Privacy

1. Data protection information

Compliance with data protection regulations is very important to CMC Consumer Medical Care GmbH (hereinafter “CMC”, “we” or “us”). We would therefore like to inform you below about the processing of your personal data, in particular about the purposes of the respective data processing as well as the processed data categories, subdivided according to individual services or forms of use and about the rights to which you are entitled. With regard to the related terminology, such as “personal data” or “processing”, we refer to the relevant definitions in Art. 4 of the General Data Protection Regulation (GDPR).

If you are a customer, supplier of or applicant to CMC, you can find information about the processing of your personal data here:

Customers can find the information here
Suppliers can find the information here
Applicants can find the information here

We ask you to regularly check the content of our privacy policy, as we will adapt the privacy policy as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Status of the privacy policy: 06.07.2022

Responsible person and contact

Person responsible:
CMC Consumer Medical Care GmbH
Eichendorffstrasse 12-14
89567 Sontheim/Brenz
Phone: +49-7325-9244-0
E-mail: [email protected]

Data protection contact:
PAUL HARTMANN AG
Data Protection Officer
Paul-Hartmann-Strasse 12
89522 Heidenheim
E-mail: [email protected]

Do you have general questions or comments about this privacy policy or specific questions about the processing of your data? We will be happy to answer them for you.

2. Legal bases and purposes of data processing

In accordance with Art. 13 and 14 GDPR, we inform you about the legal basis of our data processing. Unless the legal basis is explicitly stated in this or separate privacy statements, the following applies:

  • The legal bases for obtaining consent are Art. 6 para. 1 lit. a and Art. 7 GDPR as well as Art. 9 para. 2 lit. a and Art. 7 GDPR (e.g. registration on offered portals/creation of customer accounts, delivery of user-specific offers and information about our products and services, surveys on our websites, analysis of the use of our products, services and websites, personalization of offers on the Internet, by e-mail, fax and on other channels, advertising or market and opinion research);
  • The legal basis for processing for the fulfillment of our services and the implementation of contractual measures as well as for answering inquiries is Art. 6 para. 1 lit. b GDPR (e.g. registration on offered portals/creation of customer accounts, execution of contract and/or service, payment processing for purchases and other services, processing due to a complaint, communication in particular via telephone, e-mail, fax, live chat, video call, supply advice);
  • The legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR (e.g. compliance with legal retention periods);
  • The legal basis for processing to protect our legitimate interests mentioned below is Art. 6 para. 1 lit. f GDPR (e.g. analysis and clarification of misuse or attacks on the communication systems, legitimation and authentication; protection against or identification of possible fraudulent transactions, communication via telephone, e-mail, fax, live chat, video call and other channels; sending of samples, premiums, products and information, delivery of user-specific offers and information about our products and services, surveys on our websites, personalization of offers on the Internet, via e-mail, fax and other channels, determination of the effectiveness of our advertising).

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

3. Security measures

In accordance with Art. 24 and 32 GDPR, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to personal data as well as the access to, input, disclosure, availability and separation of personal data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, deletion of personal data and response to threats to personal data. We also take the protection of personal data into account as early as the development or selection of hardware, software and processes, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).

The security measures include, in particular, the encrypted transmission of data between your browser and our server. Third-party security measures include, in particular, IP masking (pseudonymization of your IP address).

4. Joint responsibility, information pursuant to Art. 26 para. 2 GDPR

Due to the close cooperation in some areas, we may also process your personal data jointly with another controller within the meaning of Art. 26 GDPR. The respective partners are determined by the individual cooperation with regard to the purposes outlined below. Information on how the partners process your personal data can be found in their respective privacy statements. To guarantee your rights in particular and taking into account the requirements of the GDPR, we have concluded an agreement on this in each individual case, which sets out rules on the processing of your personal data. Thus, as so-called joint controllers, we are jointly responsible for the processing of your personal data.

4.1. Purposes of data processing in the context of joint responsibility

Joint responsibility may exist in the context of the processing of your personal data, in particular for the following purposes:

  • Integration of our services on third-party websites, e.g. integration of wizards, plug-ins or other technical means;
  • Integration of third-party services on our websites, e.g. integration of wizards, plug-ins or other technical means;
  • Conducting surveys, interviews and their analysis;

4.2. Categories of data processed in the context of shared responsibility

In particular, we process the following categories of personal data:

  • Inventory data (e.g., first and last name);
  • Contact details (e.g. telephone number, e-mail address);
  • Content data (e.g. communication content);
  • Metadata (e.g. IP address).

