serves our business interests, conforms with user expectations and allows us to prove consent. You can cancel the newsletter at any time, meaning you can withdraw your consent. A link to cancel the newsletter can be found at the bottom of every newsletter. We can save the registered e-mail addresses for up to three years on the basis of our legitimate interest before we delete them, in order to prove previously granted consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided the previous existence of consent is confirmed at the same time.
The newsletter is sent out via the distribution service “MailChimp,” a newsletter distribution platform of the US company Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection regulations of the distribution service can be read here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and therefore offers a guarantee to uphold European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The distribution service is used on the basis of our legitimate interests according to Art. 6 Section 1 lit. f) GDPR and an order management contract according to Art. 28 Section 3 S. 1 GDPR. MailChimp can use the data of recipients in pseudonymous form, meaning without assigning it to a specific user, in order to optimise or improve its own services, such as the technical optimisation of its distribution or the newsletter layout, or for statistical purposes. However, the distribution service does not use the data of our newsletter recipients in order to contact them itself or pass on their data to third parties. The performance measurement of our newsletter occurs through a so-called “web beacon,” meaning a pixel-sized file that is retrieved from MailChimp’s server when the newsletter is opened. Within the context of this retrieval, technical information, such as information about the browser and your system, is collected, as is your IP address and the time of retrieval. This information is used in order to technically improve the service on the basis of technical data or of the target groups and their reading habits, via their retrieval locations (which can be determined through IP addresses) or via retrieval times. Part of the statistical survey is also determining whether newsletters have been opened, when they’ve been opened, and which links have been clicked.
This information can be assigned to individual newsletter recipients for technical reasons, but it’s not our aim to watch individual users. The evaluation serves the purpose of giving us insight into our users’ reading habits and helps us tailor our content to them or send out different content depending on user interest.
The hosting services used by us serve to provide the following: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we utilise for the purpose of managing our online offers. Under our assignment, our hosting company ALL-INKL.COM (ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf) processes all inventory data, contact data, content data, contract data, usage data, and meta- and communications data from users and visitors of our online offers on the basis of our legitimate interests in an efficient and secure availability of this online offering according to Art. 6 Section 1 lit. f) GDPR in compliance with Art. 28 GDPR. A corresponding data processing agreement has been concluded with ALL-INKL.COM.
Our frontend (which is what you see as a user) is created via WordPress (a brand of Automattic Inc. from the USA, which is also located in the EU as Aut O’Mattic A8C Ireland Ltd., Business Centre, No.1 Lower Mayor Street, International Financial Services Centre, Dublin 1, Ireland). Automattic Inc. is also responsible for some parts of data processing through Aut O’Mattic Ltd. Aut O’Mattic does not receive any of your user data. Automattic’s data privacy statement can be found here: https://automattic.com/privacy/
In order to make our web presence as user-friendly as possible, we use so-called session storage for our online offers. These are Application Programming Interfaces (APIs) whose characteristics allow us to save data on our servers for the duration of your visit to our homepage in order to analyse your user behaviour. It recognises from which page within our online presence you’re coming, so that we can see what you’re interested in. After your session has ended this data is deleted. Session storage is necessary for running our homepage. The legal basis for this is Art. 6 Section 1 lit. b) GDPR.
Google Tag Manager
Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thereby incorporate Google Analytics and other Google marketing tools in our online offers). The tag manager itself (which implements the tags) doesn’t process personal user data. In terms of the processing of personal user data, the following notices regarding Google services are to be observed. Usage policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
This website uses Jitsi, an open-source live-chat and video conferencing software of the jitsi.org community. Jitsi uses “cookies,” text data that’s saved on your computer and allows you to have a conversation in the form of a live chat on the website. The collected data will not be used to personally identify website visitors, and personal data will not be connected to the holder of the pseudonym. The chat saves an identification key in the storage of your browser (window.localStorage). This is necessary so that you can access your past communication history at a later time, even after closing your browser. If you delete your browser cache, you will delete all saved settings corresponding to your chosen pseudonym, as well as the connection to the saved chat timeline. We cannot draw any conclusions about your identity based on the saved data. Your prior consent is needed in order to use the blogs/chats; by using them you consent to these conditions.
