I. Name and Address of the Responsible Person
The person responsible within the meaning of the Basic Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
L-A-W Services GmbH Leipziger Arzneimittelwerk
Tel.: +49 (0) 341 2582-0
II. Data Protection Officer
Our data protection officer is available under email@example.com or by postal letter addressed to our company (please add “Att: Data Protection Officer“).
III. General Information on Data Processing
1. Scope of Processing of Personal Data
We only process personal data of our users if this is necessary to provide a functional website as well as our contents and services. The processing of personal data of our users takes place regularly only after the user has granted his/her consent. An exception applies in those cases where prior consent cannot be obtained for actual reasons and where the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
If and to the extent that we obtain consent from the data subject to the processing activities, Art. 6 subs. 1 a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing.
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 1 subs. 1 b) GDPR serves as the legal basis for the processing.
This also applies for processing activities that are necessary for taking steps prior to entering into a contract.
If and to the extent that the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 1 subs. 1 c) GDPR serves as the legal basis for the processing.
Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 1 subs. 1 d) GDPR serves as the legal basis for the processing.
Where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 1 subs. 1 f) GDPR serves as the legal basis for the processing.
3. Erasure of data and duration of storage
The personal data of the data subject is erased or blocked as soon as the purpose of storage ceases to exist. The data can be stored beyond that time if this is provided for by European or national legislation in EU Regulations, EU laws or other provisions to which the controller is subject. The data is also erased or blocked as soon as the storage period prescribed by the aforesaid regulations expires unless further storage of the data is necessary for the conclusion or performance of a contract.
IV. Provision of the website and generation of log files
1. Description and scope of the data processing
Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected in this context:
- Information on the type of the browser and the browser version used
- Referrer (“referring page“)
- IP adress
- Date and time of access
- Website which is accessed by the system of the user via our website
- Successful loading or error in loading
This data is also stored in the log files of our system. The data is not stored together with other personal data of the user.
2. Legal basis for the data processing
The legal basis for the temporary storage of the data and log files is Art. 6 subs. 1 f) GDPR.
3. Purpose of the data processing
Temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For such purpose, the ID address of the user must be and remain stored during the session.
The data is stored in log files to ensure the functionality of the website. Moreover, the data helps us to optimise the website and ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context.
The said purposes also constitute our legitimate interest in the processing in terms of Art. 6 subs. 1 f) GDPR.
4. Duration of storage
The data is erased when and as soon as it is no longer needed to achieve the purpose of the data collection. Where the data is collected for the purpose of making the website available, the data is erased when and as soon as the relevant session is closed.
Where the data is stored in log files, the data is erased after seven days at the latest. However, the data can also be stored beyond that time. In this case, the IP addresses of the users are erased or masked such that the accessing client can no longer be allocated to such data.
5. Opposition and elimination
The collection of the data for the purpose of making the website available and the storage of the data in log files are indispensable for operating the website. Thus, the user has no possibility to oppose.
Some of the cookies we use are deleted after the end of the browser session, ie after closing your browser (so-called session cookies). Other cookies remain on your device and allow us or our affiliate (third-party cookies) to recognize your browser on your next visit (persistent cookies). If cookies are set, they collect and process individual user information such as browser and location data as well as IP address values on an individual basis. Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie.
In some cases, cookies are used to simplify the ordering process by storing settings (for example, remembering the contents of a virtual shopping cart for a later visit to the website). Insofar as individual cookies implemented by us also process personal data, processing according to Art. 6 para. 1 lit. b GDPR either for the execution of the contract or in accordance with Art. 6 para. 1 lit. f GDPR for the protection of our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the site visit.
We may work with advertising partners, who help us, to make our website more interesting for you. For this purpose, cookies from partner companies will also be stored on your hard drive when you visit our website (Third-party cookies). If we cooperate with the aforementioned advertising partners, you will be informed individually and separately about the use of such cookies and the scope of the information collected in the following paragraphs.
Please note that you can set your browser so that you are informed about the setting of cookies and individually decide on their acceptance or can exclude the acceptance of cookies for specific cases or in general. Each browser differs in the way it manages the cookie settings. This is described in the Help menu of each browser, which explains how to change your cookie settings.
If you do not accept cookies, the functionality of our website may be limited.
VI. Email contact
1. Description and Scope of Data Processing
You can contact us via the email address indicated on our website. In this case, we store the personal data of the user which is transferred in his email.
The so transferred data is not transferred to third parties. The data is exclusively used for processing the conversation.
2. Legal Basis for the Data Processing
The legal basis for the processing of the data that is transferred in the context of an email sent to us is Art. 6 subs. 1 f) GDPR. Where the email contact is established for the purpose of concluding a contract, Art. 6 subs. 1 b) GDPR constitutes an additional legal basis.
