
Website users / Customers / Suppliers / Visitors / Applicants Privacy Notice

The purpose of this privacy notice is to let you know how HARTMANN UK & I (you may also know us as Paul Hartmann Ltd, HARTMANN or Hartmann Direct) processes your personal data, in particular the reason we process it, how we keep it secure and who we share it with. We want to make this notice as easy as possible to understand, so we recommend that you read this main page, then click through to specific details depending on your relationship with us.

Who we are, our role and how to contact us

We are HARTMANN UK & I (Paul Hartmann Ltd), registered at UK Companies House under number 01523121. We are based at Heywood Distribution Park, Heywood, OL10 2TT.

Our fee payer registration ID with the UK Data Protection Authority (ICO) is Z4568444.

Our Data Protection Officer is based in the UK and can be contacted here:

PAUL HARTMANN UKI
Data Protection Officer
Unit P2 Parklands
Heywood Distribution Park, Pilsworth

OL10 2TT
E-Mail: gareth.jones@hartmann.info

Alternatively, drop us a line at ukdataprotection@hartmann.info if that’s easier for you and we will make sure you get the help you need.

HARTMANN UK & I plays a dual role when it comes to data protection; if you receive products from us via the NHS, then we are a Data Processor of your data. That means all decisions about the processing are made by the NHS and you should contact your healthcare provider for details.

We are the Data Controller for the following individuals:

  • Direct customers of ours
  • Suppliers
  • Potential employees
  • Clinical study participants
  • Visitors to our offices and to our website

In terms of the Data Protection Act 2018 and the GDPR, that means we are trusted to look after and deal with your personal information in accordance with this notice. We determine the ways and means of processing and must therefore be accountable for it.

What data do we process?

To find out more about the types of personal data we process where we are the Controller, please click on the privacy notice most appropriate for your relationship with us.

I am a potential employee

1. Responsible party and contact information

Responsible party:

PAUL HARTMANN UKI

P2 Parklands

Heywood Distribution Park

Pilsworth Road

Heywood

OL10 2TT

Phone: (+44) 01706 363 200

E-Mail: info@hartmann.info

Contact Data Protection:

Data Protection Officer

PAUL HARTMANN UKI

P2 Parklands

Heywood Distribution Park

Pilsworth Road

Heywood

OL10 2TT

E-Mail: ukdataprotection@hartmann.info

2. Data protection principles, Candidate profile

We process your personal data in accordance with the provisions of the GDPR and other applicable data protection regulations. You will find details under the following explanations.

Before applying for an open vacancy, being included in our talent pool, etc. it is necessary to create your own candidate profile. This profile will only be visible to us when you apply for an open vacancy. You can make changes or additions to your candidate profile yourself at any time.

2.1 Purposes in the context of pre-contractual measures

This data protection notice is issued in connection with the application procedure. Your personal data is processed in order to decide on the establishment of an employment relationship with you and to process it. This may also include the performance of an assessment, which especially may include the creation of a personality profile as part of a personality test. Although the evaluation of the personality test is initially automated, the content is then checked by the people involved in the recruitment process. The evaluation can then be included in the decision on whether to establish an employment relationship with you. The evaluation will be handed over to you personally. If personal hand over is not possible, it will be sent to you by post or made available to you by digital means. Of course, we will ensure the best possible digital hand over from an IT-Security perspective according to the state of the art. As part of the application process, your personal data may also be viewed by employees of various specialist departments in the UK, Germany and abroad, but only to the extent that this – as mentioned – serves to establish the employment relationship with you.