4.3. Contact information to exercise your rights

We have agreed on a case-by-case basis with our respective partner on how we will ensure your rights and have specified in more detail which obligations are incumbent on each partner to comply with the obligations of the GDPR. Particularly relevant is ensuring the exercise of your rights as a data subject as well as the fulfillment of the information obligations pursuant to Art. 13 and 14 GDPR towards you. We will be happy to answer general inquiries or comments using the contact information provided in number 1 of this privacy information. To exercise your rights, please use the contact form linked in number 14 of this privacy information.

Independently of the contact point set up with us, you can also assert your rights directly against the respective partner.

Note: Insofar as your personal data – beyond the joint responsibility – is processed by a partner, the separate exercise of rights against this partner is open to you.

5. Cooperation with third parties and processors

If we disclose personal data to third parties and companies – including group companies – within the scope of our processing, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transfer of data to third parties, such as to payment service providers, is required for the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

Insofar as we commission so-called processors with the processing of personal data on the basis of a so-called “order processing agreement” and thereby secure for ourselves, among other things, the necessary influence or control powers with regard to the processing and use of the personal data, this is done on the basis of an agreement on order processing in accordance with Art. 28 GDPR.

6. Transfers to third countries

If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using third-party services or disclosing or transferring personal data to third parties, this will only be done if it is done to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow personal data to be processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met. This means, for example, that processing takes place on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to that of the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

7. Additional information for website users

This information informs you about the nature, scope and purpose of the processing of personal data within our online offer and the websites, functions and content associated with it, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”). Supplementary information on this can be found in our customer data protection information.

7.1 Cookies, analysis, tracking, optimization

Supplementary information on the cookies we use can be found in our Cookie Policy. We provide information about technologies from us or from third parties that are used not only to provide a function within our online offering, but also exclusively or additionally to analyze user behavior, tracking, optimize our marketing activities, or for other purposes in this privacy policy and in our cookie policy.

7.2 Purposes of data processing

We process your personal data in particular for the following purposes:

Provision of the online offer, its content and functions; marketing, advertising, public relations and market research; security measures; tracking (e.g. interest/behavior-based profiling, use of cookies); remarketing; visit action evaluation, interest-based and behavior-based marketing, profiling (creation of user profiles); conversion measurement (measurement of the effectiveness of marketing measures); targeting (determination of target groups relevant for marketing purposes or other output of content); cross-device tracking (cross-device processing of user data for marketing purposes).

7.3 Data categories

In particular, we process the following categories of data:

Usage data (e.g. web pages visited, use of services, interest in content, access times); meta/communication data (e.g. device information, IP addresses, browser type); location data (data indicating the location of an end user’s terminal device).

7.4 Collection of access data and log files

On the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR, we collect data about each access to the server on which this service is located (so-called server log files). Access data includes the path of the website accessed, associated files, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider, as well as other browser header data. In particular, the processing of your IP address as personal data is necessary for the communication between your browser and our server.

Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud) for a period of 6 months and then deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until final clarification of the respective incident. As a matter of principle, this data will not be passed on to third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR.

8. Use of video conferencing tools

When you communicate with us via video conferencing, we and the provider of the respective video conferencing platform (hereinafter referred to as “platform(s)”) process your personal data. With the following specific privacy policy, we inform you about the processing of your personal data within the scope of use.

8.1. Purposes and legal bases

We use platforms, for example, to offer certain services (e.g., conducting webinars or training courses, etc.) or simply to enable communication (both internal and external). The use of the platforms and other related purposes is therefore necessary for the provision of our products and services and, in principle, for the performance of contracts (cf. Art. 6 para. 1 lit. b GDPR, § 26 para. 1 BDSG).

In addition, the use of the platforms is regularly in our legitimate interest (cf. Art. 6 para. 1 lit. f GDPR), as it simplifies the implementation or provision of our services and accelerates communication (both internal and external) or even makes it possible in the first place, especially if face-to-face events should not be possible. In the context of the provision of use, it may also be in our legitimate interest to carry out troubleshooting and generate evaluations.

Furthermore, the platforms may also be used on the basis of consent (cf. Art. 6 para. 1 lit. a GDPR), in particular in connection with any recording within the scope of use. We will inform you of this separately in advance in each case, in particular with regard to the personal data processed in connection with the recording (e.g. recording of image and spoken contributions or transcription of these).

8.2. The processed (personal) data

When using the platforms, we process (personal) data. Which (personal) data is processed and to what extent depends in particular on the service offered, the platform used, the technical functions used and the information you provide before, during or after participating in a meeting, e.g. a webinar. During a meeting, content can therefore also be exchanged, uploaded or otherwise made available. Typically, we process the following (personal) data in particular:

Meeting participant details: In order to participate in a meeting or enter the meeting room, at least the first and last name must usually be entered (depending on the platform used). Under certain circumstances, it is also possible to enter only a pseudonym. In addition to first and last name, we process the e-mail address and the access password to the meeting, optionally the profile picture and the telephone number.

