With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Controller (Art. 4 (7) of the EU General Data Protection Regulation (GDPR)):
altona Diagnostics GmbH
+49 40 548 06 76 – 0
+49 40 548 06 76 – 10
Owners, executives, managing directors or other leaders appointed by law or through the company:
Dr. Markus Heß
Dr. Ulrich Spengler
Information about the Collection of Personal Data
- The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is altona Diagnostics GmbH (see our legal notice and below). You can reach our data protection officers at firstname.lastname@example.org or by using our postal address with the addition of “The Data Protection Officer”.
- If you contact us by e-mail or through the contact form (https://www.altona-diagnostics.com/en/contact/contact-form.html), the data communicated by you (your e-mail address, where applicable your name and phone number) is stored by us to individually respond to your questions. We delete the data arising in this regard once its storage is no longer required, or we restrict its processing if there are statutory retention requirements. The legal bases for data processing are Art. 6 (1) 1 a GDPR and Art. 7 GDPR where your consent is granted and Art. 6 (1) 1 f GDPR after your consent is withdrawn. On the basis of our legitimate interests, we may store contact inquiries for up to three years and six months before deleting them in order to prove prior granted consent or business contact. The processing of this data is restricted to the purpose of a possible defence against claims. An individual request for erasure is possible at any time provided that the prior existence of consent or contact is confirmed at the same time. The aforementioned data is stored on the basis of our legitimate interests pursuant to Art. 6 (1) 1 f GDPR.
Provided that you have expressly granted consent pursuant to Art. 6 (1) 1 a GDPR, we will use your e-mail address to send you our newsletter on a regular basis or include you in an e-mail address list (for press releases, for example). The specification of an e-mail address is sufficient for the receipt of a newsletter or any other mass e-mail. For proof of consent, we must fully document the specific declaration of consent. If a declaration of consent is conveyed electronically, it must be stored and held available to print out at any time. In this regard, we save the data conveyed when you register for the newsletter and the confirmation of the confirmation link. The registration process is logged on the basis of our legitimate interests pursuant to Art. 6 (1) 1 f GDPR.
You can unsubscribe at any time, for example using a link at the end of each newsletter or mass e-mail or by responding to the e-mail. Alternatively, you can also send your request to unsubscribe to email@example.com by e-mail at any time.
On the basis of our legitimate interests, we may store submitted e-mail addresses for the purpose of dispatching newsletters for up to three years and six months before deleting them, in order to prove prior granted consent or business contact. The processing of this data is restricted to the purpose of a possible defence against claims. An individual request for erasure is possible at any time provided that the prior existence of consent is confirmed at the same time. The aforementioned data is stored on the basis of our legitimate interests pursuant to Art. 6 (1) 1 f GDPR.
- If we use commissioned service providers for individual features of our website or wish to use your data for promotional purposes, we will provide you with detailed information about the processes in question below. In doing so, we will also state the specified criteria for the storage duration.
- You have the following rights with regard to us and the personal data concerning you:
– Right of access (Art. 15 GDPR)
– Right to rectification or erasure (Art. 16, 17 GDPR)
– Right to restriction of processing (Art. 18 GDPR)
– Right to object to processing (Art. 21 GDPR)
– Right to data portability (Art. 20 GDPR)
- You also have the right to lodge a complaint with a supervisory authority for data protection in relation to the processing of your personal data by us (Art. 77 GDPR).
- You have the right to withdraw prior granted consent pursuant to Art. 7 (3) GDPR with effect for the future.
- You can object to the future processing of data concerning you at any time pursuant to Art. 21 GDPR. In particular, you can object to processing for the purpose of direct marketing.
Collection of Personal Data while Visiting Our Website
- If you merely use the website for information (that is, if you do not register or communicate information to us in any other way), we collect only the personal data that your browser communicates to our servers or to those of our hosting providers (see section 8). When you request to view our website, we collect the following data that we require from a technical perspective to display our website for you and ensure stability and security (the legal basis is Art. 6 (1) 1 f GDPR):
– IP address
– Date and time of the request
– Time zone difference to Greenwich Mean Time (GMT)
– The content of the request (the specific page)
– Access status/HTTP status code
– The amount of data transmitted in each case
– Website from which the request arrives
– Operating system and its interface
– Language and version of the browser software
The aforementioned information is stored for a maximum duration of seven days for the stated purposes and then erased. Data that must be stored for longer for evidential purposes is excluded from the erasure until the final clarification of the incident in question.
