As the data controller within the meaning of Article 4 No. 7 of the GDPR, we process personal information of natural persons (personal data). Compliance with legal data protection regulations, especially the European General Data Protection Regulation (GDPR), is not only a legal obligation for us as a company. In this privacy policy, we primarily aim to provide affected individuals with a meaningful overview of how we process your data in a perceivable, understandable, and clearly comprehensible manner.
EcoCare GmbH
Kolberger Str. 7,
40599 Düsseldorf
Germany
Tel.: +49 211 41872902
E-Mail: carecenter@ecocare.de
Managing Director: Gonca Demir
If we determine the purposes and means of processing jointly with other controllers according to Article 26 GDPR, we have presented this under the respective purposes and legal bases.
IBS data protection services and consulting GmbH
Mr. Marc Neumann
Tel.: +49 40 5409097 - 80
E-Mail: dsb@ibs-data-protection.de
Note: The contact details of the Data Protection Officer are exclusively for inquiries regarding data protection. Please do not use the contact details of the Data Protection Officer for support requests or general questions regarding EcoCare products!
(1) When you visit one of our websites, receive an email, or use an app that links to this privacy policy, we collect pseudonymized connection data required to display the desired website or app (e.g., IP address, referrer URL, destination page, timestamp) and store this data in so-called server log files. Additionally, we store pseudonymized information in certain cases in the browser or app, in so-called cookies/local storage/session storage, as far as necessary to display our website or app or enable necessary functions (so-called technically necessary services or cookies).
(2) If you use a contact form on a website or app provided by us, we collect the data you enter, at least the information marked as mandatory. The data is transmitted to our servers encrypted via HTTPS (SSL) and forwarded to us via email. In any communication via email, connection data (e.g., IP address, mail client, timestamp) and metadata (e.g., size of transmitted data), as well as any attachments containing personal data, are processed alongside the entered data (message content). Emails are generally scanned by technical means for unwanted content (e.g., viruses, spam).
(3) If you use additional IT systems provided by us, we process pseudonymized (e.g., IP address) or personalized data (e.g., email, username) in addition to the respective purposes to protect our systems through technical means and to log accesses to the systems as well as any activities in our systems in so-called log files.
(4) You are obliged to provide this data, without any legal or contractual obligation. Visiting our websites, using our app or one of our contact forms, sending an email to us, or using our IT systems is not possible or only possible with limitations without providing this information.
(5) The storage of information in the end-user's device or access to already stored information in the end-user's device is necessary under § 25 Abs. 2 No. 2 TTDSG to provide the telemedia service you expressly requested.
The processing for the purpose of providing our websites and IT systems is carried out to pursue overriding legitimate interests according to Article 6 Abs. 1 lit. f GDPR. Our legitimate interests are ensuring the functionality and security of our IT systems and asserting, exercising, and defending legal claims.
(1) If you wish to use our services and open a customer account, we collect the information necessary for providing a personal customer account (e.g., name, email, password).
(2) If you wish to use services for family members and they should not open their own customer account, it is possible to register these individuals in your customer account. In this case, we collect the information necessary for providing our services in your personal customer account.
(3) We store this information in connection with the use of the customer account as far as necessary for ordering, activating and evaluating a test (HomeKit), booking appointments, or for further services we provide.
(4) Further information regarding the desired services (e.g., activation and evaluation of a test (HomeKit), appointment booking) about family members will be collected either by them or by you and linked to your customer account. We assume that you are legally authorized to represent them and that the data is processed lawfully by you in your customer account.
(5) You are obliged to provide the required data, without any legal obligation. However, there is a contractual obligation to communicate the required information in order to fulfill the contractual obligations within the provision of the services associated with the customer account. The use of services linked to the customer account is not possible without providing this data.
The processing for the purpose of providing a customer account and the services contained therein is carried out to fulfill a contract with the affected person according to Article 6 Abs. 1 lit. b, Article 9 Abs. 2 lit. h, f GDPR.
(1) If you order in our online shop, we collect the information necessary for payment, processing, and shipping of the order (e.g., billing address, shipping address, payment method).
(2) Ordering a test (HomeKit) in our online shop requires the opening of a customer account as part of the ordering process. The order will be linked to your customer account, and the HomeKit will be activated through your customer account. This also applies if the order is made for a family member who cannot or should not open their own customer account.
(3) If you want to order a test for another person who will later register their own customer account, you can also make a guest order without opening a customer account.
(4) The data required for the order will be stored for later orders and displayed in your customer account, unless you made a guest order. In this case, the data of an order will only be stored on documents that must be created and retained due to commercial and tax regulations (e.g., delivery note, invoice).
