Data privacy

Basic principle

NVT takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection provisions and this privacy policy.

It is ordinarily possible to use our website without supplying personal data. If personal data (such as name, address or e-mail addresses) is collected on our pages, this always occurs on a voluntary basis to the extent possible. Such data is not shared with third parties without your express consent.

We point out that the transmission of data over the Internet (for example, while communicating via e-mail) can have security vulnerabilities. It is not possible to completely protect data against third-party access.

Name and address of party responsible for the processing
The controller in terms of the General Data Protection Regulation, of other applicable data protection laws in the member states of the European Union and of other provisions with a data protection character is:

NVT GmbH
Lotzenäcker 17
72379 Hechingen
phone: +49 (0) 7471 989 79 0
email: info-sh@biosensors.com

Name and address of the data protection officer
The data protection officer of the controller is:

Steffen Wacker
E-Mail: privacy@biosensors.com

Server-Log-Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• Browser type and version
• Operating system used
• Referer URL
• Hostname of the accessing computer
• Date and time of the server request
• Quantity of data sent in bytes
• Your IP address (in anonymized form, if appropriate)

This data cannot be related to specific persons. This data is not conflated with other data sources. The data is processed pursuant to Art. 6 (1)(f) GDPR based on our legitimate interest in improving the stability and functionality of our website. The data is not shared or used in any other manner. We reserve the right to review this data later if we become aware of concrete indications of unlawful use.

Please keep in mind that you can set your browser to inform you of the setting of cookies and can individually decide on accepting them or can exclude cookies for specific cases or generally. Each browser differs in the way it administers cookie settings. This is described in the help menu of each browser, which explains for you how you can change your cookie settings. You can find them for the particular browsers at the following links:

Internet Explorer:
https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

Firefox:
https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Chrome:
https://support.google.com/chrome/answer/95647?hl=en&hlrm=en

Safari:
https://support.apple.com/en-gb/HT201265

Opera:
https://help.opera.com/en/latest/web-preferences/

Please note that refusal to accept cookies can limit the functionality of our website.

SSL encryption
This site uses SSL encryption for reasons of security and to protect the transmission of confidential content, such as the queries you send to us as the site operator. You can recognize an encrypted connection by the fact that the browser address line changes from “http://” to https://” and through the padlock icon in your browser line. When SSL encryption is activated, the data you transmit to us cannot be read by third parties.

Making contact

Contact form
If you send inquiries to us by a contact form, we store your information from the inquiry form—including the contact data you supply there—for the purpose of processing the inquiry and in case of follow-up questions. We do not share this data without your consent.

The data that is entered into the contact form is thus processed exclusively based on your consent (Art. 6(1)(a) GDPR). You can revoke this consent at any time.

An informal e-mail communication to us is sufficient. The lawfulness of the data processing operations that are completed up to the revocation remains unaffected by the revocation.

Data you entered in the contact form remains with us until you ask us to delete it, you revoke your consent to store it or the purpose of the data storage no longer applies (for example, after completion of the processing of your query). Compulsory statutory provisions—especially retention periods—remain unaffected.

Query by e-mail, telephone or fax
When you contact us by e-mail, telephone or fax, your query, along with all resulting personal data (name, query), is stored and processed by us for purposes of handling your matter. We do not share this data without your consent.

This data is processed based on Art. 6(1)(b) GDPR if your query is associated with the fulfillment of a contract or is required for the performance of pre-contractual activities. In all other cases, the processing is based on your consent (Art. 6(1)(a) GDPR) and/or on our legitimate interests (Art. 6 (1)(f) GDPR) because we have a legitimate interest in the effective handling of the queries that are sent to us.

Data you sent to us via contact requests remains with us until you ask us to delete it, you revoke your consent to store it or the purpose of the data storage no longer applies (for example, after the processing of your matter is completed). Compulsory statutory provisions—especially statutory retention periods—remain unaffected.

Data processing for order handling
To process your order, we work with service providers who assist us, entirely or in part, with the performance of contracts that have been entered into. When you engage us to render a service or to ship goods, your personal data is used without your separate consent only to the extent necessary for rendering the service or performing the contract. This expressly includes the sharing of your data with carriers, credit bureaus or other service companies that are employed to render the service or process the contract.

