Privacy statement (information obligations in accordance with Art 13 GDPR)

We believe that data protection should be transparent, intelligible and, most importantly, fair to all parties. The aim of this privacy statement is therefore on the one hand to inform you which of your personal data we collect and use, whether these data may be disclosed to third parties and, if so, to which, how long we store your data and what rights you have if you have any objection to our reasonable use of your data. If you still have any questions after you have read this comprehensive privacy statement, please do not hesitate to contact us using the contact details below.

Definitions
The following definitions are to ensure that we have the same understanding of the terms. In this way, all parties will know what we mean in this statement.

Personal data: This is all information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing: This means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements is called profiling.

Pseudonymisation: Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller: This is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Recipient: Any natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party: This is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent: This means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

1. Name and contact details of the controller

The controller for the data processing is

Medical Helpline Worldwide GmbH
Am Speicher XI 11
28217 Bremen
Germany

You can contact us by post, by email at info@medical-helpline.com or by telephone on +49 4 21 / 222 27 - 0.

2. Data protection officer

You can contact our data protection officer using the following contact details:

IT-Kanzlei Lutz
Stefan Lutz, LL.M.
IT Lawyer
Borgfelder Landstr. 2
28357 Bremen
Germany
Tel.: +49 421/322889-0
Email: info@hb-law.de
Website: www.hb-law.de

3. Collection of personal data during use for information purposes

If you use our website purely for information purposes, i.e. you do not register or send any further information to us, we shall only collect the personal data that your browser transfers to our server. If you wish to access our website, we collect the following data that is technically necessary for us in order to present our website to you and to guarantee stability and security (the legal basis for this is sentence 1 of Art. 6 (1) (f) GDPR):

  • IP address
  • Date and time of access
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific site)
  • Access status / HTTP status code
  • Website the request has come from
  • Browser
  • Operating system and interface
  • Language and version of the browser software.

4. Use of cookies

(1) Moreover, by using this website, cookies will be stored on your computer. Cookies are small text files that are stored and assigned to the browser you have used on your hard drive and via which information is provided to the entity that places the cookie (i.e. us in this case). Cookies cannot execute programs or transfer viruses to your computer. They serve to make the website generally more user-friendly and effective.
We place cookies so that we can identify you if you visit our site again if you have an account with us. Otherwise, you would have to log in again each time you visit the site.

a) This website uses the following types of cookies the scope and functionality of which are described below:

  • Transient cookies (see b)
  • Persistent cookies (see c)

b) Transient cookies are automatically deleted when you close your browser. These particularly include session cookies. These store a so-called session ID, which is used to assign your browser’s various requests to a joint session. This allows your computer to be recognised if you return to our website. Session cookies are deleted if you log out or close the browser.
c) Persistent cookies are deleted automatically after a specific period, which varies depending on the type of cookie. You can delete cookies in your browser's security settings at any time.
d) You can configure your browser settings as you wish and e.g. refuse third party cookies or all cookies. Please note that you may not be able to use all functions of this website.

(2) This stored information is stored separately from any other data you have provided to us. In particular, the cookie data is not linked to your other data.

(3) You can object to this data processing at any time with future effect.

5. Use of our website's functions

(1) In addition to using our website for purely informative purposes, we also offer various services that you can use if you are interested. You will usually need to provide additional personal data for this, which we use in order to provide the respective service. If other details are optional, these are identified accordingly.

(2) When contacting us by email or using the contact form, we will store your email address and, if you have provided it, your name and your telephone number so that we can answer your questions.

6. Using the online application form

(1) If you wish to apply for our product online, you need to provide your personal data that we require in order to process your application in order for the contract to be concluded. The details required for this are marked separately; any other details are voluntary. We process the data you have provided in order to process your application. We may also disclose your payment details to our bank or other payment service provider. The legal basis for this is the first sentence of Art 6 (1) (b) GDPR.

A customer account will be created that you can use e.g. to store and release medical data. You can object to the storage of data at any time.

If you have given us your consent, we may also process the data you have provided in order to inform you about further products in our range that may be of interest to you or to send you emails containing technical information.

(2) We are obliged to store your address, payment details and order details for a period of ten years on the basis of commercial law and tax law provisions.

(3) In order to prevent unauthorised third parties from accessing your data, particularly financial and medical data, the ordering process is encrypted using TLS technology.

