Data Protection Policy
Thank you for your interest in the Data Protection Policy of GHD GesundHeits GmbH Deutschland (GHD), the parent company of the GHD Group. You can generally use the GHD website without stating any personal data. Where a data subject wishes to use particular services of our company through our website, it may be necessary to process personal data for this purpose. Where it is necessary to process personal data and if there is no legal basis for this processing, we shall obtain the consent of the data subject.
Personal data, e.g. the name, address, e-mail address or phone number of a data subject, shall be processed at all times in accordance with the General Data Protection Regulation (GDPR) and the country-specific data protection regulations that apply for GHD. The purpose of this Data Protection Policy is to inform the general public of the type, scope and purpose of the personal data collected, used and processed by us. In addition, this Data Protection Policy serves to inform data subjects of their rights.
GHD, as the controller, has implemented technical and organisational measures to ensure the greatest possible protection of the personal data processed on this website. Nevertheless, there are inherent security risks in transmitting data through the Internet, which makes it impossible to completely safeguard the data. For this reason, every data subject is at liberty to transmit personal data through alternative channels, e.g. by phone.
1. Definitions
The GHD Data Protection Policy is based on the definitions set forth in the EU GDPR. To facilitate the readability and transparency of our Data Protection Policy, we hereby explain the definitions we use as follows:
a) Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A ‘data subject’ is every identified or identifiable natural person whose personal data is processed by the controller.
c) Processing
‘Processing’ means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
‘Restriction of processing’ means the marking of stored personal data with the aim of limiting the processing of such in the future.
e) Profiling
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymisation
‘Pseudonymisation’ means the processing of personal data such that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
‘Recipient’ means a natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
k) Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
2. Name and address of the controller
The controller within the meaning of the GDPR, other data protection laws that apply within the member states of the European Union and other provisions relating to data protection is:
GHD GesundHeits GmbH Deutschland
22926 Ahrensburg, Germany
Tel.: +49 (0)4102 / 51 67-0
Fax: +49 (0)4102 / 51 67-27
3. Contact details of the Data Protection Officer
GHD is a member of the GHD GesundHeits GmbH Deutschland Group. GHD has appointed a company Data Protection Officer pursuant to Art. 37 (2) GDPR. You can contact him/her as follows:
GHD GesundHeits GmbH Deutschland
22926 Ahrensburg, Germany
Tel.: +49 (0)4102 / 5167 0
All data subjects may directly contact our Data Protection Officer at any time with any questions or suggestions relating to data protection.
4. Cookies
By using cookies, GHD can offer the users of this website more user-friendly services, which would not be possible without cookies.
The data subject can prevent cookies from being installed by our website by adjusting the browser settings accordingly at any time; this disables the setting of cookies on a permanent basis. Cookies that have already been installed can be deleted at any time through a browser or other software programme. All common browsers offer this option. Where the data subject refuses to allow cookies to be installed on his/her browser, not all functions of our website may be available in their full capacity.
5. Collection of general data and information
The GHD website collects a range of general data and information each time the website is accessed by a data subject or by an automated system. This general data and information is stored in the server’s log files. The following can be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrers), (4) the sub-web pages on our website retrieved via an accessing system, (5) the date and time the website is accessed, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information used to ward off attacks on our information technology systems.
In its use of this general data and information, GHD draws no conclusions about the data subject. Rather, this information is required to (1) correctly deliver the contents of our website, (2) optimise the content of our website and its advertising, (3) ensure the long-term functioning of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for law enforcement in the event of a cyberattack. GHD thus evaluates the anonymously collected data and information statistically as well as with the aim of enhancing data protection and data security in our company, ultimately to ensure the best possible level of protection for the personal data we process. The anonymous data of the server log files is stored separately from all personal data that a data subject provides.
6. Routine deletion and blocking of personal data
The controller processes and stores the data subject’s personal data only for the period necessary to achieve the purpose of the storage, or insofar as this was provided for by the European issuer of directives or regulations or by any other legislator in laws or regulations which the controller is subject to.