We share personal data we collect in the course of contract processing with, for example, the carrier that is engaged for the delivery, provided that this is required for the delivery of the goods. We share your payment data with the financial institution we engage in the course of payment processing, provided that such is required for payment processing. The legal basis for the sharing of the data while doing this is Art. 6 (1)(b) GDPR.

We disclose customer accounts and personal data about customers when we are legally required to do so or when such disclosure is required in order to enforce our general terms and conditions of business or other agreements or to protect our rights and the rights of our customers and those of third parties.

Rights of the data subject
Applicable data protection law affords you extensive data-subject rights (information and intervention rights) toward the controller regarding the processing of your personal data; we inform you of these rights below:

• Right to information pursuant to Art. 15 GDPR: You expressly have a right to information about your personal data that we process, the processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your data was or is disclosed, the planned duration of storage or criteria for its definition, the existence of a right to rectification, erasure or restriction of processing, the right to object to the processing, lodging a complaint with a supervisory authority, the origin of your data if we did not collect it from you, the existence of an automated decision-making process, including profiling and any meaningful information about the logic involved and the implications and intended effects on you of such processing as well as your right to be informed of the safeguards which exist pursuant to Art. 46 GDPR if your data is transmitted to a third country;

• Right to rectification pursuant to Art. 16 GDPR: You have a right to have, without undue delay, incorrect data that concerns you rectified and/or your incomplete data that is stored with us completed;

• Right to erasure pursuant to Art. 17 GDPR: You have the right to request that your personal data be erased if the requirements of Art. 17 (1) GDPR exist. However, this right expressly does not exist if processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;

• Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request that the processing of your personal data be restricted while the accuracy of your data that you have contested is being verified, when you oppose the erasure of your data in view of unlawful processing and instead request that the processing of your data be restricted, when you need your data for the establishment, exercise or defense of legal claims after we no longer need this data for the purpose of the processing or when you have objected for reasons of your special situation, pending verification whether our legitimate grounds are overriding;

• Right to notification pursuant to Art. 19 GDPR: If you have asserted the right to rectification, erasure or restriction of processing with respect to the controller, the controller is obligated to communicate such rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about those recipients.

• Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data you have provided to us in a structured, commonly used and machine-readable format or to request transmission to another controller as long as this is technically feasible;

• Right under Art. 7 (3) GDPR to withdraw consents you have given: You have the right to withdraw, at any time with future effect, a consent you once gave for the processing of data. In case of withdrawal, we will erase the data at issue without undue delay, unless a continued processing is legally supportable on the basis of processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;

• Right to lodge a complaint pursuant to Art. 77 GDPR: If you feel that the processing of personal data concerning you infringes the GDPR, you have—without prejudice to any other administrative or judicial remedy—the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the alleged infringement.

Right to information, erasure, blocking
You have the right at all times to information, without charge, about your stored personal data, its origin and recipient(s) and the purpose of the data processing as well as a right to have the data rectified, blocked or erased. For this and other questions on the subject of personal data, you may contact us at any time at the address indicated in the Imprint.

Should you have questions that this privacy policy was unable to answer or should you have questions about the processing of your personal data, you can contact our data protection officer, who is also available to respond to requests for information, suggestions or complaints.

Data security
We maintain all kinds of security measures in terms of Art. 32 GDPR (technical and organizational measures) for the protection of your personal data. If you should contact us by e-mail, we point out that the confidentiality of the transmitted information is not guaranteed. Under certain circumstances, the content of e-mails can be viewed by third parties. We therefore recommend that you send confidential information to us by conventional mail.

Objection to promotional e-mails
Contact information published for the site notice obligation may not be used to send promotional and informational materials that have not been expressly requested. The operators of the pages expressly reserve the right to take legal steps against unsolicited promotional information, such as in the form of spam.

Right to object
If in the course of a weighing of interests, we process your personal data based on our predominantly legitimate interests, you have the right to object to this processing at any time with future effect for reasons that originate from your special situation.

If you avail yourself of the right to object, we stop processing the affected data. However, we reserve the right to continue processing if we can prove compelling reasons for processing that are worth protecting and outweigh your interests, fundamental rights and freedoms, or if the processing serves the establishment, exercise or defense of legal claims.

