Data protection information

OBLIGATIONS TO PROVIDE INFORMATION PURSUANT TO ARTICLE 13 OF THE GENERAL DATA PROTECTION REGULATION (GDPR)

The protection of your personal data is one of our prime concerns. We therefore process your personal data (‘data’ for short) solely in line with legal requirements. We have prepared this Privacy Statement to inform you about the processing of your data in our company and the data protection rights and remedies to which you are entitled in accordance with of Article 13 of the General Data Protection Regulation (GDPR).

1.Who is responsible for the data processing (i.e. the ‘data controller’) and who can you contact?

The data controller is
CytoSorbents Europe GmbH
Müggelseedamm 131
12587 Berlin, Germany
datasecurity@cytosorbents.com
+49 (0)30 6549 9145

The company’s data protection officer is
Richard Söldner
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg, Germany
Emil: rs@projekt29.de
Phone: +49 (0)941 2986 930


2. What data is processed and where does this data come from?

We process the data that we have received from you during the initiation or processing of a contract, on the basis of consent, or as part of your application to us or your employment with us.

Personal data includes:
Your master data/contact details – for customers, this includes e.g. the first and last names, address, contact details (email address, phone number, fax), and bank details.
For applicants and employees, this includes e.g. the first and last names, address, contact details (email address, phone number, fax), date of birth, data from CV and employment references, bank details, religion, and photos.
For business partners, this includes e.g. the name of your legal representative, company, company registration number, VAT number, company ID number, address, contact details (email address, telephone number, fax number), and bank details.
For visitors to our company this includes the name and signature.
For journalists, this includes the first and last name, email, address, and fax number.
For competition participants, this includes the first and last name, and email, address.

We additionally process the following personal data:

  • Information on the type and content of contract data, order data, sales and receipt data, customer and supplier history and advisory documents,
  • Advertising and sales data,
  • Information from you electronic communication with us (e.g. IP address, log-in data),
  • Other data that we have received from you as part of our business relationship (e.g. in customer meetings),
  • Data that we generate ourselves from master data/contact details and other data, e.g. by means of customer requirements and potential analyses,
  • The documentation of your consent to receive e.g. newsletters.
  • Photographs taken during events.

3. For what purposes and on what legal bases is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act 2018, as amended:

To fulfill (pre-)contractual obligations (Art 6, para 1 (b) GDPR):
Your data is processed in order to execute contracts formed online or in one of our branches, or to process your employment in our company. The data is processed in particular when the business is initiated and during execution of the contracts with you.

To fulfill legal obligations (Art 6, para 1 (c) GDPR):
Your data is processed for the purpose of fulfilling various legal obligations, e.g. required by German trading and tax legislation.

To safeguard legitimate interests (Art 6, para 1 (f) GDPR):
Based on a weighing up of interests, data may be processed beyond the actual fulfillment of the contract in order to safeguard our legitimate interests or those of third parties. Data may be processed in order to safeguard legitimate interests in the following cases, for example:
– Advertising or marketing (see point 4),
– Business management and the further development of products and services;
– Maintenance of a group-wide customer database to improve customer service
– Within the context of legal disputes
– Dispatch of non-promotional information and press releases.

Further to your consent (Art 6, para 1 (a) GDPR):
If you have given us consent to process your data, e.g. for sending our newsletter, publishing photos, competitions, etc.


4. Processing of personal data for advertising purposes
You may object to the use of your personal data for advertising purposes at any time, either in general or on a case-by-case basis, without incurring costs other than the transmission costs at basic rates.
Under the legal requirements of Section 7 (3) of the German Act Against Unfair Competition (UWG), we are entitled to use the email address provided by you when concluding the contract for the direct advertisement of similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.
If you do not wish to receive email recommendations of this type from us, you may object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs at basic rates. A notification in text form is sufficient in this regard. Every email will of course contain a link for you to opt out.


