Business Partner Data Protection Notice
KARL STORZ SE & Co. KG, Dr.-Karl-Storz-Straße 34, 78532 Tuttlingen, Germany (contact information see Section 7 below) ("KARL STORZ" or "we" or "our") provides this Business Partner Data Protection Notice ("Notice") to explain our practices as the responsible controller regarding the collection, processing, and use of personal data relating to our customers, vendors, suppliers and other business partners as well as their employees (collectively, "Business Partners"). The Notice considers the requirements of the European General Data Protection Regulation ("GDPR").
This Notice applies to you if you are a Business Partners of KARL STORZ as an individual (e.g., an independent health care professional, a consultant or sole entrepreneur) or if you are an employee of a Business Partner who interacts with KARL STORZ on such Business Partner's behalf.
2. Categories of Personal Data
KARL STORZ collects, processes, and uses the following categories of personal data about you from you or from authorized third parties (e.g., your supervisor, registers, public authorities, or public resources) in connection with the business relationship between you and KARL STORZ (collectively, "Business Partner Data"), if applicable and as permitted by applicable law:
- Contact details and master data, such as: Name, academic title, gender, address, phone number, email address, fax number, employer, job position / job title, job description, specialization;
- Communication and customer relationship data, such as: Information contained in business documents, content of communication (e.g., call summaries), date and time of meetings, intended relationship activities, details of form of communication (e.g., email, phone), interests into business lines, responsible customer account;
- Payment information (e.g., if it relates to you as an individual), such as: Credit card information, bank account information, payment methods preferred;
- Authentication data for IT systems, such as: Login ID or name, passwords;
- Media (in certain circumstances), such as: Images, videos, audios;
3. Processing Purposes, Legal Bases for the Processing, and Consequences
Business Partner Data is collected, processed, and used for the following purposes (collectively, "Processing Purposes"):
a) Entering into and performing the relationship with the Business Partner, including fulfilling the contractual obligations, organize and administer personal meetings and other personal interaction/communication, invitation to events, document and expand relationship, provision of samples, product service and support, invoicing and payment, market research and legal and compliance activities
b) Security and fraud prevention activities such as prevention of fraud, misuse of IT systems, or money laundering, physical security, IT and network security, or internal investigations
Furthermore, KARL STORZ relies on the following legal grounds for the collection, processing, and use of personal data:
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Art. 6 (1)(b) GDPR).
- The processing is necessary for compliance with a legal obligation to which KARL STORZ is subject (Art. 6(1)(c) GDPR).
- The processing is necessary for the purposes of the legitimate interests pursued by KARL STORZ or a KARL STORZ affiliate (Art. 6(1)(f) GDPR).
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6(1)(a) GDPR).
The provision of personal data as described above is partly a statutory requirement and partly required to enter into and carry out a (contractual) relationship with the Business Partner, and is voluntary. However, if you do not provide Business Partner Data, we might not be able to enter into and carry out a (contractual) relationship with the Business Partner.
4. Categories of Recipients and International Transfers
It is possible that we will transfer your Business Partner Data to third parties for the Processing Purposes as follows:
- Within the KARL STORZ group: Business Partner Data may be received by different recipients within the KARL STORZ group. Depending on the categories of personal data and the purposes for which the personal data has been collected, different KARL STORZ entities and the internal departments within the KARL STORZ entities may receive personal data. For example, our IT department may have access to authentication data for IT systems, and our marketing and sales departments may have access to contact details and master data or payment information. Moreover, other departments within the KARL STORZ group may have access to certain personal data about you on a need to know basis, such as the legal department, the finance department or internal auditing.
- With data processors: Certain third party service providers such as IT support and IT application providers, whether affiliated or unaffiliated, will receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the Processing Purposes, in particular to provide IT and other administrative support (e.g., service providers who provide account payable support or IT hosting and maintenance support), comply with applicable laws, and other activities. The Processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.
- With other recipients: We may transfer - in compliance with applicable data protection law - personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or other business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition.
Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfill their job responsibilities. KARL STORZ may also disclose your personal data as required or permitted by applicable law to professional advisors, governmental authorities and courts.
It is possible that the recipients identified above which will receive or have access to your personal data, are located inside or outside the European Economic Area ("EEA").
- Some of these recipients outside of the EEA are located in countries for which the EU Commission has determined that it provides an adequate level of data protection pursuant to Art. 45 GDPR, such as Argentina, Canada (for commercial organizations) and Switzerland. Thus, no further measures are required for the international transfer of your personal data.
- To the extent that recipients are located in other countries outside the EEA (in particular, Australia, Azerbaijan, Brazil, Cuba, China, Hong Kong, India, Japan, Kazakhstan, Korea, Lebanon, Mexico, Russia, Singapore, South Africa, Taiwan, Turkey, the United States, Ukraine and Vietnam) we have - to the extent required by law - implemented appropriate safeguards in accordance with Art. 46 (2) GDPR, in particular, by concluding standard data protection clauses (Art. 46(2)(c) or (d) GDPR) and by binding corporate rules (Art. 46 (2)(b), 47 GDPR). You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 8 (Questions and Contact Information).
5. Retention Period
Your personal data will be retained as long as necessary for the Business Partner relationship. Once the relationship ended, we will either delete your personal data or anonymize your personal data, unless statutory retention requirements apply. We may retain your contact details and interests in our products or services for a longer period of time if KARL STORZ is allowed to send you marketing materials. Also, we may be required by applicable law to retain your personal data for a period of 10 years after the relevant taxation year. We may also retain your personal data after the termination of the contractual relationship if your personal data are necessary to comply with other applicable laws or if we need your personal data to establish, exercise or defend a legal claim, on a need to know basis only. To the extent possible, we will restrict the processing of your personal data for such limited purposes after the termination of the contractual relationship.
6. Your Rights
If you have declared your consent regarding certain collecting, processing and use of your personal data (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with future effect as set out in the relevant marketing communication. Further, you can object to the use of your personal data for the purposes of marketing (free of charge).
Pursuant to applicable data protection law, you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; (vi) object to the processing of your personal data (including objection to profiling); (vii) exercise other rights in connection with automated decision-making; and (viii) lodge a complaint with the competent data protection supervisory authority (contact details of the data protection supervisory authorities can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html).
7. Questions and Contact Information
If you want to exercise your data privacy rights as stated in Section 6 above or if you have questions regarding this Notice, please contact us:
KARL STORZ SE & Co. KG
78532 Tuttlingen, Germany
Tel. +49 7461 708-0
The contact details of our data protection officer are as follows:
KARL STORZ SE & Co. KG
Data Protection Officer
78532 Tuttlingen, Germany
Tel. +49 7461 708-0