DATA PROTECTION

Data protection is important for us!

Below you will find various privacy policies that may be relevant to your contact with Use-Lab.

Privacy Policy

1. An overview of data protection

General information

The following information will provide you with an easy to navigate overview of what will happen with your personal data when you visit this website. The term “personal data” comprises all data that can be used to personally identify you. For detailed information about the subject matter of data protection, please consult our Data Protection Declaration, which we have included beneath this copy.

Data recording on this website

Who is the responsible party for the recording of data on this website (i.e., the “controller”)?

The data on this website is processed by the operator of the website, whose contact information is available under section “Information about the responsible party (referred to as the “controller” in the GDPR)” in this Privacy Policy.

How do we record your data?

We collect your data as a result of your sharing of your data with us. This may, for instance be information you enter into our contact form.

Other data shall be recorded by our IT systems automatically or after you consent to its recording during your website visit. This data comprises primarily technical information (e.g., web browser, operating system, or time the site was accessed). This information is recorded automatically when you access this website.

What are the purposes we use your data for?

A portion of the information is generated to guarantee the error free provision of the website. Other data may be used to analyze your user patterns.

What rights do you have as far as your information is concerned?

You have the right to receive information about the source, recipients, and purposes of your archived personal data at any time without having to pay a fee for such disclosures. You also have the right to demand that your data are rectified or eradicated. If you have consented to data processing, you have the option to revoke this consent at any time, which shall affect all future data processing. Moreover, you have the right to demand that the processing of your data be restricted under certain circumstances. Furthermore, you have the right to log a complaint with the competent supervising agency.

Please do not hesitate to contact us at any time if you have questions about this or any other data protection related issues.

2. Hosting

We are hosting the content of our website at the following provider:

IONOS

The provider is the IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (hereinafter referred to as: IONOS). Whenever you visit our website, IONOS records various logfiles along with your IP addresses. For details, please consult the data privacy policy of IONOS: https://www.ionos.de/terms-gtc/terms-privacy.

We use IONOS on the basis of Art. 6 (1)(f) GDPR. Our company has a legitimate interest in presenting a website that is as dependable as possible. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

3. General information and mandatory information

Data protection

The operators of this website and its pages take the protection of your personal data very seriously. Hence, we handle your personal data as confidential information and in compliance with the statutory data protection regulations and this Data Protection Declaration.

Whenever you use this website, a variety of personal information will be collected. Personal data comprises data that can be used to personally identify you. This Data Protection Declaration explains which data we collect as well as the purposes we use this data for. It also explains how, and for which purpose the information is collected.

We herewith advise you that the transmission of data via the Internet (i.e., through e-mail communications) may be prone to security gaps. It is not possible to completely protect data against third-party access.

Information about the responsible party (referred to as the “controller” in the GDPR)

The data processing controller on this website is:

Use-Lab GmbH
Am Campus 2
48565 Steinfurt

Vertreten durch:
Torsten Gruchmann

Phone: +49(0)2551-962483
E-mail: info@use-lab.com

The controller is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and resources for the processing of personal data (e.g., names, e-mail addresses, etc.).

Storage duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, the deletion will take place after these reasons cease to apply.

General information on the legal basis for the data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9 (2)(a) GDPR, if special categories of data are processed according to Art. 9 (1) DSGVO. In the case of explicit consent to the transfer of personal data to third countries, the data processing is also based on Art. 49 (1)(a) GDPR. If you have consented to the storage of cookies or to the access to information in your end device (e.g., via device fingerprinting), the data processing is additionally based on § 25 (1) TDDDG. The consent can be revoked at any time. If your data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required for the fulfillment of a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Furthermore, the data processing may be carried out on the basis of our legitimate interest according to Art. 6(1)(f) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.

Recipients of personal data

In the scope of our business activities, we cooperate with various external parties. In some cases, this also requires the transfer of personal data to these external parties. We only disclose personal data to external parties if this is required as part of the fulfillment of a contract, if we are legally obligated to do so (e.g., disclosure of data to tax authorities), if we have a legitimate interest in the disclosure pursuant to Art. 6 (1)(f) GDPR, or if another legal basis permits the disclosure of this data. When using processors, we only disclose personal data of our customers on the basis of a valid contract on data processing. In the case of joint processing, a joint processing agreement is concluded.