(5) You are obliged to provide the required data, without any legal obligation. However, there is a contractual obligation to communicate the required information to fulfill the contractual obligations within the order. An order in our online shop is not possible without providing this data.
The processing for the purpose of ordering in our online shop is carried out to fulfill a contract with the affected person according to Article 6 Abs. 1 lit. b GDPR.
(1) If you use our services at partner locations (e.g., pharmacy) or link services offered by our partners to your customer account, we collect the information necessary to provide the services or to link and display the respective information in your customer account (e.g., diagnostic data).
(2) In this case, we are jointly responsible with the respective partner in accordance with Article 26 GDPR. You can assert your rights as an affected person against both us and the respective partner. Further detailed information about the agreement according to Article 26 GDPR, which we conclude with all partners, can be found in this document.
(3) You are obliged to provide the required data, without any legal obligation. However, there is a contractual obligation to communicate the required information to fulfill the contractual obligations within the provision of the services linked to the customer account. The use of services linked to the customer account is not possible without providing this data.
The processing for the purpose of providing a customer account and the services contained therein is carried out to fulfill a contract with the affected person according to Article 6 Abs. 1 lit. b, Article 9 Abs. 2 lit. h, f GDPR.
(1) If you subscribe to receive our newsletter, we process the email address you provide to send you regular news about interesting updates and offers from EcoCare GmbH.
(2) You are not obliged to provide this data; there is also no legal or contractual obligation. However, the registration for the newsletter and the subsequent sending of emails to you is not possible without processing your email address.
The processing for the purpose of sending newsletters is based on the consent of the affected person according to Article 6 Abs. 1 lit. a GDPR. The consent can be revoked at any time with effect for the future.
(1) If you apply to us, we collect all personal data you provide us during the application process. An application can be made either spontaneously or based on one of our published job advertisements. Subsequently, we process your personal data in the application process to invite you to a personal interview if necessary and to decide on the establishment of an employment relationship.
(2) If the application is rejected, we process the data in case of a legal dispute. Alternatively, with your explicit consent, we can also store the application documents for a later date and consider them or share them with other responsible parties within our corporate group.
(3) If an employment relationship is established after the completion of the application process, we collect additional data about you (e.g., certificate of good conduct, social insurance data, tax data) from the responsible authorities (e.g., agencies, social security carriers, tax administration) to establish the employment relationship. This may also include special categories of personal data, as far as this concerns religious affiliation for tax purposes.
(4) For applying with us, you are neither contractually nor legally obliged to provide the data. However, conducting an application process is not possible or only possible to a limited extent without communicating certain data about you. When establishing an employment relationship, you are, however, legally obliged to provide certain information (e.g., registration with social security) to comply with legal reporting and cooperation obligations. Otherwise, the establishment of the employment relationship is not possible.
The processing for the purpose of conducting application processes is carried out to decide on the establishment of an employment relationship and, after the establishment of the employment relationship, to conduct it according to § 26 Abs. 1 BDSG. Furthermore, in the case of a rejected application, the processing can take place to assert overriding legitimate interests according to Article 6 Abs. 1 lit. f GDPR. Our legitimate interest is the assertion, exercise, or defense of legal claims. As far as consent was explicitly granted in the case of a rejection of the application, to store the application data for a later date and consider it or share it with other companies, the processing takes place based on consent according to Article 6 Abs. 1 lit. a GDPR. The consent can be revoked at any time with effect for the future, without this affecting a renewed application.
(1) When you visit our profile on social networks such as "LinkedIn," "Instagram," or "Facebook," follow us, or interact with us (e.g., message, comment), the respective social media operators process personal data to provide us with aggregated information ("Page Insights"). No information is provided that allows us to track the behavior of individual users.
(2) For the processing of personal data for the purpose of providing Page Insights, we and the social media operators are jointly responsible according to Article 26 GDPR. The operators ensure the lawful collection of user data, appropriate security for the storage of data in the social network, and compliance with data protection requirements. You can assert your rights directly against the operators. Regardless, your rights are also valid against us.
(3) Furthermore, the social media operators process personal data under their own responsibility to the extent necessary for operating the social network in accordance with their respective terms of use. This is the case, for example, when you interact with our profile (e.g., comment, read, follow) and provide us with your user data (e.g., profile name, message content) from the operator. We collect this information directly from you by using the social network.
(4) The use of social networks is independent of the provision of your data; however, contacting us or visiting our profile is not possible without the operators providing us with this data.
The processing for the purpose of conducting business activities on social networks is carried out to pursue overriding legitimate interests according to Article 6 Abs. 1 lit. f GDPR. Our legitimate interests are the public representation of our company and business networking with customers, partners, prospects, and employees.