5. Who will receive my data?

If we use a third-party service provider for order processing, we will still be responsible for protecting your data. All contract processors are contractually obliged to treat your data confidentially and to process it only within the framework of their provision of services. The third parties engaged by us will receive your data if they require the data to render their respective performance. These third parties are IT service providers that we need for the operation and security of our IT system, for example, and advertising and mailing list providers for our own advertising campaigns.
Your data is processed in our customer database. The customer database assists with the improvement of the data quality of existing customer data (duplicate cleanup, moved away/deceased indicator, address correction), and allows enrichment with data from public sources.
This data is provided to the companies within the Group if necessary for the execution of the contract. Customer data is stored separately for each company, with our parent company acting as a service provider for the individual participating companies.
Where there is a legal obligation to do so or as part of a prosecution, your data may be released to authorities and courts as well as to external auditors.
In addition, for the purpose of contract initiation and fulfillment, insurance companies, banks, credit agencies, and service providers may be recipients of your data.


6. How long will my data be stored?

We will process your data until the termination of the business relationship or until the expiry of the applicable statutory retention periods (for example, in line with trading, tax, or working time legislation); in addition, until the termination of any legal disputes in which the data is required as evidence.


7. Is personal data transmitted to a third country?

In principle, we do not transmit any data to a third country. Transmission in individual cases will only take place on the basis of an adequacy decision by the European Commission, standard contractual clauses, appropriate guarantees, or your express consent.


8. What data privacy rights do I have?

You have the right at any time to information, to have your stored data corrected or deleted and its processing restricted, the right to object to the processing of your data, the right to data portability, and the right to file a complaint in accordance with the requirements of data protection law.

Right to information:
You can ask us for information as to whether and to what extent we process your data.

Right to have your data corrected:
If we process data relating to you that is incomplete or inaccurate, you can demand at any time that we correct or complete this data.

Right to have your data deleted:
You may ask us to delete your data if we are processing it unlawfully, or if the processing disproportionately interferes with your legitimate interests in protection. Please note that there may be reasons preventing us from deleting your data immediately e.g. if statutory retention requirements exist.
Regardless of whether you exercise your right to deletion, we will delete your data promptly and in full unless a contractual or statutory retention obligation prevents us from doing so.

Right to have data processing restricted:
You can demand that we restrict the processing of your data if
– you dispute the accuracy of the data for a period of time that allows us to verify the accuracy of the data,
– the processing of the data is unlawful, but you decline the option to have the data deleted and instead demand that its usage is restricted,
– we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
–  you have objected to the processing of the data.

Right to data portability:
You can demand that we provide you with the information you have made available to us in a structured, common and machine-readable format, and in a manner that allows you to transfer that information to another data controller without hindrance, provided that
– we are processing this data based on your revocable consent or for the execution of a contract between us, and
– this processing is being performed with the aid of automated processes.
Where technically feasible, you can demand that we transfer your data directly to another data controller.

Right to object:
If we are processing your data due to a legitimate interest, you can object to this data processing at any time; this would also apply to any profiling supported by these provisions. We would then stop processing your data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or where the processing is being used for asserting, exercising or defending legal claims. You can object to the processing of your data for the purposes of direct advertising at any time without stating a reason.

Right to lodge a complaint:
If you believe that we are violating German or European data protection laws when processing your data, we would ask that you contact us for clarification. You naturally also have the right to contact the responsible supervisory authority, the relevant State Office for the Supervision of Data Protection (Landesamt für Datenschutzaufsicht).
If you wish to exercise one of the above-mentioned rights, please contact our data protection officer. If in doubt, we may request additional information to confirm your identity.


9. Am I obliged to provide data?

The processing of your data is necessary for the conclusion or execution of the contract you have entered into with us. If you do not provide us with this data, we will generally have to refuse to conclude the contract or may no longer be able to execute an existing contract, which we will have to terminate as a consequence. However, you are not obliged to give your consent for data processing with regard to data that is not relevant or legally required for the fulfillment of the contract.