Revocation of your consent to the processing of data

A wide range of data processing transactions are possible only subject to your express consent. You can also revoke at any time any consent you have already given us. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

Right to object to the collection of data in special cases; right to object to direct advertising (Art. 21 GDPR)

IN THE EVENT THAT DATA ARE PROCESSED ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO AT ANY TIME OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON GROUNDS ARISING FROM YOUR UNIQUE SITUATION. THIS ALSO APPLIES TO ANY PROFILING BASED ON THESE PROVISIONS. TO DETERMINE THE LEGAL BASIS, ON WHICH ANY PROCESSING OF DATA IS BASED, PLEASE CONSULT THIS DATA PROTECTION DECLARATION. IF YOU LOG AN OBJECTION, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE ARE IN A POSITION TO PRESENT COMPELLING PROTECTION WORTHY GROUNDS FOR THE PROCESSING OF YOUR DATA, THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS OR IF THE PURPOSE OF THE PROCESSING IS THE CLAIMING, EXERCISING OR DEFENCE OF LEGAL ENTITLEMENTS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS BEING PROCESSED IN ORDER TO ENGAGE IN DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR AFFECTED PERSONAL DATA FOR THE PURPOSES OF SUCH ADVERTISING AT ANY TIME. THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS AFFILIATED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT ADVERTISING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Right to log a complaint with the competent supervisory agency

In the event of violations of the GDPR, data subjects are entitled to log a complaint with a supervisory agency, in particular in the member state where they usually maintain their domicile, place of work or at the place where the alleged violation occurred. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.

Information about, rectification and eradication of data

Within the scope of the applicable statutory provisions, you have the right to demand information about your archived personal data, their source and recipients as well as the purpose of the processing of your data at any time. You may also have a right to have your data rectified or eradicated. If you have questions about this subject matter or any other questions about personal data, please do not hesitate to contact us at any time.

Right to demand processing restrictions

You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time. The right to demand restriction of processing applies in the following cases:

  • In the event that you should dispute the correctness of your data archived by us, we will usually need some time to verify this claim. During the time that this investigation is ongoing, you have the right to demand that we restrict the processing of your personal data.
  • If the processing of your personal data was/is conducted in an unlawful manner, you have the option to demand the restriction of the processing of your data instead of demanding the eradication of this data.
  • If we do not need your personal data any longer and you need it to exercise, defend or claim legal entitlements, you have the right to demand the restriction of the processing of your personal data instead of its eradication.
  • If you have raised an objection pursuant to Art. 21(1) GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you have the right to demand a restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data – with the exception of their archiving – may be processed only subject to your consent or to claim, exercise or defend legal entitlements or to protect the rights of other natural persons or legal entities or for important public interest reasons cited by the European Union or a member state of the EU.

SSL and/or TLS encryption

For security reasons and to protect the transmission of confidential content, such as purchase orders or inquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption program. You can recognize an encrypted connection by checking whether the address line of the browser switches from “http://” to “https://” and also by the appearance of the lock icon in the browser line.

If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.

4. Recording of data on this website

Cookies

Our websites and pages use what the industry refers to as “cookies.” Cookies are small data packages that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or they are permanently archived on your device (permanent cookies). Session cookies are automatically deleted once you terminate your visit. Permanent cookies remain archived on your device until you actively delete them, or they are automatically eradicated by your web browser.

Cookies can be issued by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services of third-party companies into websites (e.g., cookies for handling payment services).

Cookies have a variety of functions. Many cookies are technically essential since certain website functions would not work in the absence of these cookies (e.g., the shopping cart function or the display of videos). Other cookies may be used to analyze user behavior or for promotional purposes.

Cookies, which are required for the performance of electronic communication transactions, for the provision of certain functions you want to use (e.g., for the shopping cart function) or those that are necessary for the optimization (required cookies) of the website (e.g., cookies that provide measurable insights into the web audience), shall be stored on the basis of Art. 6(1)(f) GDPR, unless a different legal basis is cited. The operator of the website has a legitimate interest in the storage of required cookies to ensure the technically error-free and optimized provision of the operator’s services. If your consent to the storage of the cookies and similar recognition technologies has been requested, the processing occurs exclusively on the basis of the consent obtained (Art. 6(1)(a) GDPR and § 25 (1) TDDDG); this consent may be revoked at any time.

You have the option to set up your browser in such a manner that you will be notified any time cookies are placed and to permit the acceptance of cookies only in specific cases. You may also exclude the acceptance of cookies in certain cases or in general or activate the delete-function for the automatic eradication of cookies when the browser closes. If cookies are deactivated, the functions of this website may be limited.

