Dear Sir or Madam,
Data protection is important to us and we take it very seriously. We attach great importance to working with you on the basis of mutual trust and pay particular attention to responsible treatment of your personal data.
In accordance with the requirements of the General Data Protection Regulation (GDPR), this data protection notice is to inform you about how your personal data is processed by the Sartorius Group and your rights.
Sartorius AG, Parent Company of
Essen Bioscience and Intellicyt
1. Who is responsible for data processing and who can you contact?
Responsible entity (“Controller”):
Otto Brenner Strasse 20
Phone: +49 551 308 0
You can reach our Data Protection Officer at:
Sartorius Corporate Administration GmbH
Data Protection Officer
Otto Brenner Strasse 20
Phone: +49 551 308 0
Email: email@example.com | firstname.lastname@example.org
2. What sources and data do we use?
We process personal data which we receive from you in the course of our business relationship with you. We receive the data directly from you, e.g. in the context of enquiries, orders, periodical or newsletter subscriptions, or through personal contact with our employees. To the extent necessary to provide our service, we also process your personal data which we permissibly obtain from publicly accessible sources (e.g. commercial registers, association directories, press, internet) or which are transferred to us legitimately by other companies in the Sartorius Group (see Annex 1).
Specifically, we process the following data (among other data):
• master data for contacts (e.g. name, address, contact data)
• order data (e.g. in the context of order transactions)
• documentation (e.g. notes of meetings, visit reports)
• data for initiating and continuing our business relationships
• marketing and sales data (e.g. on products of potential interest to you
3. What do we process your data for (purpose of processing) and on what legal basis?
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz – BDSG). The following section explains the legal basis for processing your data.
3.1 To perform a contract (Art. 6(1)b GDPR)
We process data to perform a contract with you or to take steps at your request prior to entering into a contract. In detail, the purposes of data processing depend on the specific business relationship with you or the specific commission.
3.2 In connection with our legitimate interests, after consideration of your interests (Art. 6(1)f GDPR)
If necessary we process your data beyond actual performance of the contract to protect legitimate interests of ourselves or a third party. This is done for the following purposes, among others:
• general business management
• testing, optimising and further development of products and services
• need analysis of the use of our products, services and websites to address customers directly
• advertising or market and opinion research, unless you have objected
• pursuing legal claims and defence in legal disputes
• ensuring the Groups IT security and operations
• preventing and investigating criminal acts
• transfer of data within the Sartorius Group, to the extent necessary for the business relationship in question
Our interest in processing arises out of the specific purposes and is otherwise commercial in nature (efficient performance of tasks, sales, avoiding legal risks). Where the specific purpose permits, we process your data in pseudonymised or anonymised form.
3.3 Based on your consent (Art. 6(1)a GDPR)
If you have given your consent to the processing of personal data for specific purposes, this consent is the legal basis for the processing as described.
This applies specifically to
• advertising by email and/or phone and development and provision of advertising adapted to match your interests
• mailing of samples, products and information
• registration for programmes or offers
• delivery of other services we have offered you
• surveys on our websites
• transfer of data within the Sartorius Group
• transfer of data to third parties
You can withdraw consent at any time. This also applies to withdrawal of consent given before entry into force of the GDPR, i.e. before 25 May 2018. Withdrawal of consent is only effective for future processing.
3.4 Based on legal requirements (Art. 6(1)c GDPR)
We are subject to various legal obligations, e.g. the Medical Devices Act, Industrial Code, Commercial Code. Purposes for processing include
• implementing our General Terms and Conditions
• managing our business
• processing to comply with statutory retention or documentation obligations
4. Who receives my data?
Your data is transferred within the Sartorius Group if necessary to perform our contractual and statutory obligations or if the internal organisation makes this necessary (e.g. central financing accounting, sales and marketing, logistics). Within the Sartorius Group, appropriate measures in accordance with statutory requirements have been taken to protect your personal data.
We do not forward your personal data to third parties (entities the Sartorius Group) without your prior consent or a legal basis for doing so. A legal obligation is particularly relevant for the following recipients:
• public institutions, supervisory authorities and bodies, e.g. tax authorities
• judicial authorities, law enforcement authorities, such as police, public prosecutors, courts
• attorneys and public notaries, e.g. in insolvency proceedings
• chartered accountants
We further use various service providers (processors within the meaning of Art. 28 GDPR), which we bind contractually in accordance with the requirements of the GDPR and whose compliance we monitor. These include companies in the fields of IT services, printing services, telecommunications, debt collection, consulting and sales and marketing. Processors may only use personal data in accordance with our instructions and for the specific purpose.
