Privacy policy for the Family Shop

Last updated: 06/11/2025

Guidance

MEDICE Arzneimittel Pütter GmbH (hereinafter referred to as "MEDICE") takes the protection of your personal data very seriously. The following information is intended to give you an overview of how your personal data is processed when you visit and use our Health Family Shop.

An overview of the individual chapters for better orientation can be found here:

  • Preamble – Here you will find a brief overview of the content of the online shop and data protection issues.

  • Contact – How can you contact us quickly and easily?

  • Data processing and storage – Which of your data is stored and processed, how, for what purpose, where, by whom and for how long?

  • Legal basis – On what legal basis do we process your data?

  • Data transfer – Under what conditions do we transfer your data to third parties?

  • Data security – What do we do to protect your data as best as possible?

  • Your rights – Here you will find an overview of all your rights as a data subject.


1. Preamble

When you visit and use our online shop, personal data may be processed. The data protection term "personal data" refers to all information relating to an identified or identifiable person. The IP address can also be such personal data. An IP address is assigned to every device connected to the internet by the internet provider so that it can send and receive data. When you use the online shop, we collect information that you provide yourself. In addition, during your visit to the online shop, we automatically collect certain information about your use of the online shop.

If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain your consent.

As the controller, we have implemented numerous technical and organisational measures to ensure the most complete protection of the personal data processed.

2. Contact

You can contact us directly via the service hotline +49 2371 937-0 or the service email address info[at]medice.de. Our service hours are Monday to Friday (except public holidays) from 7:15 a.m. to 5:30 p.m.

Our staff will process your enquiry within two working days, and at the latest within two weeks, of receiving it.

The controller within the meaning of Art. 4 (7) of the EU General Data Protection Regulation (hereinafter "GDPR"), the Federal Data Protection Act (hereinafter "BDSG") and other data protection regulations is:

MEDICE Arzneimittel Pütter GmbH & Co. KG
Kuhloweg 37
58638 Iserlohn
Telephone: +49 (0)2371 937 0
Email: info[at]medice.de

Authorised representatives:
Dr Katja Pütter-Ammer
Dr Richard Ammer
Dr. rer. nat. Uwe Baumann
Annick Berreur-Igersheim
Eric Neyret

Internal Data Protection Officer:
If you have any questions about our data protection measures, the processing of your data or the protection of your rights as a data subject, you can contact our data protection team as follows:

MEDICE Arzneimittel Pütter GmbH & Co. KG
Data Protection
Kuhloweg 37
58638 Iserlohn
Telephone: +49 (0)2371 937 0
Email: datenschutz[at]medice.de

If you have any confidential concerns regarding data protection, you can contact our data protection officer directly at dsb[at]medice.de.

3. Data processing and storage

The following personal data may be collected and processed when you visit and use our online shop:

3.1 Technology

When you use our online shop for informational purposes only, we collect only those data that are technically necessary to provide the service. These are usually data that your browser transmits to our server (in so-called server log files). Our online shop collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server's log files. The following may be collected:

  1. browser types and versions used,

  2. the operating system used by the accessing system,

  3. the page from which an accessing system reaches our online shop (so-called referrer),

  4. the subpages accessed via an accessing system on our online shop,

  5. the date and time of access to the online shop,

  6. an abbreviated Internet Protocol address (anonymised IP address) and

  7. the Internet service provider of the accessing system.

We do not draw any conclusions about your person when using this general data and information. Rather, this information is required in order to

  1. deliver the content of our online shop correctly,

  2. optimise the content of our online shop and the advertising for it,

  3. ensure the long-term functionality of our IT systems and the technology of our online shop, and

  4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

We therefore evaluate this collected data and information statistically on the one hand and with the aim of increasing data protection and data security in our company on the other, in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from all personal data provided by a data subject.

The legal basis for data processing is Art. 6(1)(f) GDPR. Our legitimate interest arises from the purposes listed above.

3.2 Hosting by Amazon Web Services – AWS

We host our online shop with Amazon Web Services (AWS). The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg.

