I. Name and contact details of the controller, as well as of the company’s data protection officer
1. The controller
The controller within the meaning of the GDPR, of other national data protection laws, and of other provisions of a data protection nature, is:
MVZ Labor Dr. Limbach & Kollegen GbR
Im Breitspiel 16, D-69126 Heidelberg
Tel.: +49 6221 3432-0
Fax: +49 6221 3432-8511
2. Data protection officer
The data protection officer of the controller is:
Alkemade IT-Security e.K.
Egerländer Str. 9
Tel.: +49 6002 939593
II. General information on data processing
1. The scope for the processing of personal data
As a matter of principle, we only process the personal data of visitors to our website to the extent necessary to provide a functioning website as well as our content and services.
2. The legal basis for the processing of personal data
Art. 6(1)(a) GDPR serves as the legal basis insofar as the processing of personal data is effected on the basis of the consent of the data subject.
Art. 6(1)(b) GDPR serves as the legal basis insofar as the processing of personal data is necessary for the performance of a contract to which the data subject is party. This also applies to processing that is necessary in order to take steps prior to entering into a contract.
Art. 6(1)(c) GDPR serves as the legal basis insofar as the processing of personal data is necessary for compliance with a legal obligation to which the controller is subject.
Art. 6(1)(d) GDPR serves as the legal basis insofar as processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person.
Art. 6(1)(f) GDPR serves as the legal basis for processing insofar as processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Such interests may not be overridden by the interests or fundamental rights and freedoms of the data subject.
3. Data erasure and duration of storage
The data subject’s personal data will be erased or their processing restricted as soon as the purpose for which they were processed ceases to apply. They may also be processed if the European Parliament or a national legislature has provided for this in EU regulations, in statutes or in other legal provisions to which the controller is subject. Processing will furthermore be restricted or data erased when a storage period prescribed by the aforementioned provisions expires, unless the data still need to be stored prior to entering into or for the performance of a contract.
III. Collection and storage of personal data as well as type and purpose of their use when visiting the website
1. When visiting the website
When you visit our website www.labor-limbach.de, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a “log file”. The following information is collected without your intervention and stored until it is automatically erased:
• the IP address of the requesting computer,
• the date and time of access,
• the name and URL of the retrieved file,
• the website from which access is made (referrer URL),
• the browser used and, if applicable, the operating system of your computer, as well as the name of your access provider.
We process these data for the following purposes:
• to ensure trouble-free connection to the website,
• to ensure convenient use of our website,
• to evaluate system safety and stability, as well as
• for other administrative purposes.
The legal basis for data processing is Art. 6(1), first sentence, (f) GDPR (a legitimate interest). Our legitimate interest arises from the purposes listed above for data collection. Under no circumstances do we use the data collected for the purpose of drawing conclusions as to your identity.
We reserve the right to subsequently verify these data or have them verified should we become aware of concrete indications of unlawful use.
The data are erased as soon as they are no longer needed to achieve the purpose for which they were collected. In the case of the collection of data for the purpose of providing the website, this is the case when the session in question has ended.
If the data are stored in log files, they will be erased after seven days at the latest. They may be stored beyond this period (e.g. for security reasons, such as to clarify acts of misuse or fraud, storage for evidentiary purposes). In this case, the IP addresses of the users will be erased or anonymised so that they can no longer be attributed to the client accessing the site.
The collection of data required to provide the website and the storage of data in log files is absolutely necessary in order to operate the website. Consequently, there is no possibility for the user to object.
IV. Contact form and contact by e-mail
1. Description and scope of data processing
Our website contains a contact form for requesting information material which can be used for establishing electronic contact. If a user makes use of this facility, the data entered in the input mask will be transmitted to us and stored. These data are:
• first name and surname
• e-mail address
• topic/content of the message
The following data will furthermore be stored at the time when the message is sent:
• user’s IP address
• date and time of registration
Alternatively, you can contact us via the e-mail address provided. In this case, the personal data of the user transmitted with the e-mail will be stored.
The data will not be passed on to third parties as part of this process. The data will only be used to process the conversation.
2. The legal basis for data processing
The legal basis for processing the data is the consent of the user within the meaning of Art. 6(1)(a) GDPR.
The legal basis for processing the data transmitted as part of sending an e-mail is furthermore Art. 6(1)(f) GDPR. If the e-mail contact has the purpose of concluding a contract, then the legal basis for processing is additionally Art. 6(1)(b) GDPR.
3. The purpose of data processing
We only process the personal data from the input mask for the purpose of establishing contact. If you contact us by e-mail, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form, and to ensure the security of our information technology systems.
4. Duration of storage
The data are erased as soon as they are no longer needed to achieve the purpose for which they were collected. As concerns the personal data from the input mask in the contact form and the data that were sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation has ended when it can be inferred from the circumstances that the enquiry in question has been conclusively clarified.
The additional personal data collected during the sending process will be erased after a period of seven days at the latest.
5. Possibility of objection and removal
The user has the possibility to revoke his or her consent to the processing of personal data at any time. If the user contacts us by e-mail, he or she can object to the storage of his or her personal data at any time. The conversation cannot be continued in such a case.