If we process your personal data in order to engage in direct advertising, you have the right to object at any time to the processing of personal data about you for purposes of such advertising. You can make the objection as described above. If you avail yourself of the right to object, we stop processing the affected data for purposes of direct advertising.

Duration of the storage of personal data
The duration of the storage of personal data is calculated with reference to the respective statutory retention period (e.g. commercial and taxation-related retention periods). Upon expiration of the period, the corresponding data is routinely erased unless it is still required for contract performance or initiation and/or a legitimate interest in continued storage persists on our part.

Update of the privacy policy
This privacy policy shall be updated if and when NVT launches new products or services, changes Internet procedures or if Internet and computer security technology develops. We will publish the changes here.

General Information Obligations

Which of your data do we process? And for what purposes?

If we have received data from you, we will only process it for the purposes for which we received or collected it.

Data processing for other purposes is only considered if the necessary legal requirements pursuant to Art. 6 (4) GDPR are met.

In the following, we inform you about the purposes for which we process your data in particular.

Duty to inform website visitors

Purpose and legal basis of data processing (Art. 13 (1c) GDPR)

• Handling and processing of inquiries when using the contact form integrated into the website (Art. 6 para. 1 f GDPR)
• Technical operation of the website (Art. 6 para. 1 f GDPR)
• Optimization of the website offer by evaluating website usage data (Art. 6 para. 1 f GDPR)

Interests of the controller in the balancing of interests (Art. 13 (1d) GDPR)

• Assertion of legal claims and defense in legal disputes
• Ensuring the company's IT security and IT operations
• Prevention of criminal offenses
• Measures for business management and further development of services and products

Recipients or categories of recipients of the personal data (Art. 13 (1e) GDPR)
Software manufacturer of third-party components, advertising agency, affiliated companies, IT service providers.

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to affiliated companies in Switzerland and Singapore.

Storage period in accordance with statutory retention obligations (Art. 13 para. 2a GDPR)
Personal data is generally erased within ten years of termination of the contractual relationship or earlier if the purpose of storage no longer applies and there are no statutory retention obligations to the contrary.

Existence of a requirement to provide personal data (Art. 13 para. 2e GDPR)
The data collected is required for the technical operation of the website and the processing of your inquiries.

Duty to inform customers

Purpose and legal basis of the data processing (Art. 13 para. 1c GDPR)

• Processing of customer inquiries and orders transmitted in person, by email, telephone or other technical means of communication (Art. 6 (1b) GDPR)
• Processing of complaints (Art. 6 para. 1c GDPR)
• Billing purposes (Art. 6 para. 1b GDPR)
• Implementation of brand ting measures (Art. 6 para. 1a GDPR)
• Implementation and documentation of product training measures (Art. 6 para. 1a GDPR & Art. 6 para. 1c GDPR)
• Informing customers in the event of a product recall (Art. 6 (1d) GDPR)
• Fulfillment of legal obligations (Art. 6 para. 1c GDPR)
• Sending information material (Art. 6 para. 1b GDPR)
• Support of operational processes by service providers (Art. 28 GDPR)

Interests of the controller in the balancing of interests (Art. 13 (1d) GDPR)

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to affiliated companies in Switzerland and Singapore.

Storage period in accordance with statutory retention obligations (Art. 13 para. 2a GDPR)
All documents relevant to commercial or tax law are stored for at least 10 years, in special circumstances for 18 years due to other legal requirements. The storage of e-mail correspondence is stored in our archiving system for at least 10 years regardless of deletion from the respective mailbox.

Existence of a requirement to provide personal data (Art. 13 para. 2e GDPR)
The data collected is required for the conclusion of the purchase contract or for legal information purposes. Data for marketing purposes is provided voluntarily.

Information obligation for interested parties

Purpose and legal basis of the data processing (Art. 13 para. 1c GDPR)

• Contacting and establishing contact by an affiliated company, a customer or a medical advisor on the basis of transmitted contact data (e.g. business card) (Art. 6 para. 1a GDPR)
• Processing of contact requests (Art. 6 para. 1f GDPR)
• Preparation of offers for interested parties (Art. 6 para. 1f GDPR)
• Conclusion of purchase or commercial contracts (Art. 6 para. 1f GDPR)
• Fulfillment of legal obligations (Art. 6 para. 1c GDPR)

Interests of the controller when weighing up interests (Art. 13 (1d) GDPR)

Recipients or categories of recipients of the personal data (Art. 13 (1e) GDPR)
IT service providers, affiliated companies

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to affiliated companies in Switzerland and Singapore.