When you visit our online shop, your personal data is processed on AWS servers. In this context, personal data may also be transferred to the parent company of AWS in the USA.

Your data is processed for the purpose of displaying our online shop in accordance with Art. 6 (1) lit. f) GDPR.

The parent company Amazon.com, Inc. is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision in accordance with Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures. To protect your data, we have also concluded agreements on order processing based on the European Commission's standard contractual clauses.

For more information on AWS's privacy policy, please visit: https://aws.amazon.com/de/privacy/?nc1=f_pr

3.3 Amazon CloudFront (content delivery network)

We use Amazon CloudFront, a web service provided by Amazon Web Services Inc., 410 Terry Avenue North, 98109, Seattle, Washington, USA.

Amazon CloudFront is a content delivery network (CDN). It directs the transfer of information between your browser and our online shop via the CloudFront network. This reduces the latency with which we can deliver static and dynamic web content. It also improves the security of our online shop through data traffic encryption and access controls.

CloudFront also stores cookies on your computer to optimise the service. CloudFront collects statistical data about visits to our online shop.

This includes, among other things:

  • IP address

  • Page accessed

  • Referrer URL

  • Browser type

  • Operating system

  • Device type

The legal basis for the processing of your personal data by CloudFront is your informed, voluntary consent in accordance with Art. 6 (1) (a) GDPR, as well as our legitimate interest in using CloudFront to optimise and improve security, and to use the content delivery network so that we do not have to operate one ourselves.

Personal data is retained by Amazon Web Services for as long as necessary to achieve the purposes described.

The parent company Amazon.com, Inc. is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Art. 45 GDPR is in place, so that personal data may be transferred without further guarantees or additional measures. To protect your data, we have also concluded agreements on order processing based on the European Commission's standard contractual clauses.

Further information can be found at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

For more detailed information about CloudFront, please visit: https://aws.amazon.com/de/cloudfront/

3.4 Shopware e-commerce software

We use the eCommerce software from shopware AG, Ebbinghoff 10, 48624 Schöppingen, in our online shop.

Shopware stores cookies in your browser to ensure the basic functions of our shop. Cookies are used, for example, to enable the shopping basket content, login status and CSRF protection. Shopware cannot be used without cookies being enabled in your browser. Shopware only stores IDs in your browser; the assignment to the respective information takes place in the application area.

Shopware uses the session cookie to determine whether you have an active shopping basket and whether you are logged in. It therefore serves as identification between your browser and the server. No further information is stored in the browser except for the session ID. The handling of session cookies is controlled on the server side via PHP and is independent of Shopware.

In addition, Shopware generates an individual CSRF cookie when you visit the shop so that you can use the individual areas of the shop.

An SLT cookie is also set, which enables us to recognise you when you return to our online shop, even if the session has already expired. The SLT cookie can be deactivated in your browser's basic settings.

Information about the "last viewed items" is also stored in the browser's local storage.

This data is processed for the purpose of providing the online shop in accordance with Art. 6 (1) (f) GDPR.

Further information on data protection can be found at: https://www.shopware.com/de/datenschutz/

3.5 Cookies

3.5.1 General information about cookies

Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our online shop.

The cookie stores information that is related to the specific device used. However, this does not mean that we immediately become aware of your identity.

The use of cookies serves to make the use of our website more pleasant for you. For example, we use so-called session cookies to recognise that you have already visited individual pages of our online shop. These are automatically deleted after you leave our site.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your device for a specific period of time. If you visit our online shop again to use our services, it will automatically recognise that you have already been with us and what entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our online shop and to evaluate our offer for you for the purpose of optimisation. These cookies enable us to automatically recognise that you have already visited our online shop when you visit it again. The cookies set in this way are automatically deleted after a defined period of time. The respective storage period of the cookies can be found in the settings of the consent tool used.

3.5.2 Legal basis for the use of cookies

The data processed by the cookies, which is necessary for the proper functioning of the online shop, is therefore necessary to safeguard our legitimate interests and those of third parties in accordance with Art. 6 (1) lit. f) GDPR.