(1) For the processing of personal data for the purpose of providing Page Insights, we are jointly responsible with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn") according to Article 26 GDPR. You can find more information about the processing of your personal data as joint controllers at the following external link directly from LinkedIn: LinkedIn Joint Controller Addendum.
(2) Further information on the processing of personal data by LinkedIn as an independent controller can be found at the following external link: LinkedIn Privacy Policy.
(1) For the processing of personal data for the purpose of providing Page Insights, we are jointly responsible with Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta) according to Article 26 GDPR. You can find more information about the processing of your personal data as joint controllers at the following external link directly from Meta: Meta Controller Addendum.
(2) Further information on the processing of personal data by Meta as an independent controller can be found at the following external link: Instagram Privacy Policy.
(1) If you contact us to assert your rights as an affected person, we collect all personal data you provide in the context of the request. We process this data to ensure your identity, verify the applicability of the respective rights, implement your rights, and communicate with you.
(2) You are not legally or contractually obliged to provide your data. However, without the provision of certain information that enables identification or the implementation of your rights, processing the request may not be possible or may be limited.
The processing for the purpose of ensuring the rights of affected persons is carried out to fulfill legal obligations according to Article 6 Abs. 1 lit. c GDPR, as well as to pursue overriding legitimate interests according to Article 6 Abs. 1 lit. f GDPR. Our legitimate interest is the assertion, exercise, and defense of legal claims.
(1) If you contact us while using our services by post, email, chat, or phone, we collect the necessary information as well as the information you provide from the exchanged communication (e.g., time of the request, message content, communication participants) to process the request (see also 2.1).
(2) You are not legally or contractually obliged to provide your data. However, without providing certain information, processing a request may not be possible or may be limited. This is especially true if identification in connection with your customer account is required or if the request concerns family members in your customer account.
The processing for the purpose of business communication, unless already included in other processing operations listed, is carried out for the fulfillment of the contract according to Article 6 Abs. 1 lit. b GDPR when the affected person has entered into a contract with us. Otherwise, processing is carried out to pursue overriding legitimate interests according to Article 6 Abs. 1 lit. f GDPR. Our legitimate interests are the assertion, exercise, and defense of legal claims. For the processing of special categories of personal data (e.g., health data), Article 9 Abs. 2 lit. f GDPR applies. If explicit consent from the affected person has been obtained, processing is based on Article 6 Abs. 1 lit. a GDPR and Article 9 Abs. 2 lit. a GDPR. Consent can be revoked at any time with effect for the future.
(1) Within our company, only those individuals who are responsible for processing have knowledge of personal data.
(2) To the extent that certain activities are carried out not by us, but by commissioned service providers as processors according to Article 28 GDPR, these are considered recipients of personal data. In principle, we have selected service providers located in the EU/EEA and ensured through contractual and technical measures that processing takes place only within the EU.
(3) In certain cases, we may share personal data with third parties (e.g., laboratories, logistics service providers, partners, data protection officers, authorities, lawyers, courts) if this is necessary for processing and legally permissible.
(4) Transfer to third countries outside the EU/EEA is currently not planned and will only occur if the transfer is necessary for the purpose of processing and the requirements according to Article 44 et seq. (adequacy decision of the EU Commission according to Article 45 GDPR, suitable guarantees according to Article 46 GDPR, or an exception according to Article 49 GDPR) are met.
(1) To ensure the principle of storage limitation according to Article 5 Abs. 1 lit. e GDPR, we store personal data in a form that allows identification of affected persons only as long as necessary for the respective lawful purposes.
(2) The following retention periods have been established by us:
(3) Personal data that are processed based on consent will be deleted after the withdrawal of consent, unless continued storage is required due to retention obligations or to assert, exercise, or defend legal claims.
(4) Personal data that must be retained due to commercial or tax regulations according to § 147 AO, § 257 HGB will not be deleted before the expiry of 6 years or 10 years. Extended storage occurs for asserting, exercising, or defending legal claims, e.g., in ongoing tax, audit, or administrative proceedings.
(5) Personal data that we process for asserting, exercising, or defending legal claims will generally be deleted after 3 years (regular limitation period according to § 195 BGB); in certain cases (e.g., claims for damages), the limitation period is 10 years or 30 years from the occurrence of the claim according to § 199 BGB, with a maximum retention period of 30 years from the time of the damaging event.
Every natural person whose personal data we process generally has the following rights against us (depending on the respective conditions):
Please note that we are legally obligated to verify your identity when you assert rights against us. The same applies if you exercise your rights not yourself, but through a representative.
There is no automated decision-making in individual cases, including profiling.
Status: 27.03.2024