Data protection notice

Dear Customer,

Please allow us to present this data protection notice to inform you about how your personal data are processed by Dermaroller GmbH and about the rights available to you as an affected person according to the new EU General Data Protection Regulation (GDPR) and the new German Data Protection Act (BDSG), which has been in effect since 25 May 2018.

Person responsible for processing your personal data

mi.to. pharm GmbH
Wilhelm-Mast-Straße 8
38304 Wolfenbüttel (Germany)

Phone: +49 5331 7108488
Fax: +49 5331 7108489

E-mail: Datenschutz@dermaroller.de

Data protection officer

Company: BEL NET GmbH
Mr Marco Sebastian Schuller

You can reach our data protection officer at:
Phone: 0049 (0)531 2144178

Post: Christian-Pommer-Strasse 23, 38112 Braunschweig, Germany
E-mail: Datenschutz@dermaroller.de

Purpose and legal basis for data processing

We process your personal data exclusively according to the legal specifications of the EU General Data Protection Regulation (GDPR), the new German Data Protection Act (BDSG), and individually relevant industry-specific laws as required. For this reason, we only process your data if there is a contractual basis for this, you have given us your consent to process the data, or a law concerning processing your data permits this or obligates us to do so.

Data processing for the purpose of contract fulfilment or completion of pre-contractual measures

We process your personal data that you provided to us using the order form or via telephone, provided this is required for contract completion, contract fulfilment, and termination of the contractual relationship. In addition to data involving services or products ordered by you, this includes your first name, last name, your customer name, and your address.
In order to enable correct contract fulfilment and to contact you in case of questions or problems as quickly as possible, we also process your telephone or mobile phone number and/or your e-mail address, provided you have provided this to us for this purpose.
The legal basis for data processing to fulfil a contract and to complete pre-contractual measures is normally provided by Art. 6 Para. 1 lit. b GDPR.

Data processing for the purpose of safeguarding justified interests of the responsible party or a third party

Furthermore, we process your data if this is required to safeguard our justified interests or the justified interests of a third party. Processing completed by us on the basis of a justified interest includes regular direct marketing for our own products, sending newsletters, creation of internal statistics, legally prescribed or court-ordered cooperation during examination of criminal activities, and measures to ensure the regular operations of our IT structure.
The legal basis for data processing to maintain a justified interest on behalf of the responsible party or a third party shall be Art. 6 Para. 1 lit. f GDPR.

Data processing to fulfil a legal obligation

We shall also process your data if this is required to fulfil a legal obligation that we are subject to. In particular, the obligations that must be fulfilled by us include legal taxation obligations and commercial storage obligations. European and international medical product laws specify a regulatory requirement to store customer order data, which nevertheless does not extend beyond the legally prescribed financial obligation.
The legal basis for processing to fulfil a legal obligation is provided by Art. 6 Para. 1 lit. c GDPR in connection with the respective relevant legal standard.

Data processing on the basis of consent and for other purposes

As required, we also process your personal data, provided you have explicitly consented to this (compare Art. 6 Para. 1 lit. a GDPR). In these cases, we shall provide you additional legal data protection information separately within the scope of the consent process. You may withdraw your consent at any time via the contact data indicated above.
If we process your personal data in the future for additional purposes not specified within the scope of this data protection notice, we shall inform you about this separately as required according to the legal provisions.

Categories of recipients of personal data

Data processing within the company group

Within the scope of our management activities and fulfilment of the contract, it may be necessary to transfer your personal data to the company involved with the respective data processing tasks within our company group. The following data are provided in this case to the following company within our company group for fulfilment:
Your name, your delivery address, telephone number for the purposes of delivering the goods via mi.to.pharm GmbH, Wilhelm-Mast-Str. 8, 38304 Wolfenbüttel, Germany, telephone number: 0049 (0)5331 7108488, e-mail: info@mi-to-pharm.de.

External service providers

Our external service providers, who complete data processing on our behalf, are contractually obligated within the context of Art. 28 GDPR to treat personal data according to the applicable legal regulations. Insofar as these companies come into contact with your personal data, we have ensured via legal, technical, and organisational measures and regular checks that these companies adhere to the regulations of the data protection laws. We currently use the following types of services for processing your data: IT service provider, enterprise resource program, courier services.

Authorities

We shall provide your personal data to the authorities as required if this is required within the scope of our legal reporting obligations.

Data transfer to a non-EU country

As a rule, we do not transfer your personal data to a non-EU country or international organisation outside of the European Economic Area (EEA). If we complete a transfer of this nature in individual cases, then this shall only take place involving non-EU countries that have received a certificate of suitability from the European Commission or where the data protection level has been confirmed by suitable guarantees (e.g. binding corporate rules or EU standard contractual clauses).

Duration of data storage

We shall only store your personal data within the scope of the purposes indicated above and for the period during which we can expect the enforcement of legal claims against us. The legal limitation period for these claims may last for between three and thirty years in individual cases.
Furthermore, we shall store your personal data as far as we are obligated to do so within the scope of legal proof and storage obligations (for example, according to the commercial code, tax code, or money laundering act). The legal storage periods may last for up to ten years. Furthermore, exceptional cases may require special proof obligations, which make storage of your personal data necessary for a longer period.

Rights of the affected persons

As an affected person, you enjoy the following rights vis-a-vis our company according to Art. 15 ff. GDPR:
Right to information
You have the right to demand information from us about whether we are processing personal data affecting you. If this is the case, then you have the right to demand information about this personal data from us.
Right to correction
You have the right to demand that we correct incorrect personal data affecting you.
Right to deletion
In certain cases, you have the right to demand that we delete personal data affecting you immediately.
Right to limit processing
In certain cases, you have the right to demand that we limit processing of personal data affecting you.
Right to transfer data
You have the right to receive personal data affecting you that you have provided to us in a structured, conventional, and machine-readable format from us.
Right to object to processing
Based on reasons resulting from your particular situation, you have the right at all times to object to processing personal data affecting you on the basis of Art. 6 Para. 1 lit. e or f GDPR. If we use your data for direct marketing, you may object to this at any time.
Right to withdraw
If you have consented to our use of your personal data, you may withdraw this at any time.

Data protection supervisory authority

You also have the option of complaining to the data protection supervisory authority concerning our processing of your personal data. The responsible data protection supervisory authority is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstrasse 5
30159 Hanover, Germany

If you have additional questions or remarks, you may contact us or our data protection officer at any time.

Date: 25.05.2018