For all other cookies, you have given your consent in accordance with Art. 6 (1) (a) GDPR via our opt-in cookie banner.

3.5.3 Information on avoiding cookies in common browsers

You can delete cookies, allow only selected cookies or deactivate cookies completely at any time via the settings of your browser.

Further information is available on the support pages of the respective providers:

Chrome: https://support.google.com/chrome/answer/95647?tid=311178978

Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac?tid=311178978

Firefox: https://support.mozilla.org/de/kb/cookies-und-Online-Shop-daten-in-firefox-loschen?tid=311178978

Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09

3.5.4 Consent Management

We use Vinegar, a self-hosted consent management platform (CMP) from Werkbank GmbH, Viktoriastraße 75, 44787 Bochum, to manage user consent to cookies and other tracking technologies on our platform. This tool ensures compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws by allowing users to review and adjust their cookie settings at any time.

Vinegar collects and processes the following data:

  • User consent settings for cookies and tracking technologies

  • Anonymised user IDs to store settings across sessions

  • Timestamps of consent actions

The collected data is processed and stored on the servers of our service provider Werkbank GmbH. There are no plans to transfer the data to third parties or to countries outside the EU. To this end, a corresponding agreement on data processing on behalf of the client in accordance with Art. 28 GDPR has been concluded with the service provider.

3.5.5 Cookies used on this online shop

Below you will find a list of the cookies currently used in this online shop. This list contains the names of the individual cookies, a brief description of their function, their duration and information on whether or not these cookies are subject to consent in accordance with the EU Cookie Directive.

The names of the individual cookies displayed in the page settings may vary, depending, among other things, on which browser you use, which websites you visited before visiting this online shop, or whether you were redirected to this online shop from a website/social media page.

  • Cookie name: Vinegar
    Provider: Werkbank GmbH
    Duration: 1 year
    Description: Vinegar: This tool is used to obtain and document your consent to the use of cookies in your browser. For more information about Vinegar, see section 3.4.4.
    Consent requirement: No

  • Cookie name: Google Analytics / Remarketing
    Provider: Google Ireland Limited
    Duration: 2 years
    Description: Google Analytics/Remarketing: This function is used to monitor data traffic, search queries and visits to this platform. It serves to distinguish between users. If cookies have been accepted, they are personalised for analysis and performance purposes. If they have been rejected, they remain anonymous. For more information about Google Analytics/Remarketing, see section 3.10.
    Consent requirement: Anonymous data: No; Personalised data: Yes

  • Cookie name: Google Tag Manager
    Provider: Google Ireland Limited
    Duration: 1 day
    Description: Google Tag Manager: By using Google Tag Manager, we can automatically track which button, link or personalised image you have actively clicked on. The aim is to make our platform content more interesting. Further information on Google Tag Manager can be found in section 3.11.
    Consent requirement: Yes

  • Cookie name: Matomo
    Provider: InnoCraft Ltd.
    Duration: 13 months
    Description: Matomo: We use this software tool for web analysis, i.e. to collect, gather and evaluate data about the behaviour of visitors to our platform. Further information about Matomo can be found in section 3.10.
    Consent requirement: Yes

3.6 Opening a customer account/using the Family Shop

You have the option of registering in our Health Family Shop by providing personal data and creating a customer account.

Alternatively, you can order from the shop using a guest account without creating a customer account.

The following data is collected and processed for the purpose of providing the customer/guest account and as part of order processing by MEDICE and the service providers commissioned by us:

  • Contact details (title (optional), first and last name, email address, billing address, delivery address, telephone number if applicable)

  • Demographic data (title)

  • Customer number

  • Customer group (standard, employee, PTA)

  • Account status active/inactive

  • Order data (items ordered, order number, date and time of order, order status, delivery status, tracking number)

  • Billing data (order value, shipping costs, voucher redeemed yes/no, payment status, payment method)

  • Technical data (IP address, date and time of registration)

  • Password (encrypted)

Your personal data is processed for the purpose of fulfilling the services contractually agreed with you in connection with your order in accordance with Art. 6 (1) (b) GDPR.