2.2 Purposes within the scope of legitimate interests of us or third parties

We process your personal data if it is necessary to protect the legitimate interests of us or third parties, unless there are no overriding interests on your part (including fundamental rights and freedoms) that speak against such processing. Our purpose-oriented interests can be in particular:

  • Internal administrative purposes;
  • Statistical evaluations for corporate management;
  • Measures for controlling and optimizing business processes;
  • Measures for the further development of services and products;
  • Identification of recruited employees for distribution of bonus;
  • Testing and optimization of procedures for demand analysis;
  • Comparison with national as well as European and other international sanctions lists as part of our compliance program to determine critical data (screening), insofar as this goes beyond the legal obligations. The comparison depends to a large extent on the matter in question and the circumstances of the individual case, i.e. on the risk forecast and the safety relevance of the specific activity;
  • Enrichment of our data, among other things by using or researching publicly available data to the extent necessary;
  • Active Sourcing (direct approach of candidates);
  • Benchmarking (especially comparison of the recruitment figures of the countries and the respective recruitment period. The benchmarking is anonymous);
  • Assertion of legal claims and defense in the event of legal disputes which are not directly attributable to the contractual relationship;
  • Building and plant security, securing and exercising the rights of the building by taking appropriate measures (e.g. access controls) and, if necessary, by video surveillance to protect third parties and our employees and to prevent criminal offences and to secure evidence for the investigation of criminal offences, insofar as this goes beyond the general duty of care;
  • Further development of existing systems and processes;
  • Internal and external investigations, security checks; publications;
  • Obtaining and maintaining certifications of a private or official nature for internal administrative purposes.

2.3 Purposes within the scope of your consent

We process your personal data –in each case only based on your consent– for the following purposes:

  • In the context of an active application to establish the employment relationship, insofar as processing cannot already be based on Art. 6 (1) b GDPR, Art. 9 (2) b GDPR, § 26 (1) and (3) BDSG;
  • Replacement of vacancies that have become vacant again, for which you originally applied, as well as for worldwide vacancies including inclusion in a talent pool to which PAUL HARTMANN AG Group companies also have access. In the last-mentioned case, we will contact you via the email address and/or phone number you have provided us with, if there is a corresponding open vacancy;
  • Messages in the form of "job alerts". The basis for these alerts is your application for a specific vacancy, in the context of which you have also created your candidate profile. The specific name of the open vacancy for which you have applied serves as a keyword. You can add or delete individual "job alerts" at any time;
  • Messages about career opportunities. You will be considered for customized marketing campaigns –generated by the system– if you are visible in our talent pool at the same time. Such marketing campaigns can refer to current job fairs, for example, where you can get more information about career opportunities;
  • Active Sourcing - direct approach, addressed to you as a candidate.

You are not obliged to give your consent and there are no legal disadvantages for not granting your consent. You can revoke your consent at any time by emailing ukdataprotection@hartmann.info.

In principle, the revocation of a consent is only effective for the future. Processing that took place before the revocation is not affected and remains lawful.

2.4 Purposes to meet legal requirements or purposes in the public interest

Like everyone who is involved in the economic process, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. commercial and tax laws), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of the processing may include identity and age verification, fraud and money laundering prevention (e.g. comparison with European and international anti-terrorist lists), company health management and ensuring occupational safety. In addition, the disclosure of personal data may become necessary within the scope of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil law claims.

3. Categories and origin of the personal data we process

Insofar as it is necessary for the decision on the establishment of an employment relationship with you, we process, in addition to the personal data received directly from you, any personal data that may have been lawfully received from third parties (see Art. 14 GDPR). This may include personal data received from external service providers such as headhunters or professional network operators (e.g. LinkedIn or Xing).

Relevant personal data can be:

First name and surname, if applicable maiden name, gender, residential address, contact data, date of birth, place of birth, nationality, religious affiliation, marital status, job description, callable contact data, start / end of employment, educational background (school, studies, training etc.) and professional development, title, residence permit / work permit and its period of validity, data from identification document, qualifications (driver's license, first-aider, knowledge of foreign languages etc.) Status information (mainly pupil or student), information about certificates and qualifications, severe disability (e.g. for holiday entitlement or job description), honorary position / active membership in a club (sports etc.), information about previous employment relationships, criminal records (e.g. for security-relevant functions), photos, bank records (for travel expense accounting).

4. Recipients or categories of recipients of your personal data

We only process your personal data within the company. Within our company, those internal departments or organizational units receive your personal data insofar as they need it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged in each case to use your personal data only to the aforementioned extent.

