Our duty to provide information in accordance with Art. 13 and 14 GDPR can be found here:

Obligation to provide information Art. 13 and 14 customer data and prospective customer data

We would like to inform you about how we handle your personal data and what rights you have under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The responsibility for data processing lies with the organization OSCOMED GmbH (hereinafter referred to as "we" or "us").

Responsibilities

The controller for the processing of your personal data is:

OSCOMED GmbH
Am Lindenbach 3
96515 Sonneberg
Germany
Phone: +49 3675 - 4 39 70 – 0
E-Mail: datenschutzkoordinator@oscomed.de

General information on the legal basis for data processing

"Personal data" means any information relating to a specific individual. We process this data in accordance with the applicable data protection laws, in particular the GDPR and the BDSG. We may only process personal data if we have legal permission.
We process personal data only with your consent, in order to enter into a contract with you or to respond to your request in connection with a potential business relationship, to comply with legal obligations or to protect our legitimate interests, provided that this does not adversely affect your interests or fundamental rights and freedoms that require the protection of personal data.

Storage period of personal data

We will only store your data for as long as it is necessary to achieve the purpose of the processing or to fulfil our contractual or legal obligations, unless otherwise stated in the following information. Legal retention obligations may arise from commercial or tax regulations. After the end of the calendar year in which we collected the data, we will retain personal data contained in our accounting records for ten years and personal data contained in business letters and contracts for six years. Furthermore, we will retain data in connection with verifiable consents as well as complaints and claims for the duration of the statutory limitation periods or for the periods specifically requested by you that must be followed in the production of medical devices. Data stored for advertising purposes will be deleted if you object to the processing for this purpose.

Processing when exercising your rights

If you wish to exercise your rights under Articles 15 to 22 of the GDPR, we will process the personal data you provide in order to implement these rights and to be able to provide evidence of this. We will process the data stored for the purpose of providing information and preparation exclusively for this purpose and for data protection control purposes and otherwise restrict the processing in accordance with Article 18 of the GDPR.
This processing is based on the legal basis of Article 6 (1) (c) of the GDPR in conjunction with Articles 15 to 22 of the GDPR and Section 34 (2) of the BDSG.

Rights of the data subject

The General Data Protection Regulation (GDPR) guarantees certain rights to each data subject in relation to their personal data. These include:

  • The right of access: Every data subject has the right to obtain confirmation from us as to whether personal data is being processed and to access this data, as well as further information and copies of such data.
  • The right to rectification: Every data subject has the right to request the rectification of inaccurate personal data without undue delay.
  • The right to erasure ("right to be forgotten"): Every data subject has the right to request the erasure of their personal data without undue delay.
  • The right to restriction of processing: Every data subject has the right to request the restriction of the processing of his or her personal data.
  • The right to data portability: Every data subject has the right to receive the personal data concerning him or her that he or she has provided to us in a structured, commonly used and machine-readable format.
  • The right to object: Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her on the basis of Art. 6 (1) (e) or (f) GDPR. If we process personal data about the data subject for the purpose of direct marketing, the data subject may object to this processing in accordance with Art. 21 (2) and (3) GDPR.
    Please send the objection in writing to:

    OSCOMED GmbH

    Data Protection Coordinator
    Mr. Bernd Brückner
    Am Lindenbach 3
    D-96515 Sonneberg
    E-Mail: datenschutzkoordinator@oscomed.de

The data subject also has the right to complain to a supervisory authority if he or she considers that the processing of his or her personal data infringes the GDPR.
The supervisory authority responsible for us is: Thuringian State Commissioner for Data Protection and Freedom of Information

Information on the processing of personal data

Processing framework, purpose and legal basis for processing

Purpose of processing

We process your personal data to the extent necessary to fulfil the following purposes:

  • Fulfilment of contractual obligations (order, payment processing, invoicing)
  • Collection, processing or use of personal data to fulfil the business purpose as well as for pre-contractual measures (e.g. to prepare offers, process enquiries)
  • Maintaining business contact and informing the business partner about new products and services
  • Conducting satisfaction surveys
  • Legal obligation to process (e.g. due to tax regulations)
  • Conducting telephone conferences, online meetings and video conferences

Legal basis

The legal basis for the processing of your personal data for the above purposes is/are

  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
  • Performance of a contract (Art. 6 para. 1 lit. b GDPR)
  • Legal obligations (Art. 6 para. 1 lit. c GDPR)
  • Legitimate interest (Art. 6 para. 1 lit. f GDPR)

Sources of personal data

The stored data was collected within the framework of our contractual relationship and for the initiation of contracts as well as individual orders, or it was created in the context of business relationships and business initiation. The data is stored for the purpose of fulfilling and processing the orders placed with us as well as for the documentation and archiving obligations under commercial and tax law, e.g. recording from entries in the ERP system, signatures from e-mails and documents. In this respect, the processing of your data is carried out on the basis of Article 6 (1) (b), (c), (f) of the EU GDPR.

