Privacy statement of Cival Medtech GmbH
for customers, suppliers, other business partners and interested parties
The following information is intended to give you an overview of the processing of your personal data by us, and your rights under data protection law.
Cival Medtech GmbH
Stockacher Str. 134
78532 Tuttlingen Germany
T 0 74 61 9 65 77 4-0
F 0 74 61 9 65 77 4-89
The contact details for our data protection officer are as follows:
Ms. Ayse Sanverdi
c/o Cival Medtech GmbH
Stockacher Str. 134
Where do we get your personal data from?
In general, the data is collected from you. We should like to point out that we record, store, process, and use the personal data that we collect from suppliers, customers, other business partners, and interested parties – especially names, addresses, phone numbers, email addresses, contact details, customer numbers, and order and delivery details – for the purposes of initiating, establishing, and processing contractual and supply relationships, including for deliveries, payments, and any warranties or product liability.
The personal data collected from you is required for the conclusion and processing of a contract. You are not obliged to provide this data; however, we will not be able to conclude a contract with you unless we have this data.
Purposes and legal bases of the processing
The personal data provided by you is processed in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
On the basis of consent pursuant to Article 6 (1) a) GDPR
Your personal data may be processed if you have given your consent. You may withdraw your consent at any time, effective going forward. Consent granted before the GDPR entered into force may also be withdrawn, however any processing that took place before this will remain unaffected by the withdrawal.
To fulfill contractual obligations pursuant to Article 6 (1) b) GDPR
Data may be processed in order to initiate precontractual measures that precede a contractually regulated business relationship, or to fulfill obligations arising from the contract (order) concluded with you.
Due to legal requirements pursuant to Article 6 (1) c) GDPR
Data may be processed due to legal requirements, or if this is in the public interest (e.g. compliance with retention requirements, proof of compliance with tax consultants’ obligations to notify and inform).
Within the context of a balancing of interests pursuant to Article 6 (1) f) GDPR
Data may be processed in order to safeguard our legitimate interests. It may be necessary to process the data provided by you beyond the actual fulfillment of the contract. Our legitimate interest may be used to justify the further processing of the data you have provided, unless your interests or fundamental rights and freedoms outweigh this.
In individual cases, our legitimate interest may include: the execution of your order, the transmission of documents to third parties (certification company, authorities etc.),
the assertion of legal claims, the defense against liability claims, or the prevention of criminal acts.
Who receives the personal data provided by you?
Within our company, access to the personal data provided to you is given to the areas that require this in order to fulfill their contractual and legal obligations and that are entitled to process this data.
In fulfillment of the contract (order) concluded with you, the data provided by you will only be passed on to bodies that require it for legal reasons, for example the tax authorities or other public authorities;
We pass on personal data to third parties within the scope of contractual and delivery relationships, for example to the banks/payment service providers handling payments, the transport/shipping companies handling deliveries, customs agency, notary, competent Chamber of Industry and Commerce, and insurance companies;
In providing our services, we engage processors who contribute to the fulfillment of our contractual obligations, e.g. IT service providers, document shredders, tax advisors, etc. These processors are contractually obliged by us to maintain confidentiality and comply with the requirements of the GDPR and the BDSG.
Is the data provided by you transmitted to third countries or international organizations?
Data is transferred to a third country outside the European Union, which is also not a signatory state to the Agreement on the European Economic Area only if this data transfer is necessary for the fulfillment of an existing contract between us (for example: delivery to a third country).
Does automated decision making – including profiling – take place?
No fully-automated decision making (including profiling) is used to process the data provided by you, pursuant to Article 22 GDPR.
Duration of the processing (deletion criteria)
The data provided by you is processed for as long as is necessary to achieve the contractually agreed purpose; generally for as long as our contractual relationship with you exists. After the termination of the contractual relationship, the data provided by you is processed in order to comply with statutory retention obligations or based on our legitimate interests. After the expiration of the statutory retention periods and/or after our legitimate interests cease to apply, the data provided by you will be deleted.
Anticipated time limits of the retention periods relevant to us and of our legitimate interests:
Compliance with retention periods imposed under commercial and tax legislation and rules of professional conduct. The periods for retention and/or documentation prescribed therein are two to ten years.
Information about your rights
- Right to information pursuant to Article 15 GDPR:
You have the right, upon request, to obtain information free of charge on whether any data is stored about you, what data is stored, and the purpose of storing this data.
- Right to correction pursuant to Article 16 GDPR:
You have the right to demand that the data controller correct any inaccurate personal data concerning you without undue delay. Taking account of the purposes of the processing, you have the right to require any incomplete personal data to be completed, including by means of a supplementary statement.
- Right to deletion ("right to be forgotten") pursuant to Article 17 GDPR:
You have the right to demand that the data controller delete your data without undue delay. The data controller is obliged to delete personal data promptly if one of the following reasons applies:
- Purposes for which the personal data was collected cease to apply
- You withdraw your consent to the processing. There is no other legal basis for the processing.
- You object to the processing. There is no other legal basis for the processing.
- The personal data was processed unlawfully.
- It is necessary to delete the personal data to meet a legal obligation under Union law or the laws of the Member States, to which the data controller is subject.
- The personal data was collected in relation to services offered by an information society pursuant to Article 8 (1) GDPR.
- Right to have the processing restricted pursuant to Article 18 GDPR & Section 35 BDSG:
You have the right to demand that the processing be restricted if one of the following conditions is met:
- You question the accuracy of the personal data.
- The processing is unlawful, but you decline to have it deleted.
- Personal data is no longer needed for the purposes, for which it was being processed, but you need the data in order to assert, exercise, or defend legal claims.
- You have objected to the processing in accordance with Article 21 (1) GDPR. The processing will be restricted for as long as it is not certain whether the data controller’s legitimate interests outweigh yours.
- Right to data portability pursuant to Article 20 GDPR:
You have the right to receive the data provided by you in a structured, common, and machine-readable format from the data controller. We are not permitted to prevent the data being forwarded to another data controller.
- Right to object pursuant to Article 21 GDPR:
Please contact the data controller (see above) in this regard.
- Right to file a complaint with the supervisory authority pursuant to Article 13 (2) d), and Article 77 GDPR, in conjunction with Section 19 BDSG:
If you believe that the processing of your data violates the GDPR, you have the right to file a complaint with the supervisory authority. Please contact the competent supervisory authority in this regard.
- Withdrawal of consent pursuant to Article 7 (3) GDPR:
If the processing is based on your consent pursuant to Article 6 (1) a) or Article 9 (2) a) (processing of special categories of personal data), you are entitled to withdraw the appropriately linked consent at any time without affecting the lawfulness of the processing performed on the basis of the consent up to the date that it was withdrawn.
Last Update: February 2019