Within our online offers we use the so-called “Facebook Pixel” of the social network Facebook with your explicit consent (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you’re in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Facebook is certified under the Privacy Shield agreement and therefore guarantees to uphold European data privacy laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
Due to the decision made by the European Court of Justice on 05.06.2018 (C 210/16), we inform all visitors of our Facebook fan page that their personal data is processed by Facebook there in accordance with GDPR. As a page manager, we cannot currently deactivate this function. Vivelia is aware of its joint responsibility with Facebook. We hope to soon achieve a quick solution through Facebook.
We maintain an online presence on social networks and platforms in order to communicate with our users and interested persons. When you access a given network or platform, the terms and conditions and the data processing guidelines of that particular operator apply. Unless otherwise stated within our data protection statement, we process the data of our users as long as they’re communicating with us within social networks and platforms, through actions such as commenting on our online presence or sending us messages.
Incorporating the services and content of third parties
Within our online offers we utilise the content or services of third parties on the basis of our legitimate interests (meaning interest in analysis, optimisation and the economic management of our online offers in accordance with Art. 6 Section 1 lit. f) GDPR), in order to incorporate their content and services such as videos or fonts (henceforth referred to as “content”). This always presupposes that the third-party providers of this content take note of the users’ IP addresses, since they cannot send content to their browsers without their IP addresses. IP addresses are therefore necessary for the display of content. We try to only display content whose third-party providers use IP addresses for the sole purpose of delivering that content. Third parties can also use so-called pixel tags for statistical or marketing purposes. “Pixel tags” help evaluate information such as visitor traffic on certain pages of a website. The pseudonymous information can also be saved in cookies on a user’s device, and can include technical information about browsers, operating systems, referring websites, visiting times, and information regarding the use of our online offers, and can be connected with information from other sources.
We incorporate the maps of the service “Google Maps” (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The processed data usually includes IP addresses and location data of users, which however cannot be collected without their consent (often obtained through the settings on their mobile devices). This data can be processed in the USA. Further information from Google regarding data protection can be found here: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
The use of social plugins from Facebook, Twitter, Google+, Instagram, and co. under the use of the Shariff-Solution
On our website we use social plugins (“plugins”) from social networks. In order to increase the safety of your data while visiting our website, plugins are not embedded directly but merely incorporated into the site through the use of an HTML link (the so-called “Shariff solution” from c’t). “Shariff” was developed in order to ensure more privacy on the net and to replace the usual “share” buttons used by social networks. This incorporation ensures that no automatic connection is made with the servers of the providers of the corresponding social networks whenever you call up one of our pages that has such plugins. If you click on one of the buttons, a new window in your browser will open and call up the site of the corresponding service provider, where you can then use the like or share button (sometimes after having entered your login data). The purpose and scope of this data collection and the further processing and use of data by the providers on their sites, as well as your rights and setting options on this subject and for the protection of your privacy, can be found in the data protection notices of the providers:
Rights of affected individuals
You have the right to demand confirmation regarding whether specific data is being processed and to receive information regarding this data as well as further information and a copy of said data, in accordance with Art. 15 GDPR.
According to Art. 16 GDPR you have the right to demand the completion of data relevant to you or the correction of incorrect data relevant to you. According to Art. 17 GDPR, you have the right to demand that affected data be deleted immediately or, alternatively, in accordance with Art. 18 GDPR you can demand a restriction of the processing of the data.
You have the right to receive the data relevant to you, which you have made available to us, in accordance with Art. 20 GDPR, and to demand its transmission to other responsible parties. You also have the right, according to Art. 77 GDPR, to submit a complaint with the competent supervisory authority.