Which cookies and services are used on this website can be found in this privacy policy.

Consent with Complianz

Our website uses Complianz’s consent technology to obtain your consent to store certain cookies on your device or for the use of certain technologies and to document this consent in a manner compliant with data protection regulations. The provider of this technology is Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, the Netherlands (hereinafter “Complianz”).

Complianz is hosted on our servers, so no connection to the servers of the provider of Complianz is established. Complianz stores a cookie in your browser in order to be able to allocate the consents granted to you or their revocation. The data collected in this way is stored until you request us to delete it, delete the Complianz cookie yourself or until the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.

Complianz serves to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6(1)(c) GDPR.

5. Social media

eRecht24 Safe Sharing Tool

Users may share the content of this website and its pages in a data protection law compliant manner on social networks, such as Facebook, X et al. For this purpose, this website uses the eRecht24 Safe Sharing Tool. This tool does not establish a direct connection between the network and the user until the user has actively clicked on one of the buttons. The click on this button constitutes content as defined in Art. 6(1)(a) GDPR and § 25 (1) TDDDG. This consent may be revoked by the user at any time, which shall affect all future actions.

This tool does not automatically transfer user data to the operators of these platforms. If the user is registered with one of the social networks, an information window will pop up as soon as the social media elements of Facebook, X et al is used, which allows the user to confirm the text prior to sending it.

Our users have the option to share the content of this website and its page in a data protection law compliant manner on social networks, without entire browsing histories are being generated by the operators of these networks.

This service is used to obtain the consent to the use of certain technologies required by law. The legal basis for this is Art. 6(1)(c) GDPR.

6. Plug-ins and Tools

Google Fonts (local embedding)

This website uses so-called Google Fonts provided by Google to ensure the uniform use of fonts on this site. These Google fonts are locally installed so that a connection to Google’s servers will not be established in conjunction with this application.

For more information on Google Fonts, please follow this link: https://developers.google.com/fonts/faq and consult Google’s Data Privacy Declaration under: https://policies.google.com/privacy?hl=en.

7. eCommerce and payment service providers

Processing of Customer and Contract Data

We collect, process, and use personal customer and contract data for the establishment, content arrangement and modification of our contractual relationships. Data with personal references to the use of this website (usage data) will be collected, processed, and used only if this is necessary to enable the user to use our services or required for billing purposes. The legal basis for these processes is Art. 6(1)(b) GDPR.

The collected customer data shall be deleted upon completion of the order or termination of the business relationship and upon expiration of any existing statutory archiving periods. This shall be without prejudice to any statutory archiving periods.

8. Online-based Audio and Video Conferences (Conference tools)

Data processing

We use online conference tools, among other things, for communication with our customers. The tools we use are listed in detail below. If you communicate with us by video or audio conference using the Internet, your personal data will be collected and processed by the provider of the respective conference tool and by us. The conferencing tools collect all information that you provide/access to use the tools (email address and/or your phone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other “context information” related to the communication process (metadata).

Furthermore, the provider of the tool processes all the technical data required for the processing of the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

Should content be exchanged, uploaded, or otherwise made available within the tool, it is also stored on the servers of the tool provider. Such content includes, but is not limited to, cloud recordings, chat/ instant messages, voicemail uploaded photos and videos, files, whiteboards, and other information shared while using the service.

Please note that we do not have complete influence on the data processing procedures of the tools used. Our possibilities are largely determined by the corporate policy of the respective provider. Further information on data processing by the conference tools can be found in the data protection declarations of the tools used, and which we have listed below this text.

Purpose and legal bases

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest in the meaning of Art. 6(1)(f) GDPR). Insofar as consent has been requested, the tools in question will be used on the basis of this consent; the consent may be revoked at any time with effect from that date.

Duration of storage

Data collected directly by us via the video and conference tools will be deleted from our systems immediately after you request us to delete it, revoke your consent to storage, or the reason for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the duration of storage of your data that is stored by the operators of the conference tools for their own purposes. For details, please directly contact the operators of the conference tools.

Conference tools used

We employ the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is the Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy: https://privacy.microsoft.com/en-us/privacystatement.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

9. Custom Services

Handling applicant data

We offer website visitors the opportunity to submit job applications to us (e.g., via e-mail, via postal services on by submitting the online job application form). Below, we will brief you on the scope, purpose and use of the personal data collected from you in conjunction with the application process. We assure you that the collection, processing, and use of your data will occur in compliance with the applicable data privacy rights and all other statutory provisions and that your data will always be treated as strictly confidential.