If the purpose of storage no longer applies or if a storage period prescribed by the European issuer of directives and regulations or any other relevant legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
7. Disclosure of Data
Unless it is necessary for the purpose of executing a contract or you have expressly consented, your personal data will not be disclosed to third parties. For example, it may be necessary to share your address and order details with your wholesale partner when ordering products. Where we engage external service providers, they are carefully selected and, in compliance with Art. 28 GDPR, obliged to adhere to all data protection regulations.
8. Rights of the data subject
If a data subject wishes to make use of any of the following rights, they may contact our data protection officer at any time.
a) Right to confirmation
Each data subject has the right, as granted by the European issuer of directives and regulations, to require the controller to confirm whether or not personal data relating to them is being processed. If a data subject wishes to make use of this confirmation right, they may contact our data protection officer at any time.
b) Right to information
Each data subject whose personal data is processed has the right, granted by the European issuer of directives and regulations, to obtain from the controller, free of charge and at any time, information concerning the personal data stored about them and a copy of said information. The European issuer of directives and regulations has also granted the data subject the right to be provided with the following information:
- the processing purposes
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data has been disclosed or is still being disclosed, in particular in case of recipients in third countries or international organisations
- if possible, the planned duration for which the personal data will be stored or, if that is not possible, the criteria for determining that duration
- the existence of a right to correction or deletion of the personal data concerning them or to a restriction of processing by the controller or a right to object to such processing
- the existence of a right of appeal to a supervisory authority
- if the personal data is not collected from the data subject: all available information about the origin of the data
- the existence of automated decision-making, including profiling according to Article 22(1) and (4) of the GDPR and – at least in these cases – conclusive information about the logic and the scope involved and intended impact of such processing on the data subject
In addition, the data subject has a right to information as to whether personal data has been transmitted to a third country or to an international organisation. If that is the case, then the data subject has the right to obtain information about the appropriate guarantees in connection with the data transmission.
If a data subject wishes to make use of this right to information, they may contact our data protection officer at any time.
c) Right to correction
Each data subject whose personal data is processed has the right, granted by the European issuer of directives and regulations, to demand the immediate correction of inaccurate personal data concerning them. The data subject also has the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.
If a data subject wishes to make use of this right to correction, they may contact our data protection officer at any time.
d) Right to deletion (right to be forgotten)
Each data subject whose personal data is processed has the right, granted by the European issuer of directives and regulations, to require the controller to immediately delete the personal data concerning them, provided that one of the following reasons applies and that the processing is not required:
- The personal data has been collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws their consent on which the processing was based in accordance with Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
- The data subject objects to the processing in accordance with Article 21(1) of the GDPR, and there are no legitimate reasons for the processing, or the data subject objects to the processing in accordance with Article 21(2) of the GDPR.
- The personal data was processed unlawfully.
- The deletion of the personal data is necessary to meet a legal obligation according to EU law or the law of Member States to which the controller is subject.
- The personal data was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.
If one of the above reasons applies and a data subject wishes to arrange for the deletion of personal data stored at GHD, they may contact our data protection officer at any time. GHD’s data protection officer will ensure that the request for deletion is met without delay.
If the personal data has been made public by GHD and if our company, as the controller, is responsible for deleting personal data in accordance with Article 17(1) of the GDPR, GHD shall take appropriate measures including technical ones, taking into account the available technology and the implementation costs, in order to inform other data controllers processing the published personal data that the data subject has requested the deletion of all links to such personal data or copies or replications of such personal data from those other data controllers, unless the processing is necessary. GHD’s data protection officer will take the necessary steps in individual cases.
e) Right to restriction of processing
Each data subject whose personal data is processed has the right, granted by the European issuer of directives and regulations, to require the controller to restrict the processing if one of the following conditions applies:
- The accuracy of the personal data is contested by the data subject, and for a period of time that allows the controller to check the accuracy of the personal data.
- The processing is unlawful, the data subject rejects deletion of their personal data and instead requests restriction of the use of their personal data.
- The controller no longer needs the personal data for the purposes of the processing, but the data is needed by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Art. 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
If one of the above preconditions applies and a data subject wishes to limit the storing of personal data by GHD, they may contact our data protection officer at any time. GHD’s data protection officer will arrange for the processing to be limited.
f) Right to data portability
Each data subject whose personal data is processed has the right, granted by the European issuer of directives and regulations, to receive the personal data concerning them provided by the data subject to a controller in a structured, common and machine-readable format. They shall also have the right to transmit such data to another controller without obstruction by the controller to whom the personal data has been made available, provided that the processing is based on the consent provided for in Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and that the processing is carried out using automated procedures, unless the processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller.
