This Notice applies to you if you are a Business Partners of KARL STORZ as an individual (e.g., an independent health care professional, a consultant or sole entrepreneur) or if you are an employee of a Business Partner who interacts with KARL STORZ on such Business Partner's behalf.
2. Categories of Personal Data
KARL STORZ collects, processes, and uses the following categories of personal data about you from you or from authorized third parties (e.g., your supervisor, registers, public authorities, or public resources) in connection with the business relationship between you and KARL STORZ (collectively, "Business Partner Data"), if applicable and as permitted by applicable law:
- Contact details and master data, such as: Name, academic title, gender, address, phone number, email address, fax number, employer, job position / job title, job description, specialization;
- Communication and customer relationship data, such as: Information contained in business documents, content of communication (e.g., call summaries), date and time of meetings, intended relationship activities, details of form of communication (e.g., email, phone), interests into business lines, responsible customer account;
- Payment information (e.g., if it relates to you as an individual), such as: Credit card information, bank account information, payment methods preferred;
- Authentication data for IT systems, such as: Login ID or name, passwords;
- Media (in certain circumstances), such as: Images, videos, audios;
3. Processing Purposes, Legal Bases for the Processing, and Consequences
Business Partner Data is collected, processed, and used for the following purposes (collectively, "Processing Purposes"):
a) Entering into and performing the relationship with the Business Partner, including fulfilling the contractual obligations, organize and administer personal meetings and other personal interaction/communication, invitation to events, document and expand relationship, provision of samples, product service and support, invoicing and payment, market research and legal and compliance activities
b) Security and fraud prevention activities such as prevention of fraud, misuse of IT systems, or money laundering, physical security, IT and network security, or internal investigations
Furthermore, KARL STORZ relies on the following legal grounds for the collection, processing, and use of personal data:
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Art. 6 (1)(b) GDPR).
- The processing is necessary for compliance with a legal obligation to which KARL STORZ is subject (Art. 6(1)(c) GDPR).
- The processing is necessary for the purposes of the legitimate interests pursued by KARL STORZ or a KARL STORZ affiliate (Art. 6(1)(f) GDPR).
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6(1)(a) GDPR).
The provision of personal data as described above is partly a statutory requirement and partly required to enter into and carry out a (contractual) relationship with the Business Partner, and is voluntary. However, if you do not provide Business Partner Data, we might not be able to enter into and carry out a (contractual) relationship with the Business Partner.
4. Categories of Recipients and International Transfers
It is possible that we will transfer your Business Partner Data to third parties for the Processing Purposes as follows:
- Within the KARL STORZ group: Business Partner Data may be received by different recipients within the KARL STORZ group. Depending on the categories of personal data and the purposes for which the personal data has been collected, different KARL STORZ entities and the internal departments within the KARL STORZ entities may receive personal data. For example, our IT department may have access to authentication data for IT systems, and our marketing and sales departments may have access to contact details and master data or payment information. Moreover, other departments within the KARL STORZ group may have access to certain personal data about you on a need to know basis, such as the legal department, the finance department or internal auditing.
- With data processors: Certain third party service providers such as IT support and IT application providers, whether affiliated or unaffiliated, will receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the Processing Purposes, in particular to provide IT and other administrative support (e.g., service providers who provide account payable support or IT hosting and maintenance support), comply with applicable laws, and other activities. The Processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.
- With other recipients: We may transfer - in compliance with applicable data protection law - personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or other business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition.
Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfill their job responsibilities. KARL STORZ may also disclose your personal data as required or permitted by applicable law to professional advisors, governmental authorities and courts.
It is possible that the recipients identified above which will receive or have access to personal data, are located inside or outside the European Economic Area ("EEA").
- For recipients located outside of the EEA, some are certified under the EU-U.S. Privacy Shield and others are located in countries with adequacy decisions pursuant to Art. 45 GDPR. Those recipients are located in the USA (if certified under the EU-U.S. Privacy Shield), Argentina, Canada and Switzerland. In each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective.
- Other recipients are located in countries which do not adduce an adequate level of protection from a European data protection law perspective (in particular, the USA (if not certified under the EU-U.S. Privacy Shield), Australia, Brazil, China, Hong Kong, India, Japan, Kazakhstan, Korea, Lebanon, Mexico, Russia, Singapore, South Africa, Taiwan, Ukraine, Cuba, Azerbaijan, Turkey, Vietnam). We will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law.
- With respect to transfers to countries not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as standard data protection clauses adopted/approved by the European Commission or by a supervisory authority (Art. 46(2)(c) or (d) GDPR), approved codes of conduct together with binding and enforceable commitments of the recipient (Art. 46 (2)(e) GDPR), approved certification mechanisms together with binding and enforceable commitments of the recipient (Art. 46 (2)(f) GDPR), or binding corporate rules (Art. 46 (2)(b), 47 GDPR). You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 8 (Questions and Contact Information).
- The data transfer to KARL STORZ affiliates is protected by standard data protection clauses adopted/approved by the European Commission (Art. 46(2)(c) or (d) GDPR).
- The data transfer to Processors which are neither certified under the EU-U.S. Privacy Shield nor located in a country with other adequacy decision will typically also be protected by such standard data protection clauses (Art. 46(2)(c) or (d) GDPR).
5. Retention Period
Your personal data will be retained as long as necessary for the Business Partner relationship. Once the relationship ended, we will either delete your personal data or anonymize your personal data, unless statutory retention requirements apply. We may retain your contact details and interests in our products or services for a longer period of time if KARL STORZ is allowed to send you marketing materials. Also, we may be required by applicable law to retain your personal data for a period of 10 years after the relevant taxation year. We may also retain your personal data after the termination of the contractual relationship if your personal data are necessary to comply with other applicable laws or if we need your personal data to establish, exercise or defend a legal claim, on a need to know basis only. To the extent possible, we will restrict the processing of your personal data for such limited purposes after the termination of the contractual relationship.
6. Your Rights
If you have declared your consent regarding certain collecting, processing and use of your personal data (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with future effect as set out in the relevant marketing communication. Further, you can object to the use of your personal data for the purposes of marketing (free of charge).
Pursuant to applicable data protection law, you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; (vi) object to the processing of your personal data (including objection to profiling); (vii) exercise other rights in connection with automated decision-making; and (viii) lodge a complaint with the competent data protection supervisory authority (contact details of the data protection supervisory authorities can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html).
7. Questions and Contact Information
If you want to exercise your data privacy rights as stated in Section 6 above or if you have questions regarding this Notice, please contact us:
KARL STORZ SE & Co. KG
78532 Tuttlingen, Germany
Tel. +49 7461 708-0
The contact details of our data protection officer are as follows:
KARL STORZ SE & Co. KG
Data Protection Officer
78532 Tuttlingen, Germany
Tel. +49 7461 708-0