Storage period in accordance with statutory retention obligations (Art. 13 para. 2a GDPR)
Personal data is generally deleted within ten years or earlier if the purpose of the processing no longer applies (e.g. if a prospective customer does not become a customer) or the data subject requests this, provided that there are no statutory retention obligations to the contrary.

Existence of a requirement to provide personal data (Art. 13 para. 2 e GDPR)
The data collected is required to process inquiries from interested parties, to prepare offers, to conclude purchase or commercial contracts or to carry out business operations.

Information obligation for suppliers and service providers

Purpose and legal basis of the data processing (Art. 13 para. 1c GDPR)

• Purchase and processing of services and deliveries of goods (Art. 6 (1f) GDPR)
• Fulfillment of legal obligations (Art. 6 para. 1c GDPR)
• Sending information material (Art. 6 para. 1b GDPR)
• Support of operational processes by service providers (Art. 28 GDPR)

Interests of the controller when weighing up interests (Art. 13 (1d) GDPR)

Recipients or categories of recipients of the personal data (Art. 13 para. 1e GDPR)
Public authorities, companies with a public mandate (DEKRA/TÜV, auditors), IT service providers, banks, suppliers and service providers, purchasing groups, consultants, affiliated companies

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to affiliated companies in Switzerland and Singapore.

Existence of a requirement to provide personal data (Art. 13 (2e) GDPR)
The data collected is required for the conclusion and performance of the supplier or service relationship.

Duty to inform patients

Purpose and legal basis of the data processing (Art. 13 para. 1c GDPR)

• Supporting operational processes as a service provider for clinics and distributors in assessing the suitability of patient anatomies for our medical devices on the basis of pseudonymized computer tomographies (Art. 6 para. 1f GDPR).
• If a pseudonymization of the CT scans is not sufficient to clearly identify a patient in the context of an implantation of our medical devices, we may also store the full name in order to avoid confusion (Art. 6 para. 1d GDPR).
• Development of a heart valve prosthesis specially made for the patient as part of a custom-made product commissioned by a clinic or distributor (Art. 6 para. 1b GDPR, Art. 6 para. 1c GDPR & Art. 6 para. 1d GDPR)

Interests of the controller when weighing up interests (Art. 13 (1d) GDPR)

Recipients or categories of recipients of the personal data (Art. 13 (1e) GDPR)
Public authorities, companies with a public mandate (DEKRA/TÜV, auditors), IT service providers, consultants, affiliated companies, distributors

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to affiliated companies in Switzerland and Singapore.

Storage period in accordance with statutory retention obligations (Art. 13 para. 2a GDPR)
All documents relevant to commercial or tax law are stored for at least 10 years, and in special circumstances for 15 years due to other legal requirements. The storage of e-mail correspondence is stored in our archiving system for at least 10 years regardless of deletion from the respective mailbox. Data on patients is stored for 8 weeks for rejected cases after receipt of the data or 8 weeks for cases after implantation. In the case of custom-made products, we store the data for up to 18 years due to legal requirements.

Existence of a necessity to provide personal data (Art. 13 para. 2e GDPR)
The data collected is necessary for the conclusion and implementation of the supplier or service relationship with our customers (dealers, hospitals) and to ensure your medical care.

Information obligation for applicants

Purpose and legal basis of the data processing (Art. 13 para. 1c GDPR)

• Processing of applications and conclusion of employment contracts (Section 26 (1) BDSG-new)

Interests of the controller in the balancing of interests (Art. 13 (1d) GDPR)
Not applicable.

Recipients or categories of recipients of the personal data (Art. 13 (1e) GDPR)
IT service providers, affiliated companies

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to affiliated companies in Switzerland and Singapore.

Storage period in accordance with statutory retention obligations (Art. 13 para. 2 a GDPR)
The personal data will be deleted six months after the end of the application process, taking into account Section 61b para. 1 ArbGG in conjunction with Section 15 AGG.