If we transfer your personal data to other persons and companies (third parties), e.g. to service providers who provide our recruiting services or at least support us, or grant them other access to the personal data, this is only done on the basis of a legal permission. If we commission third parties to process personal data on the basis of a so-called "contract processing agreement" and thereby secure the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.

5. Storage of your personal data

First, we would like to point out that we do not delete your personal data but make it anonymous. After the anonymization process has been carried out, a reference to your person no longer exists and cannot be restored. The data protection regulations are then no longer applicable. We use the anonymized data in particular for evaluation purposes.

In principle, we process or store your personal data for the duration of the direct contact within the framework of active sourcing, for the duration of an active application process and for the duration of your activity in the candidate profile. This means that your personal data in connection with a specific application will be made anonymous at the latest 6 months after the application process has been completed (beginning especially by refusal). If we only have your application documents in paper form, we will return them to you after the end of the application procedure to our credit. The anonymization of your personal data stored in the candidate profile is done automatically in case of inactivity of 6 months (no login was made for 6 months). You will be informed about this in advance by email. By logging in again, the period is automatically extended by a further 6 months. The prerequisite in each case is that there is no active application. If you set up a "deletion" in your candidate profile yourself, the anonymization will take place automatically 6 months after setting up.

The above-mentioned information on the anonymization does not apply if, among other things, legally prescribed retention periods prevent immediate deletion –here anonymization– (cf. Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.

We would like to point out that the withdrawal of a consent granted by you for the purposes mentioned in No. 2.3 above only has the effect that the respective processing (e.g. sending of "Job Alerts") is stopped by us. No personal data will therefore be anonymized by the withdrawal.

6. Processing of your data in a third country or by an international organization

A transfer of data to entities (e.g. subsidiaries) in countries outside the European Economic Area EU/EEA (so-called third countries) takes place in particular if it is necessary for the decision on the establishment of an employment relationship with you. The processing of your personal data in a third country may also take place in connection with the use of service providers in the context of processing orders. Unless the EU Commission has decided on an adequate level of data protection in the country concerned, we guarantee - in accordance with Article 13 (1) f of the GDPR - that your rights and freedoms are protected in the case of transfers in accordance with Articles 46, 47 or 49 (1) subparagraph 2 of the GDPR by providing suitable and appropriate guarantees. Information on the suitable or appropriate guarantees and the possibility of how and where to obtain a copy of them can be obtained on request from the Data Protection Department or the Human Resources Department responsible for you.

7. Your rights

  • You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that took place before the withdrawal therefore remains lawful.
  • In accordance with Art. 15 GDPR, you can request information about your personal data processed by us.
  • In accordance with Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.
  • In accordance with Art. 17 GDPR, you can request the deletion (here anonymization) of your personal data stored by us in accordance with the conditions stated therein, unless legally prescribed retention periods prevent immediate deletion –here anonymization– (see Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
  • Pursuant to Art. 18 (1) GDPR, you may request the restriction of data processing if one or more conditions pursuant to Art. 18 (1) GDPR lit. a to d are met.
  • In accordance with Art. 20 (1) GDPR, you can receive the personal data processed by us in a structured, common and machine-readable format and transfer this personal data to another person responsible without hindrance from us.
  • In addition, you can object to the processing of your personal data in accordance with Art. 21 (1) GDPR. In the event of an objection, we will terminate the processing of your personal data. However, the right of objection only applies in the event of special circumstances arising from your personal situation. In addition, compelling reasons worthy of protection that speak in favour of processing may prevail. Furthermore, certain processing purposes may conflict with your right of objection.
  • According to Art. 21 (2) GDPR, you have the right to object to the processing of personal data concerning you for the purpose of direct marketing at any time without further conditions. This also applies to profiling, insofar as it is connected with such direct marketing. If you object, your personal data will no longer be processed for these purposes (cf. Art. 21 (3) GDPR).
  • Without prejudice to any other administrative or judicial remedy, you also have the right to appeal to the competent supervisory authority (see Art. 77 GDPR) if you believe that the processing of your personal data violates data protection provisions. In this context, however, we would ask you to address any complaints first to the contact details given under (1) above.