In exercising their right to data portability pursuant to Art. 20(1) GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not affect the rights and freedoms of other persons.
To assert the right to data portability, the data subject can contact our data protection officer at any time.
g) Right of objection
Each person affected by the processing of personal data shall have the right, granted by the European legislator of directives and regulations, to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on point (e) or (f) of Art. 6(1) GDPR. This also applies to profiling based on these provisions.
In the event of an objection, GHD shall cease to process the personal data, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if the processing is for the establishment, exercise or defence of legal claims.
Where personal data is processed by GHD for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, GHD will no longer process the personal data for such purposes.
Where personal data is processed by GHD for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, the data subject, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise the right of objection, the data subject can contact our data protection officer directly. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may also exercise their right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
Any data subject shall have the right, granted by the European legislator of directives and regulations, not to be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against them or significantly affects them in a similar manner, provided that the decision is not (1) necessary for the conclusion or performance of a contract between the data subject and the data controller, or (2) is admissible under Union or Member State law to which the data controller is subject and such law takes appropriate measures to safeguard the rights and freedoms and the legitimate interests of the data subject, or (3) occurs with the express consent of the data subject.
If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the data controller, or (2) is taken with the express consent of the data subject, GHD shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a data controller, to state their own position and to challenge the decision.
If the data subject wishes to make use of rights related to automated decision-making, they may contact our data protection officer at any time.
i) Right to revoke consent under data protection law
Each data subject whose personal data is processed has the right, granted by the European issuer of directives and regulations, to revoke consent for the processing of personal data concerning them.
If the data subject wishes to make use of this right to revocation of consent, they may contact our data protection officer at any time.
j) Right to appeal at the responsible regulatory authority
Complaints regarding the processing of your personal data entitle you to appeal to the responsible regulatory authorities. You can contact the data protection authority, which is responsible for your place of residence or your state, or the data protection authority responsible for us, which is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Tel.: +49 (0)431 988-1200
Fax: +49 (0)431 988-1223
9. Data protection regulations on the use and application of Google Analytics (with anonymisation function)
The data controller has integrated the Google Analytics component (with anonymisation function) into this website. Google Analytics is a web analytics service. Web analysis is the collection, compiling and evaluation of data on the behaviour of visitors to Internet sites. A web analysis service collects, among other things, data on the website from which a data subject has accessed a website (so-called referrer), which subpages of the website have been accessed, or how often and for how long a subpage has been viewed. A web analysis is mainly used to optimize a website and for cost-benefit analysis of Internet advertising.
The Google Analytics component is operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data controller uses the suffix “_gat._anonymizeIp” for web analysis via Google Analytics. By means of this addition, Google truncates and anonymizes the IP address of the Internet connection of the data subject when accessing our Internet pages from a member state of the European Union or from another state party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information collected to evaluate the use of our website, among other things to compile online reports for us that show the activities on our website and to provide other services in connection with the use of our website.
Google Analytics places a cookie on the information technology system of the data subject. By setting the cookie, Google is able to analyse the use of our website. Each time one of the individual pages of this website is called up, which is operated by the data controller and into which a Google Analytics component has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the data subject, which enables Google to trace the origin of visitors and clicks and subsequently issue commission statements.
Through the cookie, personal information, for instance access time, location from which the website is accessed and the frequency of visits to our website by the data subject, is stored. With each visit to our websites, those personal data, including the IP address of the Internet connection used by the data subject, are transmitted to Google in the United States of America. Those personal data are stored by Google in the United States of America. Under certain circumstances, Google may forward those personal data collected via the technical process to third parties.
As already described above, the data subject can prevent the placing of cookies by our website at any time via the respective settings of the Internet browser used and thus object long-term to the placing of cookies. Changing the settings of the Internet browser in this manner would also prevent Google from placing a cookie on the information technology system of the data subject. Moreover, a cookie already placed by Google Analytics can be erased at any time via the Internet browser or another software programme.
