Privacy Policy
Last updated: 02/05/2024
The following information describes how Strategy for Health deals with personal data and the way we ensure the implementation of data protection. The following is the information pursuant to Articles 13, 14 and 21 GDPR on the processing of personal data by Strategy for Health as well as the claims and rights to which data subjects are entitled according to the data protection regulations.
This data protection declaration also applies to our websites and social media profiles. With regard to the definition of terms such as “personal data” or “processing”, we refer to Art. 4 GDPR.
Name and contact details of the responsible persons
Responsible person with regard to Art. 4 no. 7 GDPR is:
Strategy for Health GmbH
Dr. Stefan Kottmair
Managing Director
HRB 292461
Amtsgericht München
Address: Ritter-Hilprand-Str. 9, 82024 Taufkirchen DE
Phone: +49 (0)89 21526886
Email: info@strategy4h.com
Types of data, purposes of processing and categories of data subjects
Below we inform you about the type, scope and purpose of the collection, processing and use of personal data.
- Types of data that we process
Usage data (access times, websites visited, etc.), communication data (IP address, etc.).
- Purposes of processing according to Art. 13 Para. 1 c) GDPR
Optimizing the website technically and economically, enabling easy access to the website, making the website user-friendly, operating the advertising and website economically, marketing / sales / advertising, avoiding SPAM and misuse, security measures, uninterrupted, secure operation of our website.
- Categories of data subjects according to Art. 13 Para. 1 e) GDPR
Visitors / users of the website, customers, interested parties, applicants. The data subjects are collectively referred to as “users”.
Legal basis for the processing of personal data
Below we inform you about the legal basis for the processing of personal data:
- If we have obtained your consent for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a) GDPR constitutes the legal basis.
- If processing is