7. Transfer of data to third parties

(1) We will only disclose your data to third parties if we offer special offers, competitions or the joint conclusion of contracts with a third party provider. In this case, you will be informed specifically about the transfer to third parties before the disclosure of your data.
If you are a dive card professional / professional indemnity customer and have provided your PADI membership number, we disclose data to PADI that are necessary for you to obtain an active teaching status. This information is: Your forename and surname, your date of birth, your customer number and the term of your contract.
If you have concluded a contract via one of our business partners, we shall provide the latter with data in order to check their invoicing. This information is: Your forename and surname, the type of contract and the term of your contract.

2) We sometimes use external providers to process your data. We select these external providers carefully and appoint them in writing. These are bound by our instructions and we review them on a regular basis. The service providers shall not disclose these data to third parties. If these service providers are located in the USA, we shall inform you of this together with their respective functions. This data processing shall also take place in accordance with the applicable legal position.

7.1. Use of Matomo

(1) This website uses the web analytics service Matomo in order to analyse and regularly improve the use of our website. Using these statistics, we can improve our offer and make it more interesting for you as a user. The legal basis for the use of Matomo is the first sentence of Art 6 (1) (f) GDPR.

(2) Cookies (see Clause 3 for more details) are stored on your computer for this analysis. The controller shall only store the information obtained in this way on their server in Germany.
You can stop the analysis by deleting available cookies and preventing the storage of cookies. If you prevent the storage of cookies, please note that you may not be able to use all the features of this website. It is possible to prevent the storage of cookies using the settings in your browser. You can also prevent the use of Matomo by unchecking the following box, thus activating the opt-out plugin:

(3) This website uses Matomo with the extension “anonymizeIP”. This allows IP addresses to be processed in an abbreviated form in order to exclude any direct association to a specific person. The IP address sent from your browser using Matomo will not be consolidated with any other data collected by us.

(4) The program Matomo is an open source project. You can find information from the third party provider about data protection at http://Matomo.org/privacy/policy.

7.2. Use of social media plugins

(1) We currently use the following social media plugins: Facebook

We use the so-called two click solution for this. This means that when you visit our site, no personal data are initially sent to the plugin provider. You will recognise the plugin provider by the logo or the information that is shown when the cursor is hovered above it. The button enables you to communicate directly with the plugin provider. The plugin provider only obtains information that you have accessed the respective page of our respective website if you click on the highlighted field and thereby activate it. The data specified at Clause 3 of this statement are also transferred. In the case of Facebook and Xing, the IP address is anonymised immediately after collection according to the respective providers in Germany. By activating the plugin, your personal data are therefore transferred to the respective plugin provider and stored there (in the USA for American providers). As the plug-in provider particularly collects data using cookies, we recommend that you delete all cookies using your browser’s security settings before clicking on the greyed out box.

(2) We do not have any influence on the collected data and data processing procedures, nor do we have any knowledge regarding the full scope of the data collection, the purposes for processing or the storage periods. We also have no information regarding the plugin provider’s erasure of the collected data.

(3) The plugin provider stores the data about you it has collected as a user profile and uses this for the purposes of advertising, market research and / or the needs-oriented design of its website. This sort of evaluation particularly takes place (even for users who aren’t logged in) in order to present targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of this user profile; you need to contact the respective plugin provider to exercise this right. We use plugins to offer you the opportunity to interact with the social networks and other users in order to enable us to improve our offer and to present ourself in a more interesting way for you as a user. The legal basis for the use of plugins is the first sentence of Art 6 (1) (f) GDPR.

(4) Data are transferred irrespective of whether you have an account with the plugin provider and are logged in to such account. If you are logged in with the plugin provider, the data that we have collected concerning you shall be assigned directly to your existing account with the plugin provider. If you click on the activation button and e.g. link the websites, the plugin provider shall also store this information in your user account and publicly share this with your contacts. We recommend that you log out regularly after using a social network, particularly before activating the button, so that you can avoid any assignment to your profile by the plugin provider.

(5) You can find further information regarding the purpose and scope of the data collection and processing by the plugin provider in the provider's privacy statement mentioned below. Here, you can also find further information regarding your rights in this regard and the settings options for protecting your privacy.