Right of revocation: You have the right to revoke given consent according to Art. 7 Section 3 GDPR with future effect.
Right of objection: You can object at any time to the future processing of your personal data according to Art. 21 GDPR. The objection can particularly be raised against processing for the purpose of direct advertising.
We follow the guidelines of data avoidance and data minimisation. We therefore only save your personal data for as long as it’s necessary to achieve the purposes outlined here, or for as long as the various storage periods determined by lawmakers allow for. After the completion of the corresponding purpose or the completion of the time limit, the corresponding data will routinely and according to legal guidelines be blocked or deleted.
Standard legal bases
According to Art. 13 GDPR, we disclose the legal basis of our data processing. Insofar as the legal basis is not stated in the data protection statement, the following applies: the legal basis for obtaining consent is Art. 6 Section 1 lit. a) and Art. 7 GDPR; the legal basis for processing in order to perform our services and carry out contractual measures as well as answer queries is Art. 6 Section 1 lit. b) GDPR; the legal basis for processing in order to carry out our legal obligations is Art. 6 Section 1 lit. c) GDPR; and the legal basis for processing in order to protect our legitimate interests is Art. 6 Section 1 lit. f) GDPR. In the case that vital interests of affected individuals or of other persons make the processing of personal data necessary, Art. 6 Section 1 lit. d) GDPR provides the legal basis.
We take adequate technical and organisational measures according to the guidelines of Art. 32 GDPR that consider the state of the art, implementation costs, and the nature, scope, circumstances, and purpose of data processing as well as the varying probability and severity of the risk to the rights and freedoms of natural persons, in order to guarantee a level of security adequate to the risk.
The measures include securing the confidentiality, integrity, and availability of data through the control of physical access to data, as well as the related access, entry, transmission, safeguarding of availability and separation of data. Furthermore, we’ve also established a process which guarantees the observance of individuals’ rights, the deletion of data, and the reaction to data risks. We also already consider the protection of personal data during the development or selection of hardware, software and processes, in accordance with the principle of data protection by design and by data protection-friendly default settings (Art. 25 GDPR).
Cooperation with external processors and third parties
When the data processed by us is made available, transmitted, or otherwise made accessible to other persons and companies (external processors or third parties), this solely occurs on the basis of legal permission (for example when data is transmitted to a third party such as a payment provider, according to Art. 6 Section 1 lit. b) GDPR, in order to fulfil a contractual obligation), if we’ve obtained your consent, if a legal obligation requires this, or if it’s based on our legitimate interests (such as the use of representatives, web hosts, etc.). Insofar as we’ve commissioned third parties with processing data on the basis of a so-called “order management contract,” this occurs on the basis of Art. 28 GDPR.
“Personal data” is all information that refers to an identified or identifiable natural person (hereinafter “affected person”); a natural person is considered identifiable if they can either directly or indirectly be identified via an identifier such as a name, an identification number, location data, an online identifier (such as a cookie), or by one or more special characteristics that are an expression of that natural person’s physical, physiological, genetic, psychological, economic, cultural, or social identity.
“Processing” refers to every process, either assisted or unassisted by automated procedures, or to a series of processes in connection with personal data. The term can be widely applied and refers to basically every use of data.
“Pseudonymising” is the processing of personal data in such a way that the personal data can’t be assigned to a specific person without additional information, insofar as this additional information is stored separately and technical and organisational measures have been taken in order to ensure that the personal data cannot be assigned to an identified or identifiable natural person.
“Profiling” refers to any kind of automated processing of personal data which consists of using this personal data in order to evaluate personal aspects that relate to a natural person, especially when it comes to analysing or predicting aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of location of this natural person.
A “responsible party” refers to a natural person or legal entity, authority, institution, or other position which decides over the purpose and methods of processing personal data, either alone or together with others.
A “processor” is a natural person or legal entity, authority, institution, or other position who processes personal data on behalf of the responsible party.