- In addition to the data mentioned above, cookies are stored on your computer when you use our website. Cookies are small text files that are assigned to the browser that you use, stored on your hard drive and used to supply the entity that sets the cookie (which is us in this case) with certain information. Cookies cannot run programmes or transmit viruses to your computer. They are used to make our online content more user-friendly and effective overall.
- a) This website uses the following types of cookies (you can also find information about their scope and how they work below):
– Transient cookies (see b)
– Persistent cookies (see c).
- b) Transient cookies are deleted automatically when you close the browser. In particular, they include session cookies. These cookies store a “session ID” that is used to assign various requests from your browser to the collective session. As a result, your computer can be identified again when you return to our website. The session cookies are deleted when you log out or close the browser.
- c) Persistent cookies are deleted automatically after a predefined time period, which can differ depending on the cookie. You can delete the cookies at any time in your browser security settings.
- d) You can adapt your browser settings to your requirements and, for example, refuse to accept third party cookies or all cookies. Please note that you then may not be able to use all the features of this website.
- e) The flash cookies used are not registered by your browser, but by your flash plug-in. In addition, we use HTML5 storage objects that are stored on your end device. These objects store the necessary data regardless of the browser that you use and do not have an automatic expiry date. If you do not want processing by flash cookies, you must install an appropriate add-on (for example, “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/en-GB/firefox/addon/betterprivacy/) or the Adobe Flash Killer Cookie for Google Chrome). You can prevent the use of HTML5 storage objects by using private mode in your browser. Furthermore, we recommend that you delete your cookies and the browser history manually on a regular basis.
Working with Contract Processors and Third Parties
- Insofar as we disclose data to other individuals and companies (contract processors or third parties), pass the data on to them, or grant them access to the data in any other way within the context of our data processing, this is done only on the basis of legal permission (for example, pursuant to Art. 6 (1) b GDPR for the fulfilment of a contract), if you have granted consent, if this is required due to a legal obligation, or on the basis of our legitimate interests (for example, when using authorised representatives, web hosting providers, and so on).
- Insofar as we commission third parties with the processing of data on the basis of a “contract data processing agreement”, this is done on the basis of Art. 28 GDPR.
Transfers to Third Countries
Insofar as we process data in a third country (that is, outside of the European Union (EU) or the European Economic Area (EEA)) or insofar as this happens within the context of using the services of third parties or the disclosure or transfer of data to third parties, this is done solely to fulfil our (pre)contractual obligations, on the basis of your consent, due to a statutory obligation, or on the basis of our legitimate interests. Conditional upon statutory or contractual permissions, we process data or have it processed in third countries only where the special requirements of Art. 44 ff. GDPR are met. Processing therefore takes place, for example, on the basis of special guarantees such as an officially recognised declaration of a data protection level equivalent to that of the EU (for example, through the “Privacy Shield” for the USA) or the observance of officially recognised special contractual obligations (“standard contractual clauses”).
Erasure of Data
- Pursuant to the legal requirements in Germany, the data is retained in particular for 6 years as per § 257 (1) HGB (the German commercial code) (regarding account books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, and so on) and for 10 years as per § 147 (1) AO (the German fiscal code) (regarding books, records, status reports, accounting documents, commercial and business letters, documents relevant for taxation, and so on).
- Insofar as specific incidents could result in civil claims against us, the data is retained up to the expiry of the limitation periods, taking any suspensions of limitation periods into account, which is therefore generally for ten years plus six months.
We also process contractual data (for example, the subject matter of the contract, term, customer category) and payment data (for example, bank details, payment history) from our customers, interested parties and business partners for the purpose of fulfilling contractual services, customer service and care, marketing, advertising and market research.
We use hosting services to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we use for the purpose of operating our online content.
Fulfilment of Contractual Services
- We process user data (for example, the names, address and contact details of users) and contract data (for example, services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 (1) b GDPR. The entries marked as mandatory in online forms are required to initiate the conclusion of a contract.
- The data is erased once statutory guarantee obligations and comparable obligations have expired. The need to retain the data is checked every three years; in the case of statutory archiving obligations, the erasure is carried out once they expire.
Administration, Financial Accounting, Office Organisation, Contact Management
- We process data as part of our management duties such as the organization of our company, financial accounting and compliance with statutory provisions (for example, archiving). In doing so, we process the same data that we process while fulfilling our contractual services. The bases for processing are Art. 6 (1) c GDPR and Art. 6 (1) f GDPR. The data processed relates to customers, interested parties, business partners and website visitors. The purpose of and our interest in the processing concerns administration, financial accounting, office organization and data archiving; that is, tasks that serve to maintain our business, perform our duties and provide our services. The erasure of data in relation to contractual services and contractual communication equates to the information specified in these processing activities.
