Status:
We, N.V. PAUL HARTMANN S.A., attach great importance to the protection of your personal data. Please take the time to read this privacy policy carefully. This privacy policy provides you with information in accordance with the General Data Protection Regulation (GDPR). To understand this policy, it is important to know our different roles:
- HARTMANN as the controller (for your user data): We are the controller for your own personal data as a user (e.g. your name, email address, user account password). All sections of this policy (in particular C.1-C.4, C.7, D, E, F, G, H) refer exclusively to this data processing, for which we are the controller. This also applies explicitly to the access to your end device described in section D (Article 10/2 of the Belgian Data Protection Act of July 30, 2018), which exclusively concerns your device as a user (e.g. your work smartphone).
- HARTMANN as a processor (for patient data): As soon as you enter patient data in the "Care Plan" or "Wound Documentation" modules, you or your institution act as the controller. We then act exclusively as your processor bound by your instructions. Sections C.5 and C.6 transparently describe our role as a processor and the associated instructions (e.g. on anonymisation).
Detailed regulations on order processing (in particular regarding your obligations as the controller and our obligations as the processor) can be found in the separate "Supplementary Data Protection Information" for the respective applications and in the order processing agreement (OPA) that your institution concludes with us.
A. General information and definitions
According to the General Data Protection Regulation (GDPR), "personal data" is any information relating to an identified or identifiable natural person. This includes data such as your name, your email address or your user behaviour.
We strictly adhere to the applicable data protection regulations and protect your data through comprehensive technical and organisational measures.
B. Controller and data protection officer
N.V. PAUL HARTMANN S.A., Avenue Paul Hartmann, 1, 1480 SAINTES, Belgium, email: info@hartmann.be, is responsible for processing your personal data within the scope of the "HARTMANN Easy" app.
You can contact the data protection officer at: N.V. PAUL HARTMANN S.A., Avenue Paul Hartmann, 1, 1480 SAINTES, Belgium Email: dataprotection.be@hartmann.info.
Processor: PAUL HARTMANN AG (parent company) operates this app as a central technical platform. If you use modules whose content is provided by local PAUL HARTMANN subsidiaries (e.g. the HARTMANN company in your country), PAUL HARTMANN AG processes your user data as a technical service provider (processor) on behalf of these subsidiaries. However, we remain your central point of contact for your data protection rights in relation to the use of the app.
C. Processing of your personal data when using the app
The scope and type of data processing depends on how you use our app. To increase transparency on mobile devices, this statement follows the recommended "layered approach", which allows you to navigate to the sections relevant to you by selecting the headings.
1. Downloading the app from an app store
When you download the app, the necessary information is transferred to the respective app store (e.g. Apple App Store or Google Play Store). This includes, in particular, your user name, your e-mail address, your account customer number, the time of download and, if applicable, payment information. We have no influence on this data processing; it is the sole responsibility of the respective app store operator.
2. Technically necessary data processing when starting the app
Each time you use the app, we automatically process data that your device transmits to our servers for technical reasons. This data is essential for ensuring the stability, localisation and security of the app.
- IP address
- Date and time of the request
- Device identification (e.g. IMEI, IMSI)
- Name of your mobile device
- Operating system and its version
- Language and version of the app
The legal basis for this processing is our legitimate interest in providing a functional and secure app in accordance with Art. 6(1)(f) GDPR.
3. Registration and management of your user account
To use the app, you must create a user account. Depending on whether you are already listed as a contact with us, we distinguish between two registration methods. The data collected in this process is processed for the purpose of creating and managing your account, authenticating you and enabling you to use the app. The legal basis for this processing is the fulfilment of the user agreement in accordance with Art. 6 (1) (b) GDPR.
Depending on the registration method, the following data is processed in detail:
1. Guest registration (for new users): When you register as a new user, we collect the following mandatory information: your title, first and last name (for unique identification and account management), your email address (as a unique identifier, for communication and login), your country (for country-specific content/regulations), the name of your institution, your postcode and your industry (in each case for assignment to the contractual partner and for B2B verification). You can optionally specify your occupation (profession). It is also optional to provide your HCP/AHPRA/NPI number. The legal basis for the mandatory information is Art. 6 (1) (b) GDPR; for country-specific mandatory information, the legal basis may also be Art. 6 (1) (c) or (f) GDPR.
