Company Information
contact: info@hema.to
Local court München HRB 270276
Managing directors and responsible accord. to §5 Telemedia Act (Telemediengesetz):
Dr. Hannes Lüling & Dr. Christiaan Adrianus Miermans
V.A.T. identification number:
DE348156268
Information about the processing of your personal data (www.hema.to)
Care and transparency are the basis for a trusting cooperation with our customers. Therefore, we inform you about how we process your data and how you can exercise the rights you are entitled to under the General Data Protection Regulation. Which personal data we process and for what purpose depends on the respective contractual relationship.
1. Who is responsible for data processing (Controller)?
The Controller is:
hema.to GmbH
Metzstraße 14B
81667 Munich
2. How do you reach the data protection officer?
Rhenus Office Systems GmbH
Patrick Wellbrock (Patrick.Wellbrock@rhenus.com)
Rhenus-Platz 1
59439 Holzwickede
3. Which of your personal data do we use?
If you have an enquiry, order documents for a haematological analysis or conclude a contract with us, we process your personal data. In addition, we also process your personal data, among other things, to fulfil legal obligations, to protect a legitimate interest or on the basis of consent given by you. Depending on the legal basis, this involves the following categories of personal data:
- First name, last name,
- Address,
- Communication data (telephone, e-mail address),
- Date of birth,
- Contract master data, in particular order number, order date, type of contract,
- Invoice data/sales data,
- Payment details/account information.
4. What are the sources of the data?
We process personal data that we receive from our customers.
5. For what purposes do we process your data and on what legal basis?
- Art. 6 I lit. a GDPR serves us as the legal basis for processing operations in which we obtain consent for a specific processing purpose.
- If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.
- If our company is subject to a legal obligation through which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.
- Processing operations could also be based on Art. 6 I lit. f GDPR if the processing is necessary for the protection of a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, sentence 2 of the GDPR).
- If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.
6. Who will your data be passed on to?
Your personal data will only be disclosed to third parties if this is permitted by law or if you have given your consent.
7. Is your data transferred to countries outside the European Union (so-called third countries)?
We operate our website on servers in data centers located exclusively in Frankfurt am Main (Germany/EU).
We use the Cloudfront content delivery network (CDN) to serve the website globally. This is a service provided by Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210. It makes duplicates of a website's data available on various AWS servers distributed around the world.
These servers located in non-EU countries are only accessed if this website is called up from a network in a non-EU country. This means: If you visit the website from an internet access point in Germany or the EU, the website will be loaded from our servers in Germany / the EU. Only then, if you call up our website from outside the EU, will it be provided by a nearest server outside the EU.
This allows us to achieve faster website load times, greater resilience and increased protection against data loss. Some of the images and files embedded on this website are then loaded from the Cloudfront CDN when the page is called up.
Through this retrieval, information about your use of our website (such as your IP address) is transmitted to Amazon servers in other EU countries and stored there. This happens as soon as you enter our website. The use of Amazon Web Services and the Amazon CDN Cloudfront is in the interest of a higher reliability of the website, increased protection against data loss and a better loading speed of this website. This represents a legitimate interest within the meaning of Art. 6 (1) f GDPR.
To learn more about Amazon Web Services' privacy practices, visit: https://aws.amazon.com/de/data-protection/
The current AWS privacy policy can be found at: https://aws.amazon.com/de/privacy/.
AWS has contractually committed to ensure compliance with the level of data protection applicable in the EU under the EU Standard Contractual Clauses.
8. How long will your data be stored?
We store your personal data as long as it is necessary for the fulfilment of our legal and contractual obligations. If storage of the data is no longer necessary for the fulfilment of contractual or legal obligations, your data will be deleted.
9. What rights do you have in connection with the processing of your data?
As a data subject, you have the following rights:
- in accordance with Art. 15 GDPR the right to request information about your personal data processed by us to the extent specified therein;
- in accordance with Art. 16 GDPR the right to demand the immediate correction of incorrect or completion of your personal data stored by us;
- in accordance with Art. 17 GDPR the right to demand the deletion of your personal data stored by us, insofar as the further processing is not prohibited.
