The protection of personal data and the responsible handling of information you entrust to us are an important and particular concern. medac GmbH (medac) processes personal data only in accordance with the statutory regulations. Specifically, these are the EU General Data Protection Regulation (GDPR) and the (German) Federal Data Protection Act (BDSG).
This data protection declaration is to inform you how, to what extent and for what purposes we process personal data connected with your use of our website.
1. Controller and Data Protection Officer
Controller within its meaning under data protection law: medac GmbH, Theaterstraße 6, 22880 Wedel (Company information)
Data Protection Officer: medac GmbH, Dr. Anna-Kristina Roschek, Theaterstraße 6, 22880 Wedel Tel. +49 (0)4103 - 8006-0
2. Website: Processing of your personal data
The processing of personal data to the extent described in section 2.1 is necessary for the use of this website. In addition to this, personal data are processed in the cases described in section 2.2 following.
2.1. Data processing to enable you to use the website
When you visit our website, we collect the data necessary to enable you to use it in that instance (usage data). These data include your IP address and data on the start, end and subject of your use of the website and the technical information transmitted by your browser (e.g. browser type, operating system and previously visited website). These data serve to ensure that a smooth connection is established, to assess system security and stability and other administrative purposes in our legitimate interests (Article 6, Paragraph 1, letter f GDPR).
When you visit our website, it may happen that data in the form of cookies are downloaded onto your computer. Cookies are small text files which are sent from a web server to your browser and stored on the hard drive of your computer. This makes it possible for you to be recognised when you visit the website again. In this way we can ensure better functionality of the website or conduct web analytics (see section 2.3).
There are various types of cookie. There is a difference between cookies which are placed by the website operator when the website is visited (also known as first party cookies) and cookies which are placed by third-party providers (third-party cookies). We have technical control only over the first type of cookie. There are also cookies which are stored on your computer only during your visit (session cookies) and cookies which are stored for a longer period.
Most browsers are set up in such a way that they automatically accept cookies. You can de-activate the storage of cookies in your browser and always have the option of deleting them from your hard drive. We would like to point out that without cookies, you are restricted in your use of what is on offer on our website.
However, you can use your browser to block only certain cookies (e.g. third-party cookies), for example if you wish to disable web tracking. You can find more information on this in your browser’s help function. You can find more information on third-party cookies which are placed or processed on visits to our website in section 2.3 and in the data protection declarations by the third parties in question.
2.3. Pseudonymised user profiles for advertising and market research (web tracking and web analytics)
We use web tracking systems for advertising, market research and to make the use of our website as convenient as possible for you. In this web tracking, data on the use of our website are stored in pseudonymised user profiles (your IP address is anonymised for this purpose). This allows us to develop our website further and even further attune the content to your needs. The pseudonymised user profiles are not merged with personal data.
You can veto the setting up of pseudonymised user profiles. For one thing, you can block the placing of cookies in your browser (see section 2.2). You can also install a privacy protection plug-in in your browser that gives you the option of disabling tracking – e.g. AdBlock, Ghostery or NoScript (please note the data protection information provided by the relevant plug-in provider).
The tracking technologies used on our website (which include, in particular, cookies (see 2.2)) and the service provider which processes user data in pseudonymised profiles for the purposes mentioned are described below. In addition, the link to the service provider’s data protection declaration is given, and we explain how you can selectively turn future web tracking by the service providers off or on. Usually, a special cookie for turning off tracking is stored on your end device; it blocks the future collection by the service provider of user data from your end devices; please note that you may need to download this cookie again if you delete cookies from your computer.
2.4. Google Analytics
You can prevent storage of cookies by applying the appropriate settings of your browser software or by declining them (see 2.2) or by means of a privacy plug-in (see 2.3). You can also block the transfer of the data generated by the cookie and relating to your use of the website (incl. your IP address) to Google and the processing of these data by Google by downloading and installing the browser plug-in available on the following link (http://tools.google.com/dlpage/gaoptout?hl=de).
Alternatively, you can block recording by Google Analytics by setting an “opt-out” cookie on your computer. Use the following link for this: Set opt-out cookie
You can find more information on data protection with Google Analytics at: www.google.com/intl/en/policies/.
2.5. Google Tag Manager
3. Data processing, if you use other functions of the website
In principle, you do not need to supply personal data in order to use our website. Apart from the cases described in section 2, data collection and processing takes place only if you voluntarily indicate your data. If you do not make any other personal data available to us, you may not be able to use the functions described in this section. Other than this, there will be no consequences for you.
We process your personal data if you use the following functions:
3.1. Contact form
If you contact us by means of the contact form, we store your details (name, e-mail address, telephone number if applicable, and the text of your enquiry) and process these in order to deal with your enquiry.
If this is necessary to answer your enquiry or if your enquiry is related to this, we forward your details under some circumstances to another company in the medac group (e.g., if your enquiry relates to a contract or a customer relationship with another medac company or its products).
The legal basis for this data processing is – according to the subject of your enquiry – the permissibility of processing in the context of contract negotiations, a contract or our legitimate interests connected with the provision of a contact form for general enquiries (Article 6 Paragraph 1 letter a or f GDPR).
3.2. Areas reserved for professional visitors
Professional visitors to our website (doctors, pharmacists and members of certain other health care professions) can use areas of our online content that are closed to members of the general public if they have registered as such beforehand. This registration is done via DocCheck. You can access closed areas of our website using the password assigned to you during registration.
DocCheck password protection
DocCheck uses so-called cookies - text files which are stored in the user’s browser - to facilitate use of the services. The information generated by these cookies is transmitted only to DocCheck servers and is not shared either with the website operator or any other third parties. There is no transfer of data to countries outside the EU.