Scope and purpose of the collection of data

If you submit a job application to us, we will process any affiliated personal data (e.g., contact and communications data, application documents, notes taken during job interviews, etc.), if they are required to make a decision concerning the establishment or an employment relationship. The legal grounds for the aforementioned are § 26 BDSG according to German Law (Negotiation of an Employment Relationship), Art. 6(1)(b) GDPR (General Contract Negotiations) and – provided you have given us your consent – Art. 6(1)(a) GDPR. You may revoke any consent given at any time. Within our company, your personal data will only be shared with individuals who are involved in the processing of your job application.

If your job application should result in your recruitment, the data you have submitted will be archived on the grounds of § 26 BDSG and Art. 6(1)(b) GDPR for the purpose of implementing the employment relationship in our data processing system.

Data Archiving Period

If we are unable to make you a job offer or you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application procedure (rejection or withdrawal of the application). Afterwards the data will be deleted, and the physical application documents will be destroyed. The storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the expiry of the 6-month period (e.g., due to an impending or pending legal dispute), deletion will only take place when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your agreement (Article 6(1)(a) GDPR) or if statutory data retention requirements preclude the deletion.

Admission to the applicant pool

If we do not make you a job offer, you may be able to join our applicant pool. In case of admission, all documents and information from the application will be transferred to the applicant pool in order to contact you in case of suitable vacancies.

Admission to the applicant pool is based exclusively on your express agreement (Art. 6(1)(a) GDPR). The submission agreement is voluntary and has no relation to the ongoing application procedure. The affected person can revoke his agreement at any time. In this case, the data from the applicant pool will be irrevocably deleted, provided there are no legal reasons for storage.

The data from the applicant pool will be irrevocably deleted no later than two years after consent has been granted.

Data Protection Notice for Clients and Interested Parties.
In accordance with Art. 13, 14 and 21 General Data Protection Regulation (GDPR)

The following information provides an overview of how we process your data and your right with regards to this data.

1.Who is responsible for processing my data and whom can I contact with questions?

The responsible party within the meaning of the General Data Protection Regulation and other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:

Use-Lab GmbH
Am Campus 2
48565 Steinfurt
Germany

info@use-lab.com
+49 (0) 2551 / 7092-0
https://use-lab.com/

Data Protection Officer

Nils Möllers
Keyed GmbH
Siemensstraße 12
48341 Altenberge
Germany

info@keyed.de
+49 (0) 2505 – 639797
https://keyed.de

2.What data and sources do we use?

We process personal data that we have received from you in context of our business relationship. To the extent necessary to provide our services, we also process personal data that we have legitimately received from third parties with your permission or received to preserve our justified interests.

Relevant personal data includes details like your name, address and other contact data. In addition, this data may include order data, data gathered while fulfilling our contractual obligations, advertising and sales data, documentation data (in particular consultation minutes), register data, data about your use of our digital media (in particular, times at which you have visited our website or opened our newsletter, which pages you’ve viewed on our website, etc.) as well as other comparable data. When necessary, we also work with personal data from publicly available sources (in particular, records of debtors, land registers, commercial and association registers, the press, media) to which we have gained access in a lawful manner and which we are allowed to process.

3.To what end and on what legal basis are we processing your personal data?

We process personal data in accordance with the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a) Based on your consent (Art. 6 para. 1 lit. a) GDPR)

If you have given us your consent to process personal data for specific purposes (in particular the forwarding of data and the evaluation of data for marketing purposes), the legality of this processing is based on your consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us prior to the validity of the DSGVO, i.e. before 25 May 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

b) To fulfil contractual obligations (Art. 6 para. 1 lit. b) DSGVO)

The processing of personal data is carried out to execute our contracts with you and the execution of your orders, as well as all necessary activities in connection with this and also pre-contractual measures. The purposes of the data processing are primarily based on the specific content of the contract.

c) Within the framework of legitimate interests (Art. 6 para. 1 lit. f) GDPR)

As far as necessary, we process your data beyond the actual fulfilment of the contract in order to protect the legitimate interests of us or third parties. These are in particular:

  • Examination and optimisation of procedures for the analysis of requirements and direct customer contact;
  • advertising or market and opinion research, unless you have objected to the use of your data in this regard;
  • assertion of legal claims and defence in the event of legal disputes;
  • guaranteeing IT security;
  • Measures for business management and further development of services and products.