Existence of a requirement to provide personal data (Art. 13 para. 2e GDPR)
The data collected is necessary for the application process. If it is not provided, it will not be possible to carry out the application process.

Duty to inform employees

Purpose and legal basis of the data processing (Art. 13 para. 1c GDPR)

• Management of the personnel file (Section 26 (1) BDSG-new in conjunction with Art. 88 (1) GDPR)
• Payroll accounting (Section 26 (1) BDSG-new in conjunction with Art. 88 (1) GDPR)
• Administration of pension contracts (Section 26 (1) BDSG-new in conjunction with Art. 88 (1) GDPR)
• Access and time recording (Section 26 (1) BDSG-new in conjunction with Art. 88 (1) GDPR)
• Collection of driver's license data for company car management and organization of rental cars (Art. 6 para. 1c GDPR)
• Processing of fines in road traffic (Art. 6 para. 1c GDPR)
• Displaying images of the data subject on the company website, in marketing materials or internal documents (e.g. employee handbook) with the data subject's consent (Art. 6 (1a) GDPR)
• Support of operational processes by service providers (Art. 28 GDPR)
• Exercising rights or fulfilling legal obligations under employment law, social security law and social protection law, e.g. providing health data to the health insurance fund, recording severe disability due to additional leave and determining the severely disabled person's levy (Art. 9 para. 2b GDPR)
• Processing of health data for the assessment of your ability to work (Art. 9 (2h) GDPR)
• Implementation of company integration management (Art. 9 para. 2a GDPR)

Interests of the controller when weighing up interests (Art. 13 (1d) GDPR)

• Assertion of legal claims and defense in legal disputes
• Entspring the company's IT security and IT operations
• Prevention of criminal offenses
• Measures for business management and further development of services and products

Recipients or categories of recipients of the personal data (Art. 13 para. 1e GDPR)
Authorities, companies with a public mandate (DEKRA/TÜV, auditors), IT service providers, banks, suppliers and service providers, tax office, IT service providers, consultants, affiliated companies, customers/dealers, travel and passenger transport service providers, car rental companies, advertising agencies, photographers, insurance companies, third-party debtors in the event of wage and salary garnishment, insolvency administrators in the event of personal insolvency

Transfer to third countries (Art. 13 para. 1f GDPR)
Data may be transferred to Switzerland, Singapore and China to affiliated companies and consultants as well as to other third countries (e.g. if customers are located outside the EU and Switzerland).

Storage period in accordance with statutory retention obligations (Art. 13 para. 2 a GDPR)
Personal data is deleted 3 years after the employee leaves the company. Documents relevant to remuneration are stored for 10 years for tax law reasons. In the case of documents that establish a pension entitlement, we are obliged to keep these for 30 years.

Existence of a necessity to provide personal data (Art. 13 para. 2 e GDPR)
The data collected is necessary for the conclusion and maintenance of the employment relationship and for payroll accounting.

General rights of data subjects

Right of access, rectification, erasure, restriction, data portability and objection (Art. 13 (2b) GDPR)
As a data subject, you have the right to access, rectification and erasure of your data and to restriction of processing, as well as the right to data portability, at any time. Please contact the controller using the contact details provided.

Right to object (Art. 21 (1) GDPR)
If your data is processed to protect legitimate interests, you have the right to object to this processing at any time by contacting us using the contact details provided if your particular situation gives rise to reasons that conflict with this data processing. We will then terminate this processing unless it serves overriding interests worthy of protection on our part.

Right of withdrawal (Art. 13 para. 2c GDPR)
If you have consented to the processing of your data, you have the right to revoke this consent at any time for the future. This does not affect the lawfulness of the processing up to the time of revocation. Please contact the controller using the contact details provided.

Right to lodge a complaint (Art. 13 para. 2d GDPR)
As a data subject, you can contact the responsible State Commissioner for Data Protection and Freedom of Information Baden-Württemberg at any time if you have a complaint.

Der Landesbeauftragte für Datenschutz und Informationssicherheit Baden-Württemberg
Lautenschlagerstrasse 20
70173 Stuttgart
Tel.: +49 (0) 711 6155410
E-Mail: poststelle@lfdi.bwl.de

Go back