A declaration of revocation, alteration, correction and updating of such data may be made in writing, by fax or by e-mail to MVZ Labor Dr. Limbach & Kollegen GbR.
All personal data that were stored in the process of establishing contact will be erased in this case.
Data processing for the purpose of registering for an event takes place in accordance with Art. 6(1), first sentence, (a) GDPR on the basis of your voluntary consent.
V. Use of Google Maps
We integrate the maps provided by the “Google Maps” service of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in order to present geographical information in visual form. When Google Maps is used, Google also processes data on the use of the Maps functions by visitors to the websites. Google may transfer the information obtained via Maps to third parties where required to do so by law, or where such third parties process these data on Google’s behalf. Google will not under any circumstances link your IP address with any other data held by Google. It would nevertheless be technically possible for Google to identify at least individual users on the basis of the data received. Personal data and personality profiles of users of our website might be processed by Google for other purposes that are beyond our control. Further information on data processing by Google is available at www.google.com/policies/privacy/, Opt-Out: adssettings.google.com/authenticated. You can change your individual settings in Google’s Privacy Center, so that your own data can be managed and protected (https://support.google.com/accounts/answer/3024190).
By using this website, you consent to the collection, processing and use of data collected by automated means by Google Inc, its agents and third parties.
You can find the Google Maps Terms of Service at “Google Maps/Google Earth Additional Terms of Service”.
VI. Forwarding of data
Your personal data will not be forwarded to third parties for any other purposes than those stated below.
We only pass your personal data to third parties if:
• you have given your explicit consent to this in accordance with Art. 6(1), first sentence, (a) GDPR,
• their forwarding is necessary in accordance with Art. 6(1), first sentence, (f) GDPR for the purposes of asserting, exercising or defending legal claims and there is no reason to presume that you have an overriding interest which requires protection in your data not being forwarded,
• there is a legal obligation to pass them on in accordance with Article 6(1), first sentence, (c) GDPR, as well as
• this is legally permissible and necessary in accordance with Article 6(1), first sentence, (b) GDPR for the performance of a contract with you.
1. Cooperation with data processors and third parties
Insofar as we disclose data to other persons and companies (data processors or third parties) as part of our processing, transmit them to them or otherwise grant them access to the data, this only takes place on the basis of legal permission (e.g. if the transmission of the data to third parties, such as payment service providers in accordance with Art. 6(1)(b) GDPR, is necessary for the performance of a contract), insofar as you have consented, for compliance with a legal obligation, or on the basis of the legitimate interests pursued by ourselves (e.g. when using agents, web hosts, etc.).
Insofar as we commission data processors with processing data, this will be effected on the basis of Art. 28 GDPR.
2. Transmission to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this is effected as part of the use of the services of third parties or of the disclosure or transfer of data to third parties, this will only be carried out if it is done in performance of our (pre)contractual duties, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permission, we only process the data in a third country or permit such if the special requirements contained in Art. 44 et seqq. GDPR are complied with. This means that processing takes place for example on the basis of special guarantees, such as the officially-recognised determination of a level of data protection corresponding to that of the EU (e.g. for the USA through the “Privacy Shield”), or compliance with officially-recognised special contractual obligations (known as “standard contractual clauses”).
3. Integration of third-party services and content
Within our website, we use, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our website within the meaning of Art. 6(1)(f) GDPR), content or services from third parties in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “Content”).
This is always conditional on the third-party providers of this content being aware of the user’s IP address, as they would not be able to send the content to their browsers without this address. The IP address is therefore required in order to display this content. We make every effort to only use content the respective providers of which use the IP address exclusively in order to deliver the contents. Third-party providers may also use “pixel tags” (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may furthermore be stored in cookies on the user’s device, and may contain amongst other things technical information about the browser and operating system, referring websites, duration of visit and other information about the use of our website, and may be linked to such information from other sources.
4. Web hosting
The hosting services that we use are needed in order to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services which we use for the purpose of operating this online service.
In order to do so, we or our hosting provider process existing master data, contact data, content data, contract data, usage data, meta data and communication data concerning customers, interested parties and visitors to this online service on the basis of our legitimate interest in the efficient and secure provision of this online service in accordance with Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (Conclusion of a contract for processing).
5. Data protection on third-party websites
Information is stored in the cookie which is created in each case in connection with the specific device used. This does not however mean that we immediately become aware of your identity.
Cookies are used firstly to make using our website a better experience for you. For example, we use “session cookies” to recognise that you have already visited specific pages on our website. These cookies are automatically deleted when you leave our site.
In addition, we also use temporary cookies to optimise user-friendliness, and these are stored on your device for a specified period of time. If you come back to our site in order to use our services, it is automatically recognised that you have visited us before, and the entries and settings that you made at that time are recorded so that you do not have to re-enter them.
The data processed by cookies are necessary for the abovementioned purposes in order to safeguard our legitimate interests, as well as those of third parties, in accordance with Art. 6(1), first sentence, (f) GDPR.