4.Who receives your data?

Your personal data will be given to those who require it in order for us to fulfill our contractual and legal obligations. External processors (Art. 28 DSGVO) whom we have engaged may also receive your Data for the purposes given. These include, among others, IT service providers, logistics, printing services, telecommunications, collection, advice and consulting and sales and marketing and address research. We may only disclose information about you if we are legally required to do so, if you have given your consent, or if we are authorized to.

Under these requirements, recipients of personal data might be, for example:

  • Relevant authorities (in particular notaries and courts)
  • Other recipients of data might be any units for which you have given your consent to the transfer of data.

5.For how long will your data be stored?

We process and store your personal data as long as it is necessary for the performance of our contractual obligations, which includes the initiation and completion of a contract. We are also obligated to uphold various statutory retention and documentation requirements; these time limits are up to ten years in duration. Finally, how long we store your data depends on statutes of limitation, which are generally three years, but in some cases may be up to thirty years.

Use-Lab GmbH must take into account the retention periods of the Medical Devices Ordinance, as the clients are subject to this ordinance. In detail, manufacturers are subject to at least the following retention periods:

“Manufacturers shall keep at the disposal of the competent authorities the technical documentation, the EU declaration of conformity and, where appropriate, a copy of relevant certificates issued in accordance with Article 56, including any amendments and supplements, for at least ten years after the last product covered by the EU declaration of conformity has been placed on the market. In the case of implantable products, this period shall be at least 15 years from the date on which the last product was placed on the market”, Article 10 para. 8 MDR (Medical Device Directive).

6.Is data transferred to a third country or to an international organization?

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your orders, prescribed by law, or if you have given us your consent.

7.What are your data protection rights?

If personal data is processed by you, you are a data subject within the meaning of the GDPR and you are entitled to the following rights in relation to the person responsible:

  1. Right to information (Art. 15 GDPR)
  2. Right of rectification (Art. 16 GDPR)
  3. Right of cancellation (Art. 17 GDPR)
  4. Right to restrict processing (Art. 18 GDPR)
  5. Right to data transferability (Art. 20 GDPR)
  6. Right to object (Art. 21 GDPR)

Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data is in breach of the DPA. With regard to the right of information and the right of deletion, the restrictions pursuant to Sections 34 and 35 BDSG apply.

The supervisory authority with which the complaint was lodged will inform the complainant of the status and the results of the complaint, including the possibility of a legal remedy in accordance with Article 78 GDPR. You may also contact the competent data protection supervisory authority (right of appeal under Article 77 GDPR in conjunction with Article 19 BDSG):

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

Kavaleriestr. 2-4
40213 Düsseldorf

Phone:   +49 211 38424-0
Fax:   +49 211 38424-10

8.What data are you obligated to provide us with?

Within the scope of our business relationship, you only need to provide personal data which is necessary for the initiation and execution of a business relationship and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we will not be able to enter into any contract or execute the order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.

9.Is automated decision-making used out or is profiling carried out?

We do not employ fully automated decision making (in accordance with Art. 22 GDPR) as basis for entering into business relationships or for maintaining these. Your data will not be used to create any profile.

Data Protection Notice for Participants

Simply put…

On May 25, 2018 the General Data Protection Regulation (GDPR) came into effect, creating a new legal framework for data protection in Germany and the European Union. Because we are an EU-based company, we are bound to follow GDPR, even when we are operating outside of the European Union.

Data protection is a matter of trust and your trust matters to us, thus, protecting your privacy is very important to us. We want to let you know how we at Use-Lab handle your personal data, so that you feel secure working with us today and any time you might participate in one of our studies in the future.

What information do we collect and why?

We collect the information you share with us, for example, by phone or via a contact form.

To discuss participation

We have to speak with you and ask questions to find out if you are interested in participating in a particular study and if you meet the requirements for participation in that study.

In most cases, we will contact you by phone, but we may also contact you by e-mail. This means we will need your phone number and your e-mail address. When we get in touch with you, we will ask questions specific to the study we are recruiting for. In this context we may collect further personal data, like your age, gender, handedness, information about any possible vision or hearing impairments, as well as information about your job and your experience with particular medical products and associated health information.

This information is important for us during the screening process for a given study, because all of these factors can influence how a person interacts with a medical device.