3. Purpose of Data Processing
When contacting us by e-mail, the necessary legitimate interest in the processing of the data lies in the contact itself.
3. Duration of Data Storage
The data is erased when and as soon as it is no longer needed to achieve the purpose of the data collection. In the case of personal data transferred to us by email, the data is erased when and as soon as the relevant conversation with the user is terminated. The conversation is deemed terminated when it can be concluded from the specific circumstances of the case that the issue in question has been finally settled.
4. Opposition and elimination
The user has the right to withdraw his consent to the processing of the personal data at any time. When the user contacts us by email, he can oppose the storage of his personal data at any time. In this case, the conversation cannot be continued.
For this, it is sufficient to send us an email in which you communicate your request to: firstname.lastname@example.org.
In this case, all personal data that was stored in the context of contacting us is erased.
VII. Google Maps
We use the map service Google Maps via an API. This service is provided by Google Inc., 1600
Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). To be able to use the functions and features of Google Maps it is necessary to store your IP address. This information is, as a rule, transferred to a server of Google in the USA and stored there. The operator of this website has no influence on this data transfer.
We use Google Maps to ensure attractive online presentation of our services and to make it easy to find our location.
This is a legitimate interest in terms of Art. 6 subs. 1 f) GDPR.
VIII. Rights of the data subjects
When your personal data is processed, you are a data subject in terms of the GDPR and you are entitled to the following rights in the relationship with the controller:
1. Right to information/access
You have the right to request from the controller a confirmation whether personal data concerning you is processed by us.
If such personal data is processed, you have the right to request from the controller information about the following:
- the purposes for which the personal data is processed;
- the categories of personal data which are processed;
- the recipients resp. the categories of recipients to whom personal data concerning you has been or will still be disclosed;
- the scheduled duration of storage of the personal data concerning you or, where no detailed information can be provided on this point, the criteria for the determination of the duration of storage;
- the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of the processing by the controller or a right to object to this processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- all information available on the origin of the data where the personal data is not collected from the data subject;
- the existence of an automated decision-making procedure including profiling according to Art. 22 subs. 1 and 4 GDPR and – at least in these cases – sound information on the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you have the right to request information about appropriate safeguards in terms of Art. 46 GDPR provided in connection with the transfer.
2. Right to rectification
You have the right to rectification and/or completion by the controller if the personal data concerning you which is processed is inaccurate or incomplete. The controller is obliged to rectify the data without undue delay.
3. Right to restriction of the processing
You have the right to request restriction of the processing of the personal data concerning you where any of the following applies:
- the accuracy of the personal data concerning you is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
- you have objected to processing pursuant to Article 21 subs. 1 GDPR pending the verification whether the legitimate grounds of the controller override the grounds you rely on.
Where the processing of your personal data was restricted, your personal data may only be processed, with the exception of storage, with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where the processing was restricted according to the aforementioned conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erase
You have the right to request from the controller erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
- your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- you withdraw the consent on which the processing was based according to Article 6 subs. 1 a) or Art. 9 subs. 2 a) GDPR, and there is no other legal ground for the processing;
- you object to the processing pursuant to Article 21 subs. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 subs. 2 GDPR;
- your personal data has been unlawfully processed;
- our personal data has to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
- your personal data has been collected in relation to the offer of information society services referred to in Article 8 subs. 1 GDPR.
b) Notification of third parties
Where the controller has made your personal data public and is obliged pursuant to Art. 17 subs. 1 GDPR to erase this personal data, the controller, taking account of available technology and the cost of implementation, is obliged to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
The right to erasure does not apply to the extent that the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Art. 9 subs. 2 h) and i) and Art. 9 subs. 3 GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 subs. 1 GDPR in so far as the right referred to under a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- or the establishment, exercise or defence of legal claims.
5. Right to be notified
When you have asserted your right to rectification, erasure or restriction of processing against the controller, the latter is obliged to communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to request the controller to inform you of the aforesaid data recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided, where:
- the processing is based on consent pursuant to Art. 6 subs. 1 a) GDPR or Art. 9 subs. 2 a) GDPR or on a contract pursuant to Art. 6 subs. 1 b) GDPR, and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The exercise of this right must however not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 subs. 1 e) or f) GDPR, including profiling based on those provisions.
In this case, the controller will no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw your consent given under data protection law
You have the right to withdraw your consent given under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing that has taken place based on this consent until the time of the withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or for the performance of, a contract between you and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
However, these decisions must not be based on special categories of personal data referred to in Art. 9 subs. 1 GDPR unless Art. 9 subs. 2 a) or g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests have been implemented.
In the cases referred to in subs. (1) and (3), the controller is obliged to implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this GDPR.
The supervisory authority with which the complaint has been lodged is obliged to inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.