8. Scope of your obligations to provide us with your personal data

You only need to provide personal data that is necessary for the decision on the establishment of the employment relationship or that we are legally obliged to collect (e.g. to provide evidence to authorities). Without this personal data, we will generally not be able to carry out the application process. If we request additional personal data from you, you will be informed separately about the voluntary nature of the information.

9. Automated decision making in individual cases (including profiling)

We do not use purely automated decision-making procedures in accordance with Art. 22 GDPR. Should we nevertheless use such a procedure in individual cases in the future, we will inform you of this separately if this is required by law.

I am a customer or potential customer

Data that we hold and how we use it

If you are a direct individual customer of ours, we hold the contact and payment details required to carry out our contract with you and manage our relationship. If you signed up for our newsletter then we hold your contact details and your preference choices to keep you up to date with changes and improvements to our services. This data would have been sourced from you directly.

Managing our relationship with you includes any customer service related data and order history. Incoming calls are recorded, and you will always be made aware of this when you call in. They are recorded to ensure that we capture your order correctly, help us with quality control and training, as well as helping to resolve disputes should they arise.

If you are a customer who has agreed to give a testimonial or provide photos to help with our marketing, then we will hold the data that you gave up (Contact details, opinion and any corresponding photos) and make them available on our website and marketing materials.

If you are a potential customer then you are likely to be an employee of an entity that we believe would benefit from our services, and we will hold your contact details. Potential corporate customer data is sourced from third parties such as the CQC website and providers of healthcare data.

Where possible, we will endeavour to let you know within 30 days that we have your data, where we sourced it, and provide you with this privacy notice if we did not source your personal data directly from you.

Lawful basis for processing

Our lawful basis for processing your data is a combination of Contract, Legitimate Interest and consent. We use legitimate interest when we use your data to keep you up to date with changes and improvements to our goods and services. Our legitimate interest balancing test indicates that this is a legitimate purpose; it is necessary for the purpose of keeping you updated and growing our business, and unlikely to cause you risk or harm. Likewise, if you are a potential customer, who has not yet placed an order, then we process this data under legitimate interest. All other data is processed to enable us to fulfil our contract with you and manage our relationship with you. We only use consent when we ask you to process your personal data in our marketing collateral, including our newsletter.

Data Sharing and Transfers

Like most companies, we use a number of other entities to facilitate data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. If data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses and due diligence. We do not sell your data to anybody. All data processed by Paul Hartmann Ltd is shared with our parent company in Germany, and such transfers are done on a need to know basis and are subject to an inter-company agreement.

Retention Periods

As a customer we hold your data for the time that you are a customer of ours plus 7 years in case of any dispute and to abide by accounting regulations. If you withdraw consent for marketing collateral then we will update our records in the Hartmann marketing preference center and CRM system accordingly to ensure you no longer receive marketing material from us. If you are a potential customer we will delete your data 2 years from your last engagement with us.

Technical and Operational Security

All data is password protected, access controlled by 2-factor authentication, backed up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. We take the protection of personal data into account as early as possible in the development and selection of hardware, software and our standard procedures.

I am a supplier

Data that we hold and how we use it

As a supplier to HARTMANN UK & I, we hold the contact and payment details required to carry out our contract with you, and any data to manage our relationship with you, for example our email communications. Most of this data would have been sourced from you directly, although your initial contact details may have been sourced from a recommendation or a website, with the intention of entering into a contract with you.

Lawful basis for processing

Our lawful basis for processing your data is contract; all data is used to enable us to fulfil our contract with you, including paying you and managing our relationship with you.

If we are asked to recommend a supplier to another company then we will share your company name and phone number. The lawful basis for this is legitimate interest and we believe this has benefits to both you and us.

Data Sharing and Transfers

Like most companies, we use a number of other entities to facilitate data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. If data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses and due diligence. We do not sell your data to anybody. All data processed by HARTMANN UK & I is shared with our parent company in Germany, and such transfers are done on a need to know basis and are subject to an inter-company agreement.

Retention Periods

We hold data on suppliers for the duration of our contract, plus 7 years to account for accounting regulations and in case of any dispute.

