Privacy Notice Customers

Responsible party:
PAUL HARTMANN AG
Paul-Hartmann-Straße 12
89522 Heidenheim
Phone: +49-7321-36-0
Fax: +49-7321-36-3636
E-Mail: info@hartmann.info

Contact Data Protection:
PAUL HARTMANN AG
Department CFO-DPM / DPO
Paul-Hartmann-Straße 12
89522 Heidenheim
E-Mail: datenschutz@hartmann.info

We process your personal data in accordance with the provisions of the GDPR, the German Federal Data Protection Act (BDSG) and other applicable data protection regulations. You will find details under the following explanations.

2.1 Purposes in the context of pre-contractual/contractual measures (cf. Art. 6 (1) b GDPR)

We process your personal data in particular for the following purposes:

• Implementation of registration processes;
• Fulfilment of contractual obligations and services, memberships;
• Execution of payment transactions;
• Delivery of contractually ordered products and services;
• Transfer of address data to logistics companies for the delivery and collection of goods;
• Transfer of billing data to billing centres and forwarding to cost units;
• Transfer to group companies for internal administrative purposes;
• Sending of interesting information about products and promotions (in individual cases also in return for the prior sending of free articles);
• Forwarding to manufacturers, suppliers and service companies for custom-made products and for instruction and maintenance of the respective product;
• Business partner due diligence;
• Customers satisfaction surveys (in individual cases also in return for the prior sending of free test articles, which are to be evaluated);
• Sending Christmas cards and birthday cards;
• Reminders of business relations;
• Consultation or contact after trade fairs etc.;
• Obtaining creditworthiness information (e.g. via Creditreform: https://www.creditreform.de/datenschutz).

2.2 Purposes within the scope of legitimate interests of us or third parties (cf. Art. 6 (1) f GDPR)

We process your personal data if it is necessary to protect the legitimate interests of us or third parties, unless there are no overriding interests on your part (including fundamental rights and freedoms) that speak against such processing. Our purpose-oriented interests can be in particular:

• Statistical evaluations for corporate management;
• Transfer of data within our coroprate group for internal administrative purposes;
• Customer satisfaction survey;
• Direct marketing measures;
• Sending Christmas cards and birthday cards;
• Reminders of business relations;
• Consultation or contact after trade fairs etc.;
• Exclusive customer information on products and advertising materials;
• Product training courses;
• Measures for controlling and optimizing business processes;
• Measures for the further development of services and products;
• Testing and optimisation of procedures for demand analysis;
• Comparison with national as well as European and other international sanctions lists as part of our compliance program to determine critical data (screening), insofar as this goes beyond the legal obligations. The comparison depends to a large extent on the matter in question and the circumstances of the individual case, i.e. on the risk forecast and the safety relevance of the specific activity;
• Enrichment of our data, e.g. by using or researching publicly available data as far as necessary;
• Benchmarking;
• Assertion of legal claims and defence in the event of legal disputes which are not directly attributable to the contractual relationship;
• Building and plant security, securing and exercising of the right to the building by taking appropriate measures (e.g. access controls) and, if necessary, by video surveillance to protect third parties and our employees and to prevent criminal offences and to secure evidence for the investigation of criminal offences, insofar as this goes beyond the general duty of care;
• Further development of existing systems and processes;
• Internal and external investigations, security checks, publications;
• Obtaining and maintaining certifications of a private or official nature.

2.3 Purposes within the scope of your consent (cf. Art. 6 (1) a and Art. 9 (2) a GDPR)

Your personal data may also be processed for certain purposes on the basis of your consent. This may include – for us as a service provider – in particular the processing of your health data for consulting purposes (e.g. in the context of a telephone call) and supply or delivery of our products and, if applicable, care aids. In this context, we process, among other things, information on prescriptions (which you have sent to us or uploaded in your account) about remedies and medicines and information (which you have given us in a telephone call or via your account) as part of the collection of medical history forms on the type of incontinence, indication, continence profile, degree of care, etc.

You can withdraw your consent at any time. This also applies to the withdrawal of declarations of consent that were issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. In principle, the withdrawal of consent at any time is only valid for the future. Processings that took place before the withdrawal are not affected and therefore remains lawful. This means, for example, that the processing of your health data in the period prior to the withdrawal – among other things for the aforementioned purpose – remains effective.

In all other respects you are not obliged to grant consent and you will not suffer any legal disadvantages from the refusal of consent.

2.4 Purposes to meet legal requirements (cf. Art. 6 (1) c GDPR or purposes in the public interest (cf. Art. 6 (1) e GDPR); and acc. to Art. 9 (2) i GDPR DS-GVO.

Like everyone who is involved in the economic process, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. according to the Works Constitution Act, Social Security Code, commercial and tax laws or the German Fiscal Code), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of processing may include in particular the invoicing of services to public health insurances, pharmacovigilance management (please see here also the privacy notice of Bode Chemie GmbH), identity and age verification as well as fraud and money laundering prevention (e.g. comparison with European and international anti-terrorist lists). In addition, the disclosure of personal data may become necessary within the scope of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil law claims.