When you register in our online shop, the IP address assigned by your Internet service provider (ISP), the date and the time of registration are also stored. This data is stored because it is the only way to prevent misuse of our services and, if necessary, to enable the investigation of criminal offences.

Where necessary, we verify your identity on the legal basis of Article 6(1)(b) and (f) GDPR, using information from service providers. The justification for this arises from the protection of your identity and the prevention of fraud attempts at our expense. The fact and result of our request will be stored in your customer account or guest account for the duration of the contractual relationship.

MEDICE stores and uses the data you provide for the duration of the contract. After the contract has been fully executed/your customer account has been deleted, your data will be blocked in accordance with tax and commercial law retention periods and deleted after these periods have expired, unless other legal requirements prevent this.

3.6.1 Single sign-on

Single sign-on (SSO) is an authentication process that allows users to access multiple applications with a single set of login credentials. With SSO, users no longer need to remember multiple login credentials for different applications.

This means:

When you register for our services, the data collected during registration is also stored and managed in the Keycloak identity and access management tool connected to the platform. The identity and access management tool is managed by the service provider Werkbank GmbH (Viktoriastraße 75, 44787 Bochum), which is subject to MEDICE's instructions.

This enables you to authenticate yourself for other offers on this platform without having to register again.

Our offers for which you can log in via SSO include:

  • Health Family Shop

  • Health Academy

  • PTA Family

  • Professional access

  • ADHD platform/digital hospital

The legal basis for the transfer and processing of your data is your voluntary consent in accordance with Art. 6 (1) (a) GDPR.

The data collected is processed and stored on the servers of the service provider Werkbank GmbH. There are no plans to transfer the data to third parties or to countries outside the EU. To this end, a corresponding agreement on data processing on behalf of the service provider has been concluded in accordance with Art. 28 GDPR.

3.6.2 Order processing and handling

We work with various service providers (transport companies and credit institutions responsible for payment processing) to process your order. Depending on their assignment, personal data about you will be transferred to these service providers at .

We pass on your name, delivery address and, if necessary for delivery, your telephone number to the transport company responsible for delivery, solely for the purpose of delivering the goods.

We pass on your payment details to the commissioned credit institution as part of the payment processing, insofar as this is necessary for the payment processing. If payment service providers are used, we will explicitly inform you of this below.

The legal basis for the processing and transfer of your data is the fulfilment of the services contractually agreed with you in connection with your order in accordance with Art. 6 (1) (b) GDPR.

We only transfer your personal data to third parties if this is necessary for the execution of the contract. No further transfer of data takes place, or only if you have expressly consented to the transfer. Your data will not be passed on to third parties without your express consent, for example for advertising purposes.

As part of order processing, we offer various payment options to enable you to shop smoothly in our online shop.

We use the following payment service provider: Mollie

Regardless of which payment method you use, we use Mollie B.V., Keizersgracht 121, NL-1015CJ Amsterdam, Netherlands, as our payment service provider for payment processing.

Your personal data (name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number) and information about your order will be passed on to the service provider in order to fulfil the contractually agreed services within the scope of your order in accordance with Art. 6 (1) (b) GDPR.

Your data will only be passed on for the purpose of payment processing and only to the extent necessary for this purpose.

You can object to the processing of your data at any time by sending a message to Mollie. However, Mollie may still be entitled to process your personal data if this is necessary for contractual payment processing. A revocation does not affect the validity of past data processing operations.

The Mollie payment provider offers the following payment methods:

PayPal, Klarna invoice, Klarna Sofort, SEPA bank transfer (prepayment), Mastercard, Visa, American Express, Apple Pay.

For more information on data protection by Mollie, please refer to Mollie's privacy policy: https://www.mollie.com/de/privacy.