Technical and Operational Security

All data is password protected, access controlled by 2-factor authentication, backed up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. We take the protection of personal data into account as early as possible in the development and selection of hardware, software and our standard procedures.

I am running or participating in one of your clinical trials or study

Data that we hold and how we use it

As someone who has agreed with their Health Care Professional to participate in a clinical trial on our product, we will hold the following personal data:

  • Identification data
  • Medical data observations
  • Clinical trial results

If you are a Healthcare professional who carries out our trials, then we will hold the following:

  • Contact details
  • Place of work, role and qualifications
  • Details of the training provided to enable you to carry out the trial

Lawful basis for processing

Our lawful basis for processing your data is a combination of Contract (with the health care provider), and legal obligation for the trial participant. Where health data is used, the additional lawful basis for this will be ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Whilst consent is given to participate in the trial, this is not the same as consent to process the data. We do not use consent to process the data as this would not be the most appropriate since we are obliged by law to carry out these trials to ensure the quality and safety of our products. We do however ask for consent to publish the data if it is not fully anonymised.

Data Sharing and Transfers

Like most companies, we use a number of other entities to facilitate data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. If data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses and due diligence. We do not sell your data to anybody. All data processed by Paul Hartmann Ltd is shared with our parent company in Germany, and such transfers are done on a need to know basis and are subject to an inter-company agreement.

Retention Periods

Data processed on the Health care professional is retained for 5 years after their last clinical trial/study.

Clinical trial/study data is retained 7 years after the withdrawal of a product.

Technical and Operational Security

All data is password protected, access controlled by 2-factor authentication, backed up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. We take the protection of personal data into account as early as possible in the development and selection of hardware, software and our standard procedures.

I am visiting your offices

Data that we hold and how we use it

When you come to our offices, you will be asked to sign in via a device in the lobby. The data collected is your name, email address, phone number, car registration number and the person you are visiting, as well as a photograph.

The device will then provide you with a label containing your name and photo that we ask you to wear whilst you are on the premises.

Lawful basis for processing

Our lawful basis for processing your data is legitimate interest. It is legitimate for us to know who is visiting the site and to protect the premises against unauthorised entry and crime.

Data Sharing and Transfers

Like most companies, we use a number of other entities to facilitate data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. If data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses and due diligence. We do not sell your data to anybody. All data processed by Paul Hartmann Ltd is shared with our parent company in Germany, and such transfers are done on a need to know basis and are subject to an inter-company agreement.

Retention Periods

Data in our sign in system is kept for 6 months after your visit to make it easier for you, should you return in that timeframe.

Technical and Operational Security

All data is password protected, access controlled by 2-factor authentication, backed up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. We take the protection of personal data into account as early as possible in the development and selection of hardware, software and our standard procedures.

I am visiting your website

Data that we hold and how we use it

As a user of our websites (hartmann.info, hartmanndirect.co.uk, hartmannhelp.co.uk, hartmannmarketing.com) and depending on the cookie preferences you gave, we collect your individual usage data which includes information about how you use our website, products and services. This is used to create aggregated data.

If cookies are accepted and loaded, we will process information about the pages you have visited, your searches on our website, load and download times, time spent on our pages, interaction with the page and what led you to our website (link in an article, Google search etc).

We perform analytics based on this data. Performing analytics is vital for us to understand how you interact with our website and various services in order to improve them and to give you a good user experience.

We do not use your browsing data to predict or make any assumptions about you.

You can view our Cookie policy here: Cookie Policy

Social Media:

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users. When accessing social networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply.

We process your personal data if you communicate them within social networks and platforms, e.g. by writing articles on our online presences or sending us messages. In addition, Facebook, among other things, may provide statistics and insights (e.g., total number of page views, "Like" information, page activity, post interactions, video views, post reach, comments, shared content, responses, etc.) that help us understand the types of actions you take on our sites. This enables us to better understand your interests and preferences and can, for example, increase the attractiveness of articles or our performance presentation or choose the right time for publication.

Your personal data may be processed by the respective operator outside the European Union or the European Economic Area. As a result, risks may arise for you, in particular the enforcement of rights may become more difficult.