Insofar as it is necessary for the decision on the establishment of a contractual relationship with you, we process, in addition to the personal data received directly from you, any legally obtained personal data from third parties (see Art. 14 GDPR).

We process in particular the following data categories:

• Stock data (e.g. title, first and last name, title, residential address, country, company address, date of birth, full legal capacity, industry);
• Contact data (e.g. e-mail address, telephone number fixed/mobile, fax number);
• Content data (e.g. text input contact form, photographs, videos);
• Contract data (e.g. subject matter of the contract, duration, customer category, user name), in particular for the fulfilment of our contractual obligations and services in accordance with Art. 6 Para. 1 lit. b GDPR, for the implementation of marketing measures based on our legitimate interests in accordance with Art. 6 Para. 1 lit. f GDPR and on the basis of your consent in accordance with Art. 6 Para. 1 lit. a GDPR (e.g. in the context of customer satisfaction surveys);
• Payment data (e.g. bank details, account details, credit card details, payment history);
• Health data (e.g. severely disabled status, general physical condition, diagnosis).

We only process your personal data within the company. Within our company, those internal departments or organisational units receive your personal data insofar as they need it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged in each case to use your personal data only to the aforementioned extent.

If we transfer your personal data to other persons, companies or other third parties (e.g. public health insurance) or grant them other access to the personal data, this is only done on the basis of a legal permission. If we commission third parties to process personal data on the basis of a so-called "contract processing agreement" and thereby secure the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.

We process or store your personal data in principle for the duration of the contractual relationship.

The above information on deletion does not apply if, among other things, legally prescribed retention periods prevent immediate deletion (cf. Art. 17 (3) GDPR) and/or a further case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.

Incorrect and/or incomplete data will be deleted or - if possible - corrected immediately in accordance with Art. 5 (1) d GDPR.

Where possible, we will process your personal data on the territory of the Federal Republic of Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area. If, however, processing – and thus at the same time transfer – of your personal data to third countries (e.g. USA) is necessary, especially in connection with the use of service providers in the context of contract processing, we will ensure that the special legal requirements for such processing operations are met and that an adequate level of data protection prevails in the respective third country. In particular, this includes checking whether the European Commission has decided that an adequate level of data protection exists in a third country (cf. Art. 45 DS-GVO) or whether suitable or appropriate guarantees (e.g. standard contractual clauses) exist and that the enforcement of your rights is guaranteed and that sufficient technical and organizational measures are in place to protect your personal data.

Information on the suitable or appropriate guarantees and on how and where to obtain a copy of them can be obtained upon request from the Data Protection Department via the contact channels mentioned in this Privacy Notice.

• You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that took place before the withdrawal therefore remains lawful.
• In accordance with Art. 15 GDPR, you can request information about your personal data processed by us.
• In accordance with Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.
• In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored by us in accordance with the conditions stated therein, unless legally prescribed retention periods prevent immediate deletion (see Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
• Pursuant to Art. 18 (1) GDPR, you may request the restriction of data processing if one or more conditions pursuant to Art. 18 (1) GDPR lit. a to d are met.
• In accordance with Art. 20 (1) GDPR, you can receive the personal data processed by us in a structured, common and machine-readable format and transfer this personal data to another person responsible without hindrance from us.
• In addition, you can object to the processing of your personal data in accordance with Art. 21 (1) GDPR. In the event of an objection, we will terminate the processing of your personal data. However, the right of objection only applies in the event of special circumstances arising from your personal situation. In addition, compelling reasons worthy of protection that speak in favour of processing may prevail. Furthermore, certain processing purposes may conflict with your right of objection.
• According to Article 21 (2) GDPR, you have the right to object to the processing of your personal data for the purposes of direct marketing at any time and without further conditions. This also applies to profiling, insofar as it relates to such direct advertising. If you lodge an objection, your personal data will no longer be processed for these purposes (cf. Art. 21 (3) GDPR).
• Without prejudice to any other administrative or judicial remedy, you also have the right to appeal to the competent supervisory authority (see Art. 77 GDPR) if you believe that the processing of your personal data violates data protection provisions. In this context, however, we would ask you to address any complaints first to the contact details given under (1) above.

You only need to provide us with the personal data that is necessary for the initiation, execution and termination of a contractual relationship or that we generally require for the execution of our services or that we are legally obliged to collect (e.g. to provide evidence to authorities). Without this personal data, we will generally not be able to conclude and carry out the contractual relationship with you or provide our services. This may also refer to personal data that will later become necessary within the scope of the contractual relationship or the provision of services. Boxes marked with an asterisk (*) in our forms are mandatory. If we request personal data from you in addition to this, your details are always voluntary.

We do not use purely automated decision-making procedures in accordance with Art. 22 GDPR. Should we nevertheless use such a procedure in individual cases in the future, we will inform you of this separately if this is required by law.