3.6.3 Universal vouchers

When you purchase a universal voucher, the data required for the purchase will be forwarded to the provider Living Bytes Kundenbindungs- und Kundengewinnungsprogramme GmbH, Holsteiner Chaussee 183a, 22457 Hamburg, in order to fulfil the services contractually agreed with you within the scope of your order in accordance with Art. 6 (1) lit. b) GDPR.

Further information on data protection at Living Bytes can be found here: https://www.livingbytes.de/datenschutz/

3.6.4 MEDICE Health Family Bonus programme

The MEDICE Health Family Bonus Programme rewards registered users for actively participating in and using the platform's offerings. Registered users from the professional groups of pharmacists, pharmacy technicians, pharmacy assistants or pharmacy clerks can collect points for successfully completed tasks, such as participating in training courses, surveys, purchases in the shop, etc. These points can be redeemed for rewards in the Health Family Shop.

As part of the bonus programme, we process personal data to enable you to participate in the programme, to automate the awarding of points and the creation of vouchers, to generate reports on programme behaviour and to carry out internal evaluations, for example using a control group.

Your data is collected and processed in Salesforce Loyalty Hub, an add-on to the Salesforce platform, provided by salesforce.com Inc. ("salesforce"), One Market Street, Suite 300, San Francisco, CA 94105, USA, on servers in Germany.

The following data will be collected and processed:

  • Contact details (title, first and last name, private email address/postcode, billing address, delivery address, telephone number if applicable)

  • Qualification data (job title: PTA, PKA, pharmacist, other pharmacy specialist staff)

  • Customer number

  • Transactions

  • Billing data (order value, shipping costs, voucher redeemed yes/no, payment status, payment method)

  • Programmes and levels

  • Number of points collected (available and total)

  • History of points awarded, e.g. 200 points for newsletter registration or completion of training

  • Competition history and status, e.g. participation in competition XY, status = open

  • Consent status, e.g. consent to receive newsletters = open

This data may be collected and processed in connection with the following offers and services related to the bonus programme:

  • 360Learning training platform (training courses) – Points can be collected by successfully completing the various training modules.

  • HFP / PTA websites (competitions/interactions/surveys) – Points can be collected by participating in competitions, interactions or surveys.

  • Keycloak/DjangoDB/registration process (date of birth) – Points can be collected by voluntarily providing your date of birth.

  • Self-service area (consents) – In the self-service area, you can give further consents for which you receive points, e.g. for the dispatch of newsletters and marketing information.

  • ventari (events) – Points can be credited for participating in events.

This data is only collected and processed with your voluntary, informed consent in accordance with Art. 6 (1) (a) GDPR.

In order to redeem your collected points in our shop, the necessary data may be forwarded to our partner systems (e.g. Shopware, LivingBytes) to enable the creation and redemption of your vouchers.

MEDICE stores and uses the data collected from you until the described processing purposes have been fulfilled, at the latest until you revoke your consent/delete your user account and all statutory retention periods have expired (in the case of voucher redemption). The statutory retention obligations arise in particular from commercial or tax law regulations.

3.7 Profiling

We process your data in a partially automated manner with the aim of evaluating certain aspects of your person (profiling). We use profiling in the following cases, for example:

  • We use evaluation tools to provide you with targeted information and advice about products. These enable needs-based communication and advertising, including market and opinion research.

  • We may use scoring to assess your creditworthiness. This takes into account experience from previous business relationships.

3.8 Marketing and newsletter distribution

As part of our marketing activities, we send out digital newsletters containing information about products, events, promotions, offers and advertising for the Health Family Shop. Our marketing activities are primarily aimed at customer loyalty and retention, information sharing, market and opinion research, improving our offerings, and automating communication.

Your contact details (name, email address) are used to send the newsletters. Tools and software solutions from various mailing service providers are used for this purpose.

These are:

  • Brevo

    We use the mailing service provider Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. You can view Brevo's privacy policy at: https://www.brevo.com/de/datenschutz-uebersicht/.

  • Mailgun

    We use the Mailgun email service from MessengerPeople GmbH, St.-Martin-Straße 63, 81669 Munich, as a self-hosted on-premise software solution. For more information on Mailgun's privacy policy, please see the page "Our current privacy policy | Mailgun".