If you click on the button of the respective operator, e.g. Facebook, you will be redirected to the Hartmann presence on their site in a separate browser window and can - if you are logged in to your user account - share or subscribe to our news, among other things. Clicking the button will establish a direct connection between your browser and the server of the respective operator. The respective operator receives the information that you have visited our website with your IP address. The respective operator may collect further personal data as soon as you use their offers. In addition, it is then possible for the respective operator to assign your visit to our website to you and your user account, provided you are logged in to your user account.

In addition, your personal data may be further processed for the purposes of market research and advertising. This means that profiles can be created from your usage behaviour and the preferences and interests derived from it. Such profiles can be used, for example, to place suitable advertisements within our online presence or on other online presences or websites based on the interests determined. Cookies are placed and stored on your end device, with the help of which personal data on usage behaviour can be collected and bundled for further processing - to determine your interests. The collection and bundling of this personal data can - especially if you are logged in to your user account - also be realised across several end devices used by you.

Should you request information or wish to exercise other rights to which you are entitled, please contact the respective operator directly. The background to this is that only the respective operators have access to your personal data and can provide you with the relevant information and take further measures if necessary. Should you require assistance in exercising the rights to which you are entitled, you can also contact us at any time.

A description of the data processing carried out by the respective operator as well as the requirements for the implementation of an objection (opt-out) can be found in the information provided by the respective operator:

Provider: Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Privacy policy: https://www.facebook.com/about/privacy/
Site insight data: https://www.facebook.com/legal/terms/information_about_page_insights_data
Opt-Out: https://www.facebook.com/settings?tab=ads

Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
Privacy policy: https://twitter.com/de/privacy
Opt-Out: https://twitter.com/personalization

Provider: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany
Privacy policy: https://www.xing.com/app/share?op=data_protection

Provider: YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA
Privacy policy: https://policies.google.com/privacy?hl=de&gl=de

Provider: (Instagram) Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Privacy policy: https://help.instagram.com/519522125107875

Lawful basis for processing

Our lawful basis for processing tracking data as a result of dropping unnecessary cookies is consent. You will have provided this consent via our cookie banner.

If you accessed our social media presence, then we are slightly constrained by the way that site operates and cannot give assurances that its operator will always use consent as the lawful basis.

Data Sharing and Transfers

Like most companies, we use a number of other entities to facilitate data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. If data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses and due diligence. We do not sell your data to anybody. All data processed by HARTMANN UK & I is shared with our parent company in Germany, and such transfers are done on a need-to-know basis and are subject to an inter-company agreement.

Technical and Operational Security

All data is password protected, access controlled by two-factor authentication, backed up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. We take the protection of personal data into account as early as possible in the development and selection of hardware, software and our standard procedures.

Your rights:

Right of access: You can request access to a copy of the personal data which we hold about you, as well as details about why and how we use it;

Right to rectification: You can ask us to change or complete any personal data we hold about you which is inaccurate or incomplete;

Right to be forgotten/erasure: You have a right, under certain circumstances, to ask us to delete any personal data we hold about you. Please note that there may be situations where we must retain your personal data after a request for erasure where we have a lawful basis for doing so;

Right of restriction: You can ask us to restrict (i.e. prevent) the processing of your personal data where you have objected to our use of it and we have no lawful basis to continue processing your personal data;

Right of data portability: In certain circumstances, you can ask us to transfer the data we hold about you to another organisation. This would be sent in a structured, commonly used, electronic form;

Right to object: You can object to us using your personal data for particular purposes; and

Automated decision making: You have a right not to be subjected to automated decision making and profiling in certain situations.

If you have any cause to complain about our use of your personal data, please contact us by emailing ukdataprotection@hartmann.info.

You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the ICO whose details are here: https://ico.org.uk/make-a-complaint/.

Our global DPO is based in Germany, at our head office, so you also have the right to make your complaint to the German Data Protection Authority.

Automated decision making

HARTMANN UK & I does not carry out any automated decision making on your data and has no plans to do so.

What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our privacy notice

We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date.

If we make any material changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.