An exception to this is onward transfer to service providers such as a package delivery service or forwarding agent, if the transfer is necessary for processing orders or delivering goods. Logistics service providers receive the data necessary for delivery for their own processing. We restrict ourselves to transferring only the data necessary for delivery.
5. Are data transferred to a third country or an international organisation?
We only transfer your data to states outside the European Economic Area (third countries) to the extent
• necessary to carry out your orders,
• required by law, or
• you have consented to.
If we transfer your data to a third country or an international organisation, this is done in accordance with the requirements of the GDPR. In addition, in accordance with the principle of data minimisation we only transfer data which is restricted to the necessary minimum.
In some cases we use service providers whose registered office, parent company or sub-provider are domiciled in a third country. Your data is only transferred then if the European Commission has decided that there is an adequate level of protection in a third country (Art. 45 GDPR), suitable guarantees have been given (e.g. by standard clauses published by the European Commission) and you as a data subject have enforceable rights and effective legal support. We have contractually settled compliance with the EU General Data Protection Regulation and its requirements with the service provider.
6. How long will my data be stored?
So far as necessary, we only process your personal data for the duration of the business relationship, including initiating and completing this together with compliance with statutory retention periods.
If the data are no longer required to perform contractual or statutory obligations, they are erased, unless there are legal obligations of the responsible entity which count against erasure. This can be the case for the following purposes, among others:
• compliance with commercial and tax law retention periods, based on e.g. the Commercial Code, compliance with retention obligations under commercial and tax law, e.g. Commercial Code (HGB), Tax Code (AO), Money Laundering Act (GwG). The retention periods for documentation in these are between two and ten years.
• Retention of evidence under regulations on the statute of limitations. Under Arts 195 et seq. of the Civil Code (BGB) these periods can be up to 30 years, although the normal limit is three years.
7. Do I have an obligation to provide data?
Within the framework of our business relationship you must provide the personal data required for initiation and completion of the business relationship and compliance with the associated contractual obligations, or which we are legally obliged to collect. Without these data we will generally not be able to enter into a business relationship with you and comply with the resulting obligations.
8. To what extent is there automated decision-making including profiling?
There is no automated individual decision-making, including profiling.
9. What data protection rights do I have?
You are welcome to request information from us on our processing of your personal data, in accordance with Art. 15 GDPR. If your information is not (is no longer) accurate, you can require rectification (Art. 16 GDPR), and if your data are incomplete you can require completion. If we have transferred your information to third parties, we inform these third parties of your rectification – if required by law.
In accordance with Art. 17 GDPR you can require erasure of your personal data if
• your personal data are no longer needed for the purpose for which they were collected
• you withdraw your consent and there is no other legal basis
• you object to processing and there are no overriding legitimate grounds for the processing
• your personal data have been unlawfully processed
• your personal data have to be erased for compliance with a legal obligation
Please note that legal obligations on the controller may mean that your data cannot be erased until expiration of a required period or at all.
You also have the right to restrict processing under Art. 18 GDPR, the right to object under Art. 21 GDPR and the right to data portability under Art. 20 GDPR. The right to information and the right to erasure are subject to restrictions under Arts 34, 35 GDPR. In addition there is a right to complain to a responsible data protection supervisory authority (Art. 77 GDPR in combination with section 19 BDSG).
10. Information on your right to object under Art. 21 GDPR.
Individual right of objection
On grounds relating to your particular situation, you have the right to object to processing of personal data relating to you which is done on the basis of Art. 6(1)f GDPR (processing for reasons of overriding interest) at any time; this also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR. If you object, we will no longer process your personal data, unless we can show legitimate grounds for processing which override your interests, rights and freedoms or the processing is for the purpose of asserting, exercising or defending legal claims.
Right to object to processing of data for purposes of direct marketing
We can also use your data for direct marketing within the framework of legal provisions. You have the right to object at any time to the processing of your personal data for purposes of direct marketing; this also applies to profiling, if this is in connection with such direct marketing. If you object to processing for purposes of direct marketing we will no longer process your personal data for these purposes. No special form is required for the objection. You can find our contact data under (1) above.