Permits a single sign-in for all DocCheck logins.
Expires after: 1 session
Used to provide customised content on the basis of pseudonymised characteristics (e.g. occupation, country, language).
Expires after: 1 year
In the context of the use of DocCheck password protection, DocCheck collects the user’s so-called protocol data (IP address, date of access, time of access, referrer URL, information on hardware and software used and, for example, browser features, device information such as resolution) from the website of the information provider which embeds the login into the website using “embed” or iFrame.
These data are not used to draw conclusions about the person, but serve to ensure the correct presentation of the page or iFrame content and/or the security of the DocCheck services.
We expressly advise you that DocCheck is a separate service provider to which medac directs you within the login screen provided on its website. medac has no influence on the collection, processing and use of your data by DocCheck. Please go to the DocCheck website for information on their measures for protecting your personal data: info.doccheck.com/com/privacy/
3.3. Careers portal
In the context of online applications, we collect data about you. These include, in particular, your personal data with contact information and a description of your education and training, work experience and skills. In addition, you have the option of sending us electronically stored documents such as references/certificates or covering letters.
You have the option of setting up an online applicant profile so that you do not need to enter your data repeatedly if you are making multiple applications.
This information is used only by the relevant medac human resources officers and only within the application process and for the purpose of dealing with your application. If your application is unsuccessful, these data are deleted three months after completion of the application process, unless you have expressly consented to longer storage.
The legal basis of processing is Article 88 GDPR in conjunction with section 26 of the BDSG for the decision regarding the basis of an employment relationship.
3.4. Google Maps
On some of our pages there is a plug-in which shows map sections from Google Maps. Google Maps is operated by Google LLC (known hereafter as “Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For this, a connection is set up between your browser and Google’s servers – as if you were visiting the website of the Google search engine. Google itself is responsible for the data processing. Tracking by Google on our website does not take place.
You will find more information on the use of Google Maps in the Google Maps terms of service. For information on the protection of your privacy, please go to https://www.google.com/intl/en/policies.
4. Forwarding to third parties
Your personal data are forwarded to third parties in the case mentioned in 2.4 and 2.5 (to Google) and under certain circumstances in the cases mentioned in 3.1 (to companies in the medac group). To provide the careers portal (Number error! Reference source not found), we use the service provider Haufe Service Center GmbH for the technical aspects. In addition to its statutory obligation to comply with all data protection regulations, our service provider is also bound by us to other contractual data protection requirements. This includes a duty as a processor in accordance with Article 28 Paragraph 3 GDPR.
Apart from that, we forward personal data to third parties only if statutory permission exists for this or you have previously given consent to this. You can revoke any consent you may have given at any time with future effect. We forward your data to government bodies only as part of statutory duties or as ordered by the authorities or as ruled by a court of law and only to the extent that this is permissible under data protection law.
5. Forwarding to countries outside the EU
Forwarding to countries outside the EU and the EEA (third countries) is strictly unnecessary for the purposes mentioned in section 3 and therefore does not take place. Apart from that, we forward data to third countries only if there is assurance that the recipient of the data can guarantee an appropriate standard of data protection within the meaning of Chapter V of the GDPR and that no other legitimate interests oppose the forwarding of the data. To ensure that the recipient of the data offers an appropriate standard of protection, we use, in particular, the model contracts of the EU Commission for the forwarding of personal data to third countries. The service provider for analytics and advertising, Google (see 2.4 and 2.5), has EU-US Privacy Shield certification, which ensures an appropriate standard of data protection.
6. Data security
medac has taken the necessary technical and organisational steps to protect the personal data provided by you against loss, destruction, manipulation and unauthorised access. To protect our users’ personal data, we use a secure online transfer protocol known as secure socket layer (SSL) transfer. You can recognise it by the “s” added to the “http://” part of the address (“https://”) and by a green lock symbol displayed in the browser. By clicking the symbol, you get information about the SSL certificate used. SSL encryption ensures secure and complete transfer of your data.
Pseudonymised user profiles (section 3.2) are deleted 24 months after the last new entry. Apart from that, we delete your personal data as soon as they are no longer required for the purposes of collection and processing and if no statutory obligations to retain data forbid this. Statutory obligations to retain data arise particularly from German legislation on tax and trade, and on medicinal products.
8. Your rights
Data protection law accords you a number of rights in respect of data concerning your person (known as rights of the data subject). In general, these are
- the right to demand information about the personal data stored about you,
- the right to rectification of inaccurate data,
- the right to erasure of data which are no longer permitted to be stored,
- the right to restriction of processing in certain cases,
- the right to object to processing if this is based on legitimate interests and you assert justified opposing interests in your situation (Article 21, Paragraph 1 GDPR),
- the right to object to processing for purposes of direct marketing (Article 21, Paragraph 2 GDPR),
- the right to data portability, i.e. to the transfer to you or to a third party, in electronic form, of data which you have provided, and
- the right to revoke any consents granted with future effect.
It emerges from the law, i.e. the GDPR and the BDSG, whether and to what extent these rights exist in the individual case and what conditions apply. You also have the right to complain to the competent data protection authority. However, if you have questions or complaints about data protection at medac, we recommend that you contact our data protection officer first (see section 1).
9. No automated individual decision-making
We do not use your personal data for automated individual decision-making within the meaning of Article 22, Paragraph 1 GDPR.
10. Amendment of the data protection declaration
New legal requirements, corporate decisions or technical development may require amendments to our data protection declaration. The data protection declaration will then be modified accordingly. You will always find the most up-to-date version on our website.
Last updated: April 2019