Most browsers automatically accept cookies. You can however configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is generated. That said, you may not be able to use all the functions of our website if you deactivate cookies altogether.
VIII. Analysis tools/tracking tools
The tracking measure listed below and used by us is performed on the basis of Art. 6(1), first sentence, (f) GDPR. With this tracking measure, we would like to make sure that our website is designed to meet users’ needs and is continuously optimised. We furthermore use the tracking measure to statistically record the usage of our website and to evaluate it for the purpose of optimising our website for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.
We use the open source software tool Matomo (formerly PIWIK) in order to analyse usage of our website and evaluate it for statistical purposes. Cookies are used for this purpose (see No. 4). The information generated by the cookie about website usage is transmitted to our servers and summarised in pseudonymous usage profiles. The information is used to evaluate the use of the website and to enable our website to be designed according to users’ needs. The information is not passed on to third parties.
Under no circumstances will the IP address be associated with other data relating to the user. The IP addresses are anonymised so that they cannot be traced back (IP masking).
The software is set up so that the complete IP addresses are not stored, but that 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). This means that the truncated IP address can no longer be traced back to the requesting computer.
Art. 6(1)(f) GDPR forms the legal basis for processing users’ personal data.
The data are erased as soon as they are no longer needed for the purposes for which we collected them.
This will take place after three months in our case.
X. Data protection for applications and in the application process
The controller only processes job applicants’ personal data for the purpose of handling the application procedure, and in accordance with the legal requirements. Processing can also take place by electronic means. This is particularly the case if an applicant submits corresponding application documents to the controller by electronic means, for example by e-mail or via a web template on the website.
If the controller concludes an employment contract with an applicant, the data transferred are stored for the purpose of processing the employment relationship in accordance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically erased six months after notification of the rejection decision, insofar as no other legitimate interests of the controller preclude such erasure, or unless the applicant has consented to further processing. Another legitimate interest within this meaning is for example a burden of proof in proceedings in accordance with the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz – AGG). Invoices for any reimbursement of travel expenses are archived in accordance with the stipulations of tax law.
The processing of applicants’ data is carried out in order to fulfil our (pre)contractual obligations within the scope of the application procedure within the meaning of Art. 6(1)(b) GDPR; the application addressed to the controller is made by the applicant on a voluntary basis within the meaning of Art. 6(1)(a) GDPR.
XI. YouTube plugin
Our website uses plugins from the YouTube site operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit one of our pages featuring a YouTube plugin, you will be connected to YouTube’s servers. This will tell the YouTube server which of our pages you have visited.
If you are logged in to your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
1. The legal basis for processing personal data in Social Media plugins
The legal basis for processing data after the user has consented is Art. 6(1)(a) GDPR. Processing is carried out in accordance with Art. 6(1)(f) GDPR in all other cases.
2. The purpose of data processing
We use the processing of personal data from social media plugins to connect our website to social networks such as Facebook, Twitter and Google Plus (opening up social marketing channels), and generate new website visitors as a result. Where social media plug-ins are used, this also constitutes the necessary legitimate interest in processing the data.
3. The duration of storage
The data will be erased as soon as they are no longer needed to achieve the purpose for which we collected them.
4. Possibility of objection and removal
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(a) GDPR.
Further information on the data protection of the individual providers can be found in their respective Privacy Policies. Please follow the respective links under the provider names above.
XII. Your rights as a data subject
You have the right to request from us:
• in accordance with Art. 15 GDPR information about the personal data concerning you being processed by ourselves. In particular, you have a right to information on the purposes of the processing, the category of personal data, the categories of recipient to whom your data have been or will be disclosed, the envisaged period for which the data will be stored, the existence of the right to request rectification or erasure, or restriction of processing by the controller, or to object to processing, the existence of the right to lodge a complaint, the data source in cases where these are not collected by us, as well as the existence of automated decision-making, including profiling, and conclusive information about their details;
• in accordance with Art. 16 GDPR without undue delay the rectification or completion of inaccurate personal data concerning you stored by ourselves;
• in accordance with Art. 17 GDPR the erasure of personal data stored by ourselves, unless processing is necessary in order to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest, or to assert, exercise or defend legal claims;
• in accordance with Art. 18 GDPR the restriction of processing of your personal data, insofar as the accuracy of the personal data is contested by you, the processing is unlawful but you oppose their erasure and we no longer need the data, but they are required by you for the assertion, exercise or defence of legal claims or you have lodged an objection to processing in accordance with Art. 21 GDPR;
• in accordance with Art. 20 GDPR your personal data which you have provided to us in a structured, commonly used and machine-readable format or to have them transmitted to another controller;
• in accordance with Art. 7(3) GDPR to withdraw your consent at any time. The consequence of this is that, for the future, we are no longer allowed to continue the data processing that was based on this consent, and
• in accordance with Art. 77 GDPR the right to lodge a complaint with a supervisory authority. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority with which the complaint has been lodged is to inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.
The controller’s supervisory authority responsible for data protection is:
Baden-Württemberg Commissioner for the Protection of Data and Freedom of Information