DATA PRIVACY STATEMENT OF WWW.MDO-SKIN.COM
This data privacy statement describes how we, MDO Cosmetic Dermatology GmbH (“Service Provider”/ “Data Controller”), process the personal data of users of our website www.mdo-skin.com (“Website” / “Webshop”).
Name and contact details of the Service Provider/Controller
MDO Cosmetic Dermatology GmbH
8045 Zurich, Switzerland
Tel.: 0800 58 57 56 55
Email address: firstname.lastname@example.org
Name and contact details of our representative within the EU
MDO Cosmetic Dermatology GmbH
80333 Munich, Germany
Tel.: 0800 58 57 56 55
Email address: email@example.com
Contact details of our data protection officer
Please contact our data protection officer if you have any questions concerning how your personal data are processed:
Dachauer Str. 65
80335 Munich, Germany
Email address: firstname.lastname@example.org
Overview of the processing of personal data
When you visit our Website, we process the following personal data: data that your browser automatically sends to our server when you visit our Website; your first name, surname, your email address, delivery and billing address, payment details and information about your order if you order something from our Webshop; data that you send as part of a customer service enquiry; data that you provide when you register for our newsletter or take part in a competition; and information that we collect using cookies or analysis technologies.
Full details on all types of personal data processed, the purpose of processing in each case and the legal grounds for the processing in question are provided in the sections of this data privacy statement intended for this (see “Comprehensive information on the processing of personal data”) or are provided promptly via explanatory texts displayed before the data is collected. Where legitimate interests are given as the legal grounds, we will, upon request, be pleased to provide you with more detailed information on the balancing of interests.
Personal data may be provided voluntarily by users or collected automatically when this Website is used. Unless indicated otherwise, the provision of all data requested by this Website is obligatory.
Should the user refuse to provide required data, this may mean we are unable to provide the user with this Website’s services. In cases where this Website expressly describes the provision of personal data as voluntary, the user is permitted to opt not to provide the data, without this having any impact on the availability or functionality of the service.
Users who are unclear as to which personal data is obligatory may consult the Service Provider.
Our Website is not intended for children under 13 years of age. No one under age 13 may provide any personal data to us or on the Website. We do not knowingly collect personal information from children under 13.
Recipients; legal grounds and place of data processing; storage term
RECIPIENTS AND CATEGORIES OF RECIPIENTS
In addition to the Controller, other people may, where necessary, have access to the user’s personal data. For example, we send your personal data to suppliers in order to be able to send you orders you have placed in our Webshop. We are also able to share your personal data with government authorities, courts, external consultants and similar third parties to the extent this is legally required or permitted.
Furthermore, processors used by us, such as our hosting provider Amazon Web Services, Inc. or our customer services contractor TELEG AG, are given access to the user’s personal data. In addition, we use the services of Mailchimp to send out email marketing campaigns. The processors are contractually obliged to put in place appropriate technical and organisational measures to protect and secure personal data and to process the personal data only within the scope of our instructions.
The Service Provider may at any time request an up-to-date list of those involved.
OVERVIEW OF THE LEGAL GROUNDS FOR PROCESSING
The Service Provider is only permitted to process users’ personal data if one of the following legal grounds exists:
the user has given their consent for one or more specific purposes;
the data processing is necessary for the performance of a contract with the user and/or for pre-contractual steps taken at the user’s request;
the processing is required for the performance of a legal obligation to which the Service Provider is subject;
the processing is necessary to protect the vital interests of the user or another natural person;
the processing is necessary for the performance of a task which is in the public interest or occurs in the exercise of official authority conferred on the Service Provider;
the processing is required to safeguard the legitimate interests of the Service Provider or a third party, unless these are outweighed by the interests or fundamental rights and freedoms of the user which require the protection of personal data.
More detailed information on the legal grounds relevant in each case is available under “Comprehensive information on the processing of personal data”. In case of ambiguity, the Service Provider will be happy to provide information about the specific legal grounds on which the processing is based, particularly on whether the sharing of personal data is a statutory or contractual obligation or a precondition for conclusion of a contract.