If necessary, the information will be processed after the meeting for further purposes (e.g. issuance of participation confirmations). As a rule (depending on the platform and configuration used), the information is deleted 30 days after the end of the meeting. More information about the duration of personal data storage and deletion can be found below under No. 5.

Metadata: The following metadata may be generated as part of a meeting: Time and date of meeting, duration of meeting, interruptions of meeting, log-in and log-out time(s), measurement of behavior in the meeting, e.g. share of speech (optional), participant IP addresses, information on hardware and software used.

If necessary, metadata is used after the meeting for troubleshooting or evaluation, among other things. Metadata is usually deleted 30 days after the meeting ends (depending on the platform and configuration used). More information about the duration of personal data storage and deletion can be found below under No. 5.

Text, audio and video data: It is possible (if the function is enabled) to use the chat, question or poll function in a meeting. Text entries made are processed in order to display them in the meeting and log them if necessary. In addition, to enable the display of video and the playback of audio, (personal) data from the video camera and the microphone of the terminal device are processed during the duration of the meeting. The video camera and/or microphone can be switched off or muted by the user at any time.

Text, audio and video data will only be processed for specific purposes after the meeting (e.g. providing a link to view the webinar afterwards). After the purpose ceases to apply (e.g. expiry of the validity of the link), the data is deleted as a matter of principle, insofar as no further purpose justifies the processing. More information about the duration of personal data storage and deletion can be found below under No. 5.

Recording, storage: Optionally, video, audio and presentation recordings are made or, if necessary, a transcription of the spoken word. Recordings require that the camera and microphone are switched on, the screen is shared if necessary and the resulting functions are also used. Depending on the platform and configuration used, the transcription can also be set to be anonymous if necessary.

If the chat function is also used, the information you provide will be stored in the meeting chat text file. This also applies to sent files.

Recordings or other stored data are generally only processed after the meeting to the extent that this is necessary to achieve the purpose (e.g. subsequent provision of a link to view the webinar). If the purpose ceases to apply (e.g. expiry of the validity of the link), the records or other stored data are deleted as a matter of principle, insofar as no further purpose justifies the processing. More information about the duration of personal data storage and deletion can be found below under No. 5.

Dialing in with the telephone: As a rule, the phone number and country are processed, optionally location and connection data.

Where necessary, dial-in data is used after the meeting, e.g. for troubleshooting or evaluation. They are usually deleted 30 days after the end of the meeting (depending on the platform and configuration used). More information on the subject of the duration of storage of personal data and deletion can be found below under No. 5.

8.3. Platforms used, recipients of the (personal) data

To fulfill the aforementioned purposes, we currently use the following platforms in particular: Teams and Skype from Microsoft, GoToMeeting from LogMeIn, WebEx from Cisco and Zoom from Zoom Video Communications.

The data protection declarations of the platform providers (hereinafter “Providers”), with each of which we have concluded a commissioned processing agreement pursuant to Art. 28 GDPR, can be found here:

Teams and Skype from Microsoft:
https://docs.microsoft.com/de-de/microsoftteams/teams-privacy

GoToMeeting from LogMeIn:
LogMeIn (USA) Privacy Policy

WebEx from Cisco:
Cisco Online Privacy Statement – Cisco

Zoom from Zoom Video Communications:
Privacy | Zoom

Within our company, (only) those internal departments or employees receive personal data insofar as they need it to fulfill the aforementioned purposes in particular (enabling communication via a platform by creating a meeting). However, the data recipients are each required to use personal data only to the extent necessary.

If we transfer personal data to other (external) persons, companies or other third parties (e.g. downstream transfer of the recording of the meeting to participants) or grant them other access to personal data, this will only be done on the basis of legal permission or appropriate consent. If we commission third parties with the processing of personal data on the basis of a so-called “order processing agreement” and thereby secure the necessary powers of influence or control with regard to the processing and use of personal data, among other things, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the lawfulness of the data processing. In this context, we also ensure that the providers maintain appropriate technical and organizational measures to protect personal data.

In addition, providers may also process personal data for their own purposes. Please note that in this case, the providers themselves are responsible and must fulfill the obligations arising from the GDPR (e.g. obligation to inform, obligation to delete after the purpose has been achieved, etc.). You can find more information in the privacy statements of the providers (see above).

8.4. Processing of personal data in a third country

As far as possible, we will carry out the processing of personal data on the territory of the Federal Republic of Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area (e.g., we will store (have stored) the data generated in the course of use in an “EU cluster”).

However, if processing of personal data in third countries (e.g. USA) is necessary, in particular in connection with the commissioning of providers, we will ensure that the specific legal requirements for such processing operations are met and thus that an adequate level of data protection prevails in the respective third country. This includes, in particular, checking whether the European Commission has decided that an adequate level of protection exists in a third country (cf. Art. 45 GDPR) or whether suitable or adequate safeguards (e.g. standard contractual clauses) are in place and the enforcement of your rights is guaranteed, as well as whether sufficient technical and organizational measures are in place to protect the personal data.