- In this case, we disclose or convey data to the fiscal authority, consultants such as tax advisors or auditors and other billing offices and payment service providers.
- Furthermore, we store information about suppliers, event organisers and other business partners (to make later contact, for example) on the basis of our business interests. We generally store this data, the majority of which is company-related, permanently.
Business Analysis and Market Research
- To run our business economically and identify market trends and customer and user requirements, we analyse the data available to us relating to business transactions, contracts and inquiries and data from Google Analytics analysis, and so on. In doing so, we process user data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 (1) f GDPR, and the individuals affected include customers, interested parties, business partners and visitors and users of the website.
- The analyses are carried out for the purposes of economic assessments, marketing and market research. The analyses help us to increase user-friendliness, optimise our website and operate efficiently. The analyses are solely for us and are not disclosed externally unless they are anonymised with summarised values.
Insofar as these analyses relate to individuals, they are erased or anonymised at the end of the business relationship or two years after the conclusion of a contract. Otherwise, the overall business analyses and general trend provisions are compiled anonymously wherever possible.
Information on Data Protection in the Application Process
- Data from applicants is processed only for the purpose and within the context of the application process pursuant to the statutory provisions. Processing is performed to fulfil our (pre)contractual obligations as part of the application process within the meaning of Art. 6 (1) b GDPR and Art. 6 (1) f GDPR, insofar as the data processing is required by us as part of legal procedures, for example (§ 26 BDSG, the German federal data protection act).
- The application process requires that applicants convey applicant data to us. The applicant data required is highlighted, insofar as we provide an online form; otherwise, it is based on the job descriptions. Such data generally includes information about the person, postal and contact addresses and the documents belonging to the application, such as cover letters, curriculum vitae and references. Furthermore, applicants may freely disclose additional information to us.
- Insofar as special categories of personal data as defined in Art. 9 (1) GDPR (for example, ethnic origin or data concerning health such as a severe disability) are freely disclosed as part of the application process, they shall be processed additionally pursuant to Art. 9 (2) b GDPR.
- If available, applicants can send their applications to us using an online form on our website. The data is encrypted using the latest technology and transmitted to us.
- In addition, applicants can send their applications to us by e-mail. In doing so, however, we ask you to note that e-mails are generally not encrypted when sent and the applicant himself or herself must provide the encryption. As a result, we cannot accept any responsibility for the transmission of the application between leaving the sender and its receipt on our server and therefore recommend using the online form where available or the postal service. The applicant continues to have the option of submitting the application to us by post instead of applying through the online form, if provided, or e-mail. Finally, data can be sent as an encrypted attachment to an unencrypted e-mail, and the password required to open the attachment can be disclosed by other means.
- In the event of a successful application, the data provided by the applicant may be further processed by us for the purposes of the employment relationship. Otherwise, applicant data is erased if the application for a vacancy is unsuccessful. The applicant data is also erased if an application is withdrawn, which the applicant is entitled to do at any time.
- Unless the applicants legitimately withdraw, the data is erased after a period of six months has passed to ensure that we can respond to any follow-up questions to the application and can meet our duties of proof pursuant to equality law. Invoices related to reimbursement for travel costs are archived in accordance with tax law provisions.
- As part of the application, we give applicants the opportunity to be included in our “Talent Pool” for a period of two years on the basis of their consent as defined in Art. 6 (1) b and Art. 7 GDPR.
- The application documents in the Talent Pool are processed solely within the context of future job postings and employee recruitment and are destroyed once the period passes at the latest. The applicants are informed that their consent to be included in the Talent Pool is voluntary, has no influence on the current application process, and that they can withdraw this consent with effect for the future at any time or can object as defined by Art. 21 GDPR.
- Google is certified under the Privacy Shield agreement and as such provides a guarantee to comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf to analyse the use of our website by users, to compile reports about the activities within this website and to provide us with additional services related to the use of this website and internet usage. In doing so, it may create pseudonymous usage profiles for users from the processed data.
- We use Google Analytics only with IP anonymisation activated. This means that the user IP address is truncated by Google within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.
- Google does not combine the IP address transmitted from the browser of the user with other data. Users can prevent the storage of cookies by configuring the appropriate settings in their browser software; users can also prevent Google from collecting the data generated by the cookie and the data relating to their use of the website and prevent Google from processing this data by downloading and installing the browser plugin available from the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
- The personal data of users is erased or anonymised after 14 months.
On our website, we use maps from the “Google Maps” service from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In particular, the data processed may include user IP addresses and location data, which cannot, however, be collected without the consent of the user (this is usually confirmed in the settings on their mobile devices). The data may be processed in the USA.