  • Salesforce

    We use CRM solutions from salesforce.com Inc. ("salesforce"), One Market Street, Suite 300, San Francisco, CA 94105, USA. We use these CRM (customer relationship management) solutions to manage customer and consent data, for sales management, and for the automated dispatch of newsletters. Salesforce.com Inc. is a US company certified under the EU-US Data Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection. Further information on Salesforce can be found at: https://www.salesforce.com/de/company/privacy/ 

MEDICE Arzneimittel Pütter GmbH & Co. KG only uses service providers with whom a corresponding contractual agreement in accordance with Art. 28 GDPR exists.

The legal basis for the processing of your data in the context of sending the newsletter is either a contractual agreement concluded with you (e.g. when participating in a competition) in accordance with Art. 6 (1) (b) or your voluntary consent in accordance with Art. 6 (1) (a) GDPR.

You can revoke your consent at any time without giving reasons and unsubscribe from the newsletter. For this purpose, there is a corresponding link/contact in every newsletter.

The legal basis for sending newsletters as a result of the sale of goods or services is Section 7(3) UWG. You can also unsubscribe from the newsletter at any time. For this purpose, there is a corresponding link in every newsletter.

3.9 Web analysis

Google Analytics 4 (GA4)

In our online shop, we use the web analysis service Google Analytics 4 (GA4) from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This creates pseudonymised usage profiles and uses cookies (see section 3.4 "Cookies").

The following data on your use of the online shop is collected by the cookies, among other things:

  • IP address (short-term collection without permanent storage)

  • Location data

  • Browser type/version

  • Operating system used

  • Referrer URL (previously visited page)

  • Time of server request

The pseudonymised data may be transferred by Google to a server in the USA and stored there. The information is used to evaluate the use of the online shop, to compile reports on shop activities and to provide other services related to shop use and internet use for the purposes of market research and the needs-based design of the online shop. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the company.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The default data storage period set by Google is 14 months. Otherwise, personal data will be stored for as long as it is necessary to fulfil the purpose of processing. The data will be deleted as soon as it is no longer required to fulfil the purpose.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection.

For more information on Google LLC's privacy policy regarding the use of GA4, please visit: https://support.google.com/analytics/answer/12017362?hl=de

Google Analytics Remarketing

We have integrated Google Remarketing services into this online shop. The operator of Google Remarketing services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Remarketing is a feature of Google AdWords that enables a company to display advertisements to Internet users who have previously visited the company's website. The integration of Google Remarketing therefore allows a company to create user-related advertising and consequently display interest-relevant advertisements to the Internet user.

The purpose of Google Remarketing is to display interest-based advertising. Google Remarketing enables us to display advertisements via the Google advertising network or on other websites that are tailored to the individual needs and interests of Internet users.

Google Remarketing places a cookie on the IT system of the person concerned. By placing the cookie, Google is able to recognise visitors to our online shop when they subsequently visit websites that are also members of the Google advertising network. Each time you visit a website on which the Google Remarketing service has been integrated, your internet browser automatically identifies itself to Google. As part of this technical process, Google obtains knowledge of personal data such as your IP address or surfing behaviour. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The parent company Google LLC is certified as a US company under the EU-US Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection.

For more information on Google LLC's privacy policy regarding the use of remarketing, please visit: https://www.google.de/intl/de/policies/privacy/

Matomo

We have integrated the open source web analytics service Matomo from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, into this online shop. Matomo is a software tool for web analysis, i.e. for collecting, gathering and evaluating data on the behaviour of visitors to websites or applications.

Among other things, data is collected about the website from which a data subject arrived (known as the referrer), which subpages of the website were accessed, and how often and for how long a subpage was viewed. This is used to optimise the website and for cost-benefit analysis of internet advertising.

The software is operated on the server of the controller, and the log files, which are sensitive in terms of data protection, are stored exclusively on this server.