Examples: A scalpel for lefthanded users can only be tested by persons who are lefthanded, so we have to ask you what your dominant hand is. Or consider a walker: This device is primarily for persons who require support when walking. Thus, we have to ask you about any difficulties you might have walking.

Appointments, transportation and overnight stays

Sometimes we have projects for which participants must travel a significant time or even stay a few days. In these cases, we can support you to make travel arrangements by taxi, train, plane and, of course, support you to book hotel stays. So that we can arrange for your travel, we have to share some personal data with the respective transportation agency (e.g., taxi company or airline) and hotel so that they can identify you, for example, by name.

Who is responsible for processing your data?

Responsible organization

Use-Lab GmbH
Represented by the managing director Torsten Gruchmann
Am Campus 2
48565 Steinfurt

Tel: +49 2551 7092-0
Fax: +49 2551 7092-29
E-Mail: info@use-lab.com

We have an ext. data protection officer. His contact information is:

Nils Möllers
Keyed GmbH
Tel: +49 2505 63 9797
Fax: +49 2505 63 9777
E-Mail: info@keyed.de

What is the legal basis?

We only process your personal data for the purposes described in this notice (participation or potential participation in a usability study).

We process personal data in accordance with the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

  1. Based on your consent (Art. 6 para. 1 lit. a) GDPR)
  2. To fulfil contractual obligations (Art. 6 para. 1 lit. b) DSGVO)
  3. Within the framework of legitimate interests (Art. 6 para. 1 lit. f) GDPR)

Who receives your data?

We will not share your personal data with our client (medical product manufacturer) without anonymizing it. If, for example, a manufacturer needs to prove that fifteen lefthanded persons participated in a study, we will document this in the report but without any additional data with which you could be identified.

Otherwise, your personal data will only be given to those who require it in order for us to fulfill our contractual and legal obligations. External processors (Art. 28 DSGVO) whom we have engaged may also receive your Data for the purposes given. These include, for example, IT service providers.

We may only disclose information about you if we are legally required to do so, if you have given your consent, or if we are authorized to.

How long will we store your data?

We will only store your data as long as it is necessary for the purposes described above or as long as legal statutes require us to.

Use-Lab GmbH must take into account the retention periods of the Medical Devices Ordinance, as the clients are subject to this ordinance. In detail, manufacturers are subject to at least the following retention periods:

“Manufacturers shall keep at the disposal of the competent authorities the technical documentation, the EU declaration of conformity and, where appropriate, a copy of relevant certificates issued in accordance with Article 56, including any amendments and supplements, for at least ten years after the last product covered by the EU declaration of conformity has been placed on the market. In the case of implantable products, this period shall be at least 15 years from the date on which the last product was placed on the market”, Article 10 para. 8 MDR (Medical Device Directive).

What are your data protection rights?

You have the following rights:

  1. Right to access (Art. 15 GDPR)
  2. Right to rectification (Art. 16 GDPR)
  3. Right to erasure (Art. 17 GDPR)
  4. Right to restrict processing (Art. 18 GDPR)
  5. Right to data portability (Art. 20 GDPR)
  6. Right to object (Art. 21 GDPR)

*The full description of the rights of data subjects can be found at: https://www.use-lab.com/en/data-protection

For better understandability, we have included more detailed explanations of the rights to erasure and to object:

Erasure

Your personal data may be erased, as long as no statutes of limitation or other legal reasons stand in the way and the data are no longer required for the reason associated with them being stored in the first place.

Right to object

Furthermore, you may always rescind your consent for us to use your personal data to contact you about participating in new studies or request that we block your data set altogether.

We take protecting your data very seriously, so feel free to get in touch with us if you have any questions. In this case, please contact our data protection officer.

You may also contact the data privacy regulatory authority (right to lodge a complaint in accordance with Art. 77 GDPR i. V. m. § 19 BDSG).

Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data is in breach of the DPA. With regard to the right of information and the right of deletion, the restrictions pursuant to Sections 34 and 35 BDSG apply.

The supervisory authority with which the complaint was lodged will inform the complainant of the status and the results of the complaint, including the possibility of a legal remedy in accordance with Article 78 GDPR. They may also contact the competent data protection supervisory authority (right of appeal under Article 77 GDPR in conjunction with Article 19 BDSG):

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Cavalry tr. 2-4
40213 Düsseldorf

Telefon: +49 211 38424-0
Fax: +49 211 38424-10
E-Mail: poststelle@ldi.nrw.de