(6) Addresses of the respective plugin providers and URLs for their privacy statements:

a)Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook is subject to the EU-US privacy shield, https://www.privacyshield.gov/EU-US-Framework.

8. Recipients or categories of recipients

If we disclose your personal data to third parties, you will be explicitly informed of this in the description of the respective data processing (e.g. when using our contact form). Of course, we also use external service providers for the technical and organisational processing for which we have concluded appropriate order processing contracts within the meaning of Art 28 GDPR (§ 11 of the German Federal Data Protection Act (BDSG) until 25.5.2018). These include e.g. service providers for web hosting, sending emails and post, the maintenance and servicing of our IT systems etc.

9. Your rights

This section provides you with detailed information about the rights to which you are entitled.

9.1. Right to information

You have the right to obtain information from us at any time as to whether we process personal data concerning you. In this case, you have the right to be informed of the information specified in the second half of Art 15 (1) GDPR.

You have the right to be informed whether personal data concerning you are transferred to a third country or to an international organisation. If this is the case, you can request to be informed of the appropriate safeguards pursuant to Art 46 GDPR relating to the transfer.

9.2. Right to rectification

In accordance with Art 16 GDPR, you also have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

9.3. Right to erasure (‘right to be forgotten’)

You also have the right to request that we erase personal data concerning you without undue delay. We are obliged to comply with this request and to erase personal data unless we are obliged or entitled to continue to process your data. Please refer to Art 17 GDPR for more details on this.

9.4. Right to restriction of processing

You have the right to request from us restriction of processing if the statutory prerequisites in accordance with Article 18 GDPR are met.

9.5. Right to be informed

In accordance with Art 19 GDPR, you have the right to request rectification, erasure or restriction of processing. We are obliged to communicate this rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed unless this proves impossible or involves disproportionate effort.
You have the right to be informed by us about these recipients.

9.6. Right to Data Portability

If we process your data with your consent or on the basis of a contract, you have the right to receive the data concerning you in a structured, commonly used and machine-readable format. You also have the right to transfer these data to another controller if the statutory prerequisites in accordance with Art 20 GDPR are met.

9.7. Right to object

Right to object in individual cases
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art 6(1) GDPR, including profiling based on those provisions.

We shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Right to object to the processing of data for direct marketing purposes
If your personal data are processed for direct marketing purposes, you shall have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

9.8. Right to withdraw the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. If you withdraw consent, the lawfulness of the processing based on consent before its withdrawal shall not be affected.

9.9. Automated decision-making in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

a) is necessary for entering into, or performance of, a contract between you and the data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests;
c) or is based on your explicit consent.

In any event, these decisions shall not be based on special categories of personal data referred to in Article 9 (1) GDPR, unless point (a) or (g) of Article 9 (2) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In relation to the cases referred to in points (a) and (c), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

9.10. Right of complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art 78 GDPR.

Our competent supervisory authority is:

Die Landesbeauftragte für Datenschutz und Informationsfreiheit
(State Commissioner for Data Protection and Freedom of Information)
Arndtstraße 1
27570 Bremerhaven
Germany
Tel.: +49 421 3612010 or +49 471 5962010
Fax: +49 421 49618495
Email: office@datenschutz.bremen.de

10.    Legal bases for processing

Unless specified for the individual types of processing in the above clauses, the legal bases according to which we process data are set out below.

Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) is the legal basis if we have obtained consent from the data subject for processing operations with personal data.
Article 6 (1) (b) GDPR is the legal basis when processing personal data is necessary for the performance of a contract to which the data subject is party. This also applies to processing operations that are necessary in order to take steps prior to entering into a contract.

Article 6 (1) (c) GDPR is the legal basis if the processing of personal data is necessary for compliance with a legal obligation to which our company is subject.
Article 6 (1) (d) GDPR is the legal basis if processing personal data is necessary due to the vital interests of the data subject or of another natural person.

Article 6 (1) (f) GDPR is the legal basis for processing if processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject.

11.    Term of storage of personal data

The data subject’s personal data shall be erased or blocked as soon as the reason for storage lapses. The data may continue to be stored if this is provided in European or national statutes in EU Regulations, laws or other provisions to which the controller is subject. Data shall also be blocked or erased if the storage period set out in the above standards lapses unless further storage of the data is necessary in order to conclude a contract or to perform a contract.