If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of such data.

  • Collected from the data subject
  • Technical, automatic transmission
  • From the person concerned

Categories of personal data

If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.

  • Contact details
  • Communication
  • Customer
  • Name
  • Billing and payment data
  • Address
  • Order and contract data
  • Meeting metadata
  • Log
  • Text, audio, and video data

Legitimate interests

The indication of the "legitimate interests" of the controller or the third party pursued with the processing of personal data refers to Art. 6 (1) sentence 1 lit. f GDPR.

  • Corporate interest

Storage period

We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this period.

  • 10 years: Annual financial statements, opening balance sheets, trading and business books, records, work instructions, organisational documents, invoices and accounting documents (HGB, AO, EStG, KStG, GewStG, UStG, AktG, GmbHG, GenG)
  • 30 years: Enforceable titles
  • 6 years: Commercial and business letters as well as other documents (HGB, BGB)
  • Legal and normative provisions with a specific storage period for medical device law
  • Individual archiving obligations of customers

Possible consequences of not providing

The provision of personal data by the data subject may be required on a legal or contractual basis or may be necessary for the conclusion of a contract. There may also be a legal obligation to provide the data.

Failure to provide the personal data could result in the following effects:

  • The contract cannot be properly performed. Legal obligations cannot be guaranteed.

Automated decision-making and profiling

No automated decision-making procedures according to Art. 22 GDPR or other profiling measures (Art. 4 No. GDPR) are used.

Data recipients

Recipients of the personal data outside the organisation

Article 4(9) of the General Data Protection Regulation (GDPR) defines the term "recipient" as "the natural or legal person, public authority, agency or any other body to which personal data is transferred, whether or not it is a third party".

  • Website providers
  • IT service providers
  • Software Providers
  • Disposal company
  • Banks
  • Tax authorities
  • Tax advisor
  • Court
  • Customs
  • Lawyer
  • Law enforcement agencies
  • Notified bodies to review our quality management system and for product files
  • Microsoft Corporation

General information for data transfers to third countries

In the course of our data processing, it may happen that certain personal data is transferred to countries in which the EU General Data Protection Regulation (EU GDPR) does not apply (so-called third countries). Such a transfer is only permissible if the European Commission has established that an adequate level of data protection is guaranteed in the third country concerned. In the absence of such an adequacy decision by the European Commission, personal data may only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 GDPR or one of the requirements of Art. 49 GDPR is met.
Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data to third countries. The data subject has the right to obtain a copy of or to inspect these EU Standard Data Protection Clauses. To do so, we recommend using the contact details provided under Responsibilities.

If the data subject expressly consents to the transfer of personal data, the transfer takes place on the legal basis of Art. 49 (1) (a) GDPR.

Transfer of data to a third country or international organization with standard contractual clauses

A transfer of personal data to an "international organization" (within the meaning of Art. 4 No. 26 GDPR) or to controllers, processors or other recipients in a state outside the European Union (EU) and the European Economic Area (EEA) entails special data protection risks from the point of view of the data subject.

We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA):

  • Data transfer to a third country or to an international organization does not take place and is not planned.

Transfer of data to a third country or international organisation with an adequacy decision by the EU Commission

A transfer of personal data to a country outside the European Union (EU) and the European Economic Area (EEA) or to an international organisation is permissible if the European Commission has determined that the country, territory or one or more specific sectors within that country or international organisation ensure an adequate level of protection.

We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA) for whom an adequacy decision exists:

  • Microsoft Corporation (United States of America)

Up-to-dateness and amendment of this information obligation pursuant to Art. 13 and Art. 14 GDPR

This data protection information is currently valid and has the status of 24.04.2024.
Due to changed legal or official requirements, it may become necessary to change this information.