2. Contacts Registration (for existing contacts): If you are already registered in our CRM system, we collect the following mandatory information for registration: your HARTMANN CRM ID (to link to your existing customer account), your first and last name (for comparison and verification purposes), your email address (as a unique identifier for communication and login purposes), your title (for personalised communication) and your profession (for verification of professional affiliation). The legal basis for this processing is also Art. 6 (1) (b) GDPR.
If you already have a user account for the HARTMANN Supply Management, you can use it to log in to the app. In this case, the data required for verification and linking (in particular name, email address and customer number) will be exchanged between the systems.
4. Data processing for lead generation (modules "Inco Guide" & "Wound Guide")
When registering for the free "Inco Guide" and "Wound Guide" modules, you have the option of giving us your voluntary consent to use your contact details (first name, surname, email address, job title) for marketing purposes. This consent is separate and voluntary. Use of the modules is not dependent on granting consent. Consent includes:
- Transferring your data to our CRM system (Salesforce) for managing prospective customer contacts.
- Contacting you by email with information about our products, services and events.
To ensure that you actually want to receive the emails, we use the double opt-in procedure: after you have given your consent, you will receive an email with a confirmation link. Only after clicking on this link will you be added to our mailing list.
You can revoke your consent at any time and without giving reasons for the future, e.g. via the unsubscribe link in each email or via your account settings in the app. The revocation does not affect the lawfulness of the processing carried out up to that point. The legal basis is your express consent in accordance with Art. 6 (1) (a) GDPR and Art. XII.13. § 1er of the Belgian Code of Economic Law.
5. Processing of health data (Care Plan and Wound Documentation modules)
5.1. Distribution of roles: The "Care Plan" and "Wound Documentation" modules enable you, as a healthcare professional, to process the health data of third parties (patients). This constitutes special categories of personal data within the meaning of Art. 9 GDPR. When using these modules, you (or your employer) act as the controller within the meaning of Art. 4 No. 7 GDPR. As the provider of the app, we act in this context exclusively as a processor bound by instructions within the meaning of Art. 4 No. 8 GDPR on the basis of a DPA (Art. 28 GDPR) with your institution. Details on this are regulated in the supplementary data protection information.
5.2. Legal basis for processing as a processor: We process the patient data you enter exclusively on the basis of a data processing agreement (DPA) concluded with you in accordance with Art. 28 GDPR. This agreement regulates our obligations as a service provider in detail and ensures that processing is carried out only in accordance with your instructions. The use of these modules requires the prior electronic conclusion of a data processing agreement (DPA) by your administrator by means of electronic acceptance (click & wrap) with us. Use is not permitted without a DPA. Anonymised usage data may be used by subsidiaries and parent companies for the purposes of product improvement, research and development. The user hereby instructs the company named in section 12.2 of the General Terms and Conditions to anonymise patient data exclusively on the basis of a legal basis to be ensured by the user (in particular the consent of the patients). Only after anonymisation has been carried out may this data be used by subsidiaries and/or parent companies for research, product improvement and development.
5.3. Your obligations as the controller: As the user, you are solely responsible for ensuring a valid legal basis for your processing of patient data. This will usually be the express consent of the respective patient in accordance with Art. 9 (2) (a) GDPR. It is your responsibility to obtain this consent. As the provider, we do not obtain consent from your patients.
6. Data processing for anonymisation
We are entitled to anonymise both technical usage data and the patient data you enter.
Anonymisation of technical and general usage data: We process purely technical usage data (e.g. functions used, loading times, crash reports) on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in order to anonymise it. The anonymisation process is designed to permanently and irreversibly remove any personal reference.
Anonymisation of patient data: Insofar as patient data is anonymised, this is done exclusively within the scope of order processing and on your instructions. The anonymised data may be used by companies belonging to the HARTMANN Group for research and development purposes.