Matomo sets cookies on your IT system. Setting the cookie enables us to analyse the use of our online shop. Each time the online shop is accessed, the Matomo component automatically prompts the internet browser on your IT system to transmit data to our server for the purpose of online analysis. As part of this technical process, we obtain personal data, such as the IP address of the data subject, which we use, among other things, to track the origin of visitors and clicks. We do not pass this personal data on to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The privacy policy of InnoCraft Ltd. can be found at: https://matomo.org/privacy/

3.10 Plugins and other services

Google Tag Manager

We use the Google Tag Manager service in this online shop. Google Tag Manager is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This tool allows "tags" (i.e. keywords that are embedded in HTML elements) to be implemented and managed via an interface. By using Google Tag Manager, we can automatically track which button, link or personalised image you have actively clicked on and can then record which content in our online shop is of particular interest to you.

The tool also triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If you have deactivated tracking at the domain or cookie level, this will remain in effect for all tracking tags implemented with Google Tag Manager.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision has been made in accordance with Art. 45 GDPR, so that personal data may be transferred without further guarantees or additional measures.

Further information on Google Tag Manager and Google's privacy policy can be found at: https://www.google.com/intl/de/policies/privacy/

Google Web Fonts

We use so-called web fonts provided by Google to ensure a uniform presentation of fonts on our website. When you visit a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to the servers of the service providers commissioned by MEDICE, Amazon Web Services (EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg) and Werkbank GmbH (Viktoriastraße 75, 44787 Bochum), and the service providers learn that this website has been accessed via your IP address. Corresponding contractual agreements have been made with both service providers in accordance with Art. 28 GDPR.

The legal basis for the processing of your data is our legitimate interest in the uniform presentation of the typeface on our website in accordance with Art. 6 (1) lit. f) GDPR.

If your browser does not support web fonts, a standard font from your computer will be used.

Further information on Google LLC's privacy policy regarding the use of web fonts can be found at: https://policies.google.com/privacy?hl=de.

3.11 Purposes of processing

Personal data is processed for the following purposes:

  • to provide the Health Family Shop

  • to fulfil contractual obligations or in the context of pre-contractual measures

  • to protect the rights and interests of MEDICE Health Family and third parties (e.g. users)

  • for communication and establishing contact

  • to fulfil legal obligations

  • to provide and permanently guarantee the technical functionality and user-friendliness of the online shop

  • in rare cases, to defend against legal claims or to combat fraud

  • for market research and marketing purposes

3.12 Storage and deletion periods

Unless otherwise stated in this privacy policy, we only store your personal data for as long as is necessary to fulfil the aforementioned processing purposes, fulfil our contractual or legal obligations, or pursue and defend against legal claims.

The statutory retention obligations arise in particular from commercial or tax law regulations.

You can delete your user account at any time. If you delete your account, your data will only be processed by MHF to a limited extent if this is required by law in accordance with Art. 6 (1) (c).

4. Legal basis

The legal basis for the processing of your personal data may be your informed, voluntary consent in accordance with Art. 6 (1) (a) in conjunction with Art. 7 GDPR/§ 25 (1) TDDDG, the performance of a contract to which you are a party, or the performance of pre-contractual measures pursuant to Art. 6 (1) lit. b) GDPR, the fulfilment of a legal obligation pursuant to Art. 6 (1) lit. c) or the protection of our legitimate interests or those of a third party pursuant to Art. 6 (1) lit. f) GDPR.

5. Data transfer

We only pass on your personal data to third parties if:

  1. you have given us your express consent to do so in accordance with Art. 6 (1) (a) GDPR,

  2. the transfer is permissible under Art. 6 (1) lit. f) GDPR to safeguard our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

  3. there is a legal obligation to disclose data in accordance with Art. 6(1)(c) GDPR, and

  4. this is legally permissible and necessary for the performance of contractual relationships with you in accordance with Art. 6 (1) (b) GDPR.

Within the scope of the processing operations described in this privacy policy, personal data may be transferred to the United States. Companies in the United States only have an adequate level of data protection if they have certified themselves under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission pursuant to Article 45 GDPR applies.