- to exercise the right to freedom of expression and information;
- to fulfil a legal obligation; for reasons of public interest,
- is necessary for the assertion, exercise or defence of legal claims;
- in accordance with Art. 18 GDPR, the right to demand the restriction of the processing of your personal data, insofar as
- the accuracy of the data is disputed by you;
- the processing is unlawful but you object to its erasure;
- we no longer need the data, but you need it for the assertion, exercise or defence of legal claims; or
- you have objected to the processing in accordance with Art. 21 GDPR;
- in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;
- in accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.
To exercise your rights, you can contact the data controller or the data protection officer using the contact details provided or contact customer service: datenschutz@hema.to. We will process your requests promptly and in accordance with the legal requirements and inform you of the measures we have taken.
10. Is there an obligation to provide your personal data?
In order to enter into a business relationship, you must provide us with the personal data that is required for the implementation of the contractual relationship or that we must collect due to legal requirements.
If you do not provide us with this data, then the implementation and processing of the contractual relationship is not possible for us.
11. Data collection by this website
Each time you use our website, we collect the data that your browser automatically transmits to enable you to visit the website. These are in particular:
- Domain name or IP address of the requesting terminal device
- File request of the client (file name and URL)
- HTTP response code
- Date and duration of the visit
- Address of the accessed website and the requesting website
The data processing is necessary to enable the visit of the website and to ensure the permanent functionality and security of our systems. The aforementioned data is also temporarily stored in internal log files for the purposes described above, in order to create statistical information about the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices with which the pages are accessed increases) and to generally maintain our website administratively.
Pursuant to Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed if you provide it to us for the performance of a contract or when opening a customer account. Which data is collected can be seen from the respective input forms. Deletion of your customer account is possible at any time and can be done by sending a message to the above address of the person responsible. We store and use the data provided by you for the purpose of processing the contract. After complete processing of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial law retention periods and deleted after expiry of these periods, unless you have expressly consented to further use of your data or a legally permitted further use of data was reserved by us.
When using these general data and information, we do not draw any conclusions about the data subject.
12. Contact form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent. The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), if this has been requested. The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular retention periods - remain unaffected.
13. Request by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your enquiry including all personal data arising from it (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent. The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested. The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after processing your request has been completed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.
14. Registration on this website
You can register on this website to use additional functions on the site. We use the data entered for this purpose only for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise we will reject the registration. For important changes, for example in the scope of the offer or in the case of technically necessary changes, we will use the e-mail address provided during registration to inform you in this way. The data entered during registration is processed for the purpose of implementing the user relationship established by registration and, if necessary, for initiating further contracts (Art. 6 para. 1 lit. b GDPR). The data collected during registration will be stored by us for as long as you are registered on this website and will then be deleted. Legal retention periods remain unaffected.
15. Changes to this information
If there is a significant change in the purpose or manner in which we process your personal data, we will update this information in a timely manner and notify you of the changes in a timely manner.
16. Data transmission to third parties
Our website also contains services from third-party providers. If you give your consent in the context of our cookie banner, we transfer data to the respective provider to the extent necessary (e.g. your IP address). If you consent to the activation of these services via our cookie banner, it cannot be ruled out that personal data will be transferred to providers in countries outside the European Economic Area ("EEA") which, from the point of view of the European Union (“EU”), do not guarantee an “adequate level of protection” for the processing of personal data in accordance with EU standards. Possible risks that cannot currently be ruled out are in particular:
- Your personal data could possibly be passed on beyond the actual purpose by the third-party providers to other third parties who, for example, use your data for advertising purposes.
- You may not be able to assert or enforce your rights to information against the third-party provider in the long term.
- There may be a higher probability that incorrect data processing may occur, as the technical and organizational measures taken by third-party providers to protect personal data do not fully meet the requirements of the GDPR in terms of quantity and quality.
- The risk of transferring data to the USA lies in the relatively easy access to data by US authorities, as well as the fact that EU citizens would have no effective legal remedies against the far-reaching access powers of US authorities to personal data.