LOCATION/TRANSMISSION OF DATA TO THIRD COUNTRIES
The data are processed at the Service Provider’s establishment and wherever the entities involved in the data processing are located. Some recipients of your personal data are based outside the European Union (EU) or the European Economic Area (EEA), in the USA, for example, where the data privacy laws may offer a different level of protection from the laws of your country and for which no adequacy decision exists on the part of the European Commission. Countries which have an appropriate level of protection in terms of data protection law include Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand and Uruguay. Recipients in the USA can be certified under the EU-U.S. Privacy Shield and hence offer a reasonable level of data protection under data protection law. Where personal data are sent to countries that, from the European point of view, do not have an appropriate level of data protection, transmission occurs on the basis of appropriate guarantees such as the conclusion of EU standard contractual clauses adopted by the European Commission with the recipients, where this is necessary in the particular case. A copy of the relevant measure is available upon request.
Personal data are processed and stored for as long as the purpose for which they were collected requires.
Hence it follows that:
personal data collected for the purposes of contract performance for a contract entered into by the Service Provider and user will be stored until contract completion.
personal data collected to safeguard the legitimate interests of the Service Provider are stored for as long as the fulfilment of that purpose requires.
Furthermore, the Service Provider is permitted to store personal data for a longer period if the user has consented to such processing, provided such consent has not been withdrawn. In addition, the Service Provider may be obliged to retain the personal data for a longer period if this is necessary for the fulfilment of a statutory obligation or on the instructions of an authority. For example, personal data contained in contracts, communications and business correspondence may be subject to statutory retention obligations which may require their retention for up to ten years.
The personal data will be erased upon expiry of the retention period.
Purposes of the processing
Personal data about the user are processed to enable the Service Provider to perform the services offered on this Website. In the following sections of this document users can find further detailed information on such processing purposes, on the personal data used for the particular purpose and on the legal grounds for processing in a particular case.
Comprehensive information on the processing of personal data
Personal data are processed for the following purposes on the basis of the following legal grounds:
VISITS TO OUR WEBSITE
If you visit our Website, your browser automatically sends our server the following user data:
the IP addresses or domain names of the computers of users of this Website, the URI addresses (Uniform Resource Identifiers), the time of the request, the method used to send the request to the server, the size of the response file received, the numeric code indicating the status of the server response (successful results, error etc.), the country of origin, the functions of the user’s browser and operating system, the different dates and times for each request (e.g. how much time was spent on each page of the Website) and information about the pathway followed within an application, particularly the order in which pages were visited, along with other information on the device’s operating system and/or the user’s IT environment.
The processing of this data is technically required in order to enable you to access and browse our Website. The legal grounds for the associated processing of your personal data are our legitimate interests in the provision of an operational Website under Article 6 (1)f) GDPR.
ORDERS IN OUR WEBSHOP
When you place an order in our Webshop, we process the data you provide as part of the order process; i.e., your name, your delivery and billing address, your payment information and information about your order so as to process the order and perform the contract entered into with you. These data are provided voluntarily but orders in our Webshop cannot be fulfilled unless this information is provided. These are considered contractual purposes under Article 6 (1)b) GDPR and constitute the legal grounds for the associated processing of your personal data.
As part of the order process, you also have the option of voluntarily indicating your age; if you do so, we process this information for market analysis purposes. Our legitimate interest, under Article 6 (1)f) GDPR, in being able to analyse the market relevant to us constitutes the legal grounds for such processing.
CONTACTING OUR CUSTOMER SERVICE
You have the option of contacting our customer service via the email address or telephone number provided on our Website should you have questions regarding our products or about an order made in our Webshop. In such case, we process your name, contact details and the information provided in the context of your request in order to respond to your request. The data is provided voluntarily but without processing your data we are unable to respond to your request. The legal grounds for the associated processing of your personal data are, depending on the nature of the request, contractual purposes under Article 6 (1)b) GDPR or a legitimate interest in your request being responded to, under Article 6 (1)f) GDPR.
You can register on our Website to receive our newsletter and will need to provide your email address for this. Registration is voluntary; if you register for the newsletter, we process your email address in order to send out the newsletter. The legal ground for the associated processing of your personal data is your consent under Article 6 (1)a) GDPR.
COMPETITION ENTRY AND CONSENT TO USE FOR PROMOTIONAL PURPOSES
If you register on our Website to participate in a competition, you need to provide your email address for this. Competition entry is voluntary. If you register, we process your data so as to be able to identify and notify you should you win. The legal ground for the associated processing of your personal data is your consent under Article 6 (1)b) GDPR.
In addition, you have the option of consenting to the processing by us of the personal data you have shared with us as part of entering a competition, for promotional purposes. Consent to use for promotional purposes is voluntary; where you give us this, we will process your name and your email address for such promotional purposes. The legal ground for the processing of your personal data for this purpose is your consent under Article 6 (1)a) GDPR.