You can find further information as well as the applicable data protection provisions of Google using the following links: https://policies.google.com/privacy and https://www.google.com/analytics/terms/gb.html. Google Analytics is explained in more detail here: https://www.google.com/intl/de_de/analytics/.
10. Legal basis for the processing
Art. 6(1)(a) GDPR serves as the legal basis for our company for processing operations for which we obtain consent for a specific purpose of the processing. If processing of personal data is necessary for the performance of a contract to which the data subject is party, as for instance in the case of processing operations which are required for the supply of goods or the provision of any other performance or consideration, the processing is based on Art. 6(1)(b) GDPR. The same applies to those processing operations which are necessary for taking steps prior to entering into a contract, for instance in the case of requests regarding our products or services. If our company is subject to a legal obligation which necessitates processing of personal data, for instance the fulfilment of tax obligations, the processing is based on Art. 6(1)(c) GDPR. In rare cases, processing may be necessary in order to protect the vital interests of the data subject or of another natural person. For instance, this would be the case if a visitor to our company were injured and, as a result, his or her name, age, health insurance scheme details or any other vital information needed to be forwarded to a physician, a hospital or another third party. In that case, processing would be based on Art. 6(1)(d) GDPR.
Finally, processing operations could be based on Art. 6(1)(f) GDPR. This legal basis applies to processing operations which are not covered by any of the previous legal bases, when processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests, fundamental rights and freedoms of the data subject. We are allowed to perform such processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, the legislator considered that a legitimate interest could be assumed where the data subject is a client of the controller (recital 47 sentence 2 GDPR).
When processing special categories of personal data (e.g. data regarding health), we generally obtain consent from the data subject pursuant to Art. 9(2)(a) GDPR. If no consent has been given, we base such processing on Art. 9(2)(b) and/or (c): the exercise of the rights of the data subject and controller in the field of social protection law and the protection of vital interests of the data subject.
11. Legitimate interests in the processing which are pursued by the controller or a third party
If processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is the conducting of our business activities for the benefit of all of our employees and shareholders.
12. Data protection in the course of applications and the application process
The controller collects and processes the personal data of the applicants for the purposes of handling the application process. Processing can also be carried out electronically. This is particularly the case where an applicant transmits the respective application documents to the controller electronically, for instance via e-mail or via a web form on the website. If the controller enters into a contract of employment with an applicant, the data transmitted is stored for the purposes of handling the employment relationship with due regard to the statutory provisions. If the controller does not enter into a contract of employment with the applicant, the application documents are erased automatically two months following the notification regarding the rejection of the application, provided that no other legitimate interests of the controller stand in the way of such erasure. An example of a legitimate interest in this sense is a burden of proof in proceedings under the General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz (AGG)).
13. Period for which the personal data will be stored
The criterion for the storage period of personal data is the respective statutory storage period. Once the period expires, the respective data are routinely erased, provided they are no longer necessary for the performance or initiation of a contract.
14. Statutory or contractual provisions regarding the provision of personal data; necessity for the entering into of a contract; obligation of the data subject to provide personal data; potential consequences of failure to provide such data
We would like to inform you that the provision of personal data is partly required by statute (e.g. tax provisions) or can result from contractual provisions (e.g. information about the contracting party).
To enter into a contract, the data subject may occasionally have to provide us with personal data which subsequently needs to be processed by us. For instance, the data subject is obliged to provide us with personal data where our company enters into a contract with that data subject. Failure to provide such personal data would have the consequence that the contract with the data subject cannot be entered into.
Prior to the data subject providing the personal data, the data subject should contact our data protection officer. Our data protection officer will inform the data subject on a case-by-case basis as to whether the provision of personal data is a statutory or contractual requirement, or a requirement for entering into the contract, whether there is an obligation to provide the personal data, and of the consequences of failure to provide such personal data.
15. Existence of automated decision-making
We generally do not use fully automated decision-making pursuant to Art. 22 GDPR to establish and conduct the business relationship. If we use this process on an individual basis, we will inform you separately about it and about your respective rights, provided that this is required by statute.
We process your data in part by automated means with the aim of evaluating certain personal aspects (profiling). For instance, we use profiling in cases where we want to inform you in a targeted manner about products and services. This allows for needs-based communication and marketing, including market research and opinion research.