We have explicitly mentioned this in the privacy policy for the service providers concerned. In order to protect your data in all other cases, we have concluded agreements on order processing based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49(1)(a) GDPR may serve as the legal basis for the transfer to third countries. This does not apply to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR.

Under these conditions, recipients of personal data may include, for example:

  • Companies affiliated with MEDICE, insofar as this is necessary for the purpose of data processing.

  • Public authorities and institutions (e.g. European Central Bank, tax authorities, Federal Central Tax Office, public prosecutors) in the event of a legal or official obligation.

  • Processors to whom we transfer personal data in order to conduct our business relationship with you, e.g. for services related to archiving, document processing, call centre services, controlling, compliance, data destruction, purchasing, debt collection, customer management, lettershops, marketing, media technology, reporting, support/maintenance of IT applications, risk controlling, telephony, goods dispatch, shop management, payment transactions.

  • Persons bound to professional secrecy (including solicitors, tax consultants, auditors) for support in fulfilling legal or official obligations, as well as for pursuing and defending legal claims and in criminal prosecution.

Other data recipients may be those entities to which you have given your consent for data transfer.

MEDICE assures that it will only pass on your data to entities that can demonstrate an appropriate data protection concept in accordance with the applicable regulations and laws and with which, if necessary, appropriate contractual agreements have been concluded in accordance with Art. 26 and Art. 28 GDPR.

6. Data security

The security of your personal information is very important to us.

Every time data is collected, stored, used and transferred, there are confidentiality risks (e.g. the possibility of identifying the person concerned). These risks cannot be completely ruled out and increase the more data can be linked together. MEDICE assures you that it will do everything possible in line with the state of the art to protect the transfer of your data.

To this end, we take the following technical and organisational measures, among others:

  • SSL/TLS encryption: Personal data is only transmitted via connections that are encrypted using the latest technology. We implement the applicable requirements of the Federal Office for Information Security and use this technology to protect the transmission of your data. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

  • Different passwords for all internally used software tools

  • Multi-factor authentication for access to internal systems and information

  • Virus protection for all IT hardware used

  • Firewall for our internal company network

  • Regular training on data security and protection for all employees

  • Regular updates of all software components

  • Regular data backups to ensure availability

  • Regular risk analyses of the relevant IT systems


7. Your rights

When processing your personal data, our goal is to guarantee your data protection rights at all times. Our service hours and all contact details can be found under point 2, "Contact".

You can exercise the following rights in relation to your personal data:

  • You can request information about the processing of your data.

  • You can request the correction of your personal data if it is incorrect or incomplete.

  • You can request the restriction of the processing of your personal data: (1) for the duration of the verification of the accuracy of the data; (2) if the processing is unlawful and you refuse to have it deleted; (3) if the data is no longer required by the controller for the purposes of processing, but you need it to assert, exercise or defend legal claims; (4) in the event of an objection to data processing, as long as the corresponding balancing of interests has not been clarified.

  • You may request that the data collected about you be transferred to you or to a body designated by you.

  • If there are grounds for complaint, you may lodge a complaint with the competent data protection authority.

The contact details of the data protection supervisory authorities of all federal states can be found at the following internet address:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

  • You may request the deletion of data collected about you.

  • You may object to the processing of your personal data at any time without giving reasons if the processing is based on Art. 6 (1) (e) or (f) GDPR.

  • You can revoke your consent to data processing at any time without giving reasons.

You will not suffer any disadvantages as a result of an objection/revocation. The objection is effective for the future; previous data transfers remain lawful. From now on, your data will only be processed by MEDICE to a limited extent if this is required by the relevant legal provisions under Art. 6 (1) (c) and our legitimate interest under Art. 6 (1) (f) GDPR.

If you have any further questions about the handling of your personal data or would like to exercise your other rights, please contact our data protection team at datenschutz[at]medice.de.

For confidential matters relating to data protection, you can contact our data protection officer directly at dsb[at]medice.de.