Please take this fact into account before you give your consent and thus enable the transfer of your data.
Further information can be found in our cookie banner.
The same also applies to the social media profiles we operate when you visit our pages on the respective social media provider (LinkedIn).
1. LinkedIn
Our website uses functions of the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company (hereinafter “LinkedIn”), Wilton Plaza, Wilton Place, Dublin 2, Ireland. We are jointly responsible for the processing of data with LinkedIn. The agreement pursuant to Art. 26 GDPR can be found here. The LinkedIn data protection officer can be contacted via the following link. The contact details of our data protection officer can be found in Section II of this Privacy Policy. Personal data is processed and stored on the LinkedIn platform if you do not have a LinkedIn account yourself. Even if you are only a temporary visitor, personal data such as IP address, browser type, operating system, information on previously visited websites, location, mobile phone provider, device used, search terms used and cookie information are processed. LinkedIn also transfers data to third countries, in particular the USA. This data transfer is protected by standard contractual clauses of the EU Commission.
a. Company profile on LinkedIn
We have a LinkedIn company profile. You can regularly access our company profile on the Internet at any time, regardless of whether or not you have created a user account on the corresponding platform. If you are logged into your LinkedIn account, LinkedIn can assign this to your user account. In both cases, however, your data will be processed by LinkedIn. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by LinkedIn. If you post or comment on your data publicly on our LinkedIn profile, it can be viewed by other registered and unregistered visitors to our LinkedIn profile worldwide.
On our LinkedIn company profile, you also have the opportunity to respond to our posts, write comments, create a post on our page yourself or send us private messages. All data you provide in this context will be processed by us. We process your personal data on the basis of our legitimate interest in responding to your request in accordance with Art. 6 para. 1 lit. f GDPR and, if applicable, Art. 6 para. 1 lit. b GDPR if your request is aimed at concluding a contract.
As a rule, we receive the following data from you:
- Information about the user's profile;
- Information that you send us in your message or comment;
- If you have reacted to our post and type of reaction, or you have shared or commented on it;
- Type and manner of interaction.
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected and there are no legal obligations to retain it. For personal data from messages, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
b. Objection options and rights of data subjects
LinkedIn members can also control the use of their personal data for advertising purposes in their account settings. If you are a LinkedIn member and do not want LinkedIn to collect data about you via our website and link it to your membership data stored on LinkedIn, you can log out of LinkedIn before visiting our website.
You can also deactivate cookies here, regardless of your LinkedIn membership: Opt-Out.
As part of the joint responsibility with LinkedIn, you can exercise your data subject rights under Art. 15, 16, 17, 18, 20, 21 GDPR both with LinkedIn and with us. LinkedIn assumes the fulfillment of the obligations under the GDPR for the processing of Insights data, in particular the safeguarding of data subject rights. If you wish to make use of your data subject rights, please contact LinkedIn directly.
Further information on this can be found in LinkedIn's privacy policy.
2. YouTube
Our website uses functions of the YouTube network operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA, which is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you visit one of our pages equipped with a YouTube channel, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited.
If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile.
When you interact with our YouTube channel, we receive the following categories of personal data:
- Your username and other information you have posted on your profile;
- When you subscribe or unsubscribe to our channel;
- Marking a video post with “Like” or “No longer like”;
- Recommend in a post or comment;
- Comment on, share or react to a channel post.
You can prevent this by logging out of your YouTube account. If you are not logged in, we will only receive static data without any personal reference:
- Views of the videos and average duration of video playback;
- The website from which you came;
- Percentage of likes;
- Real-time activity;
- Information on which countries visitors come from,
- Statistics on the age and gender ratio of visitors.
The purpose of processing your personal data is our legitimate interest in offering you interesting videos about our services and the Rhenus world and to make our YouTube presence more attractive (Art. 6 para. 1 lit. f GDPR).
Further information on the handling of user data can be found in YouTube's privacy policy.
Information on how to change your privacy settings at Google can be found at this link.