7. Contact and support
If you contact us by e-mail or via a contact form, we will store the data you provide (e.g. e-mail address, name, content of the enquiry) in order to process your request. This data will be deleted as soon as storage is no longer necessary, unless there are legal retention obligations.
The legal basis is Art. 6 (1) (b) or (f) GDPR.
D. Access to functions on your device (Article 10/2 of the Belgian Data Protection Act of July 30, 2018)
In order to operate the app, it is sometimes necessary to store or access information on your device. This is done in accordance with Article 10/2 of the Belgian Data Protection Act of July 30, 2018.
1. Absolutely necessary access (without consent): Certain accesses are absolutely necessary for the provision of the app functions you have expressly requested. We do not require your consent for this. This concerns:
- Storage of session information for authentication after login.
- Storage of settings (e.g. language) to make the app user-friendly.
2. Access requiring consent: For all other access, we obtain your express consent before access takes place. You can revoke this consent at any time in the settings of your operating system or the app. This applies in particular to:
- Camera/photo gallery: Only if you actively want to take or upload a photo in the "Wound Documentation" module.
- Analysis and performance data: To improve the app's stability and user-friendliness, we use analysis tools that collect pseudonymised usage data (e.g. functions used, crash reports). This data is only collected after you have actively given your consent via our consent management tool.
Refusal has no effect on the core functionality of the app. The legal basis for access requiring consent is Article 10/2 of the Belgian Data Protection Act of July 30, 2018 in conjunction with Art. 6 (1) lit. a) GDPR.
E. Data transfer to third parties and processors
We only pass on your data to third parties if this is permitted by law or if you have given your consent.
- Processors: We use carefully selected service providers (e.g. for hosting, technical maintenance) who process data on our behalf. These are contractually bound to our instructions in accordance with Art. 28 GDPR and are obliged to comply with strict data protection standards. Our hosting service provider is Microsoft Azure Cloud in the EU.
- Salesforce (third country transfer): As part of lead generation (see C.4.), we transfer your contact details to Salesforce, Inc., based in the United States. This transfer is legally secured by:
- The EU Commission's adequacy decision for the EU-U.S. Data Privacy Framework (Art. 45 GDPR), under which Salesforce is certified.
- Additionally, by concluding standard contractual clauses (Art. 46 GDPR) as part of our contract with Salesforce to ensure a consistently high level of protection.
We have a legitimate interest in continuously improving our products and services, ensuring the security of our app, and compiling statistical analyses of market developments. For this purpose, we process technical usage and metadata from your app usage (e.g. functions used, loading times, device model, operating system version) in order to anonymise it.
The legal basis for this processing for the purpose of anonymisation is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. As part of the necessary balancing of interests, we have ensured that your interests worthy of protection do not outweigh ours. We only use pseudonymised data that does not allow any direct conclusions to be drawn about your person and take comprehensive technical measures to ensure data protection.
You have the right to object to this processing at any time for reasons arising from your particular situation (Art. 21 GDPR).
After completion of the anonymisation process, which is designed according to the state of the art to permanently and irreversibly remove any personal reference, the anonymous data is also transferred to the parent company.
F. Storage period
We only store your personal data for as long as is necessary to achieve the respective purposes or as required by statutory retention periods (e.g. under commercial or tax law). Once the purpose has been achieved or the retention periods have expired, the data will be routinely deleted unless it is still required for the fulfilment or initiation of a contract. Data from your user account will be deleted after the account has been deleted, subject to statutory retention obligations.
G. Your rights as a data subject
You have the following rights with regard to your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure ("right to be forgotten") (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to object to processing (Art. 21 GDPR), provided that the processing is based on Art. 6(1)(f) GDPR.
- Right to data portability (Art. 20 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR) with effect for the future.
- Right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR)
To exercise your rights, you can contact us or our data protection officer at any time.
H. Data security
We take comprehensive state-of-the-art technical and organisational security measures (TOMs) to protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.
I. Changes to this privacy policy
We are constantly developing our app. We therefore reserve the right to amend this privacy policy as necessary. The current version is available at any time within the app.