In addition, where relevant, we may also process your personal data for the purposes of enforcing legal claims. The legal grounds for any such processing of your personal data are our legitimate interests in such enforcement under Article 6 (1)f) GDPR.
Our Website may contain links to other websites, including social media sites, which may have privacy policies that differ from our own. We are not responsible for the collection, use or disclosure of information collected through third-party websites and expressly disclaim any liability related to such collection, use or disclosure. We are not responsible for any information or content contained on such sites. Links to other websites are provided solely as a convenience. Your browsing, use and interaction on any other websites, including websites which have a link to this Website, are subject to that website’s own rules and policies. Please review the data privacy statement posted on any website that you may access through, or which links to this Website.
Please note that if you provide information to us via a social media site or participate in a social media site linked to this Website, you consent to our use of your information for any reason in accordance with this Data Privacy Statement as if it were submitted to us directly via this Website.
Users may exercise certain rights in relation to the data processed by the Service Provider.
Users are entitled to do the following:
Withdraw consent at any time. Where users have previously consented to the processing of personal data, they may withdraw their own consent at any time with future effect. The withdrawal of consent does not affect the legality of the processing which has been done on the basis of the consent up until its withdrawal.
Receive information about their data. Users are entitled at any time to find out whether personal data relating to them are being processed by the Service Provider and, in such case, to receive information about specific aspects of the processing and to receive a copy of the data. This right is not unrestricted, however, as the rights of others may limit the right to receive a copy. The right to information is also restricted under the Federal Data Protection Act, e.g. if the data (a) are only stored because they cannot be erased due to data retention requirements in law or articles of incorporation, or (b) only serve the purposes of data protection or data protection controls, and the provision of information would require disproportionate expense, and processing for other purposes is ruled out by appropriate technical and organisational measures.
Rectification. Users are entitled to request the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, users are entitled to request that incomplete personal data is completed, also by means of a supplementary statement.
Request restriction of processing of their data. Users are entitled, under certain circumstances, to request that the Service Provider restrict the processing of their personal data. In such case, the Service Provider marks the data and processes them only for specific purposes.
Request the erasure of personal data. Users are entitled, under certain circumstances, to request that the Service Provider erase their personal data. The right to erasure does not exist under the Federal Data Protection Act, however, if, due to the particular nature of the storage, erasure is not possible in the case of non-automated data processing or would only be possible at disproportionate expense, and the user’s interest in erasure is considered minor. In such case, erasure will be replaced with a restriction on processing.
Receive their data and transfer the data to a different controller. Users have the right to receive the personal data they have given us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance. This provision applies where the processing is carried out by automated means and the processing is based on the user’s consent pursuant to point (a) of Article 6 (1) GDPR or on a contract with the user pursuant to point (b) of Article 6 (1) GDPR.
Submit complaints. Users have the right to submit a complaint to the competent supervisory authority.
Right to object
In certain circumstances, users are entitled to object at any time to the processing of personal data relating to them on legitimate grounds relating to their particular situation and the Service Provider may be required not to continue to process their personal data.
Where personal data are processed for the purposes of direct marketing, users also have the right to object at any time to the processing of personal data relating to them for the purpose of such direct marketing. This also applies to profiling to the extent that it is related to such direct marketing.
HOW RIGHTS MAY BE EXERCISED
All queries relating to the exercise of user rights may be directed to the Service Provider using the contact details indicated in this document. Requests may be made free of charge and shall be processed by the Service Provider as soon as possible, normally within a month at the latest.
Amendments; definitions of terms
AMENDMENTS TO THIS DATA PRIVACY STATEMENT
The Service Provider reserves the right to amend this data privacy statement at any time by informing its users on the Website and/or, where technically and legally possible, by notifying the users via one of the contact details shared with the Service Provider. Furthermore, users are advised to view this page on a regular basis and when doing so to check the date of the last amendment indicated at the bottom of the page.
Where amendments affect data use based on the user’s consent, the Service Provider will obtain fresh consent where required.
DEFINITIONS OF TERMS
“Personal data” (or “Data”)
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
User
The person using the Website who, unless specified otherwise, corresponds to the data subject.
Data subject
The natural person to whom the personal data relate.
Processor (or data processor)
Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Controller (or Service Provider)
Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Last updated: January 8, 2020