For information on the appropriate or adequate safeguards and how and where to obtain a copy of them, please contact [email protected].

8.5. Duration of storage of personal data, deletion

In principle, we process or store personal data for the duration of a meeting or webinar and any subsequent services/processes (e.g. issuing certificates of attendance, providing the link to a webinar or transcription, etc.). In addition, we may also process or store personal data for other purposes, such as troubleshooting and evaluation purposes.

If the processing or storage is no longer necessary, we delete the personal data. This does not apply if, among other things, legally prescribed retention periods prevent deletion (cf. Art. 17 para. 3 GDPR) and/or another case of Art. 17 para. 3 GDPR applies and/or a new purpose justifies further processing.

Pursuant to Art. 5 para. 1 lit. d GDPR, incorrect and/or incomplete data will be deleted or, as far as possible, corrected without delay.

8.6. Technical and organizational measures

To ensure that personal data is protected, the following technical and organizational measures are taken in particular:

  • User authentication;
  • Possibility for two-factor authentication (e.g. with Zoom and MS Teams);
  • Transport / end-to-end encryption;
  • Possibility to pixelate backgrounds after activating camera;
  • Possibility of participation with video/sound by default;
  • Participation without creating account (guest account);
  • Participation without installing application (web client);
  • Recording and storage turned off by default; recording is started only after consent.

8.7. Further data protection information

Further information on the processing of your personal data, in particular on your rights, can be found in the privacy policy applicable to you as a customer, supplier, etc. (cf. privacy policies available above) or in this privacy policy.

9. Contact

When you contact us (via contact form, telephone, fax, mail or e-mail), your personal data will be processed pursuant to Art. 6 para. 1 lit. b and lit. f GDPR in order to handle and process your request. The information marked as mandatory in the contact form is required for the processing of your request.

As a rule, we delete requests 3 months after their receipt, but at the latest once they have been answered. Where statutory retention obligations must be observed, deletion takes place after they expire.

10. Deletion, anonymization and retention

The personal data processed by us will be deleted in accordance with Art. 17 GDPR. Unless expressly stated within the scope of this data protection declaration, the personal data stored by us will be deleted as soon as it is no longer required for its intended purpose and, in particular, the deletion is not precluded by any statutory retention obligations. If the personal data is not deleted because its processing is required for other legally permissible purposes, the processing will be restricted. This means that the personal data is blocked and not processed for other purposes.

Instead of deleting your personal data, we will, if necessary, anonymize it in a way that irreversibly excludes the possibility of recovering the personal data in the future.

According to the legal requirements, data is stored in particular for 6 years pursuant to § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) as well as for 10 years pursuant to § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

11. Your rights

You have the right to withdraw your consent to the processing of your personal data at any time with effect for the future pursuant to Art. 7 para. 3 GDPR. Processing that took place before the revocation therefore remains lawful.

Pursuant to Art. 15 GDPR, you can request information about your personal data processed by us.

Pursuant to Art. 16 GDPR, you can request the immediate correction of incorrect personal data or the completion of your personal data stored by us.

Pursuant to Art. 17 GDPR, you can demand the deletion of your personal data stored by us in accordance with the conditions stated there, unless legally prescribed retention periods prevent immediate deletion (cf. Art. 17 para. 3 GDPR) and/or another case of Art. 17 para. 3 GDPR exists and/or a new purpose justifies further processing.

Pursuant to Art. 18 para. 1 GDPR, you may request the restriction of data processing if one or more of the conditions pursuant to Art. 18 para. 1 lit. a to d GDPR are met.

Pursuant to Art. 20 para. 1 GDPR, you can receive the personal data we process in a structured, common and machine-readable format, as well as transfer this data to another controller without hindrance from us.

Furthermore, you may object to the processing of your personal data pursuant to Art. 21 para. 1 GDPR. In the event of an objection, we will terminate the processing of your personal data. However, the right to object only applies in the event of special circumstances arising from your personal situation. In addition, compelling legitimate grounds which justify the processing may prevail. In addition, certain processing purposes may conflict with your right to object.

Pursuant to Art. 21 para. 2 GDPR, you have the right to object to the processing of personal data concerning you for the purpose of direct marketing at any time without further requirements. This also applies to profiling, insofar as it is associated with such direct advertising. If you object, your personal data will no longer be processed for these purposes (cf. Art. 21 para. 3 GDPR).

Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with the competent supervisory authority (cf. Art. 77 GDPR) if you believe that the processing of your data violates data protection provisions. In this context, however, we ask you to address a possible complaint to us first. We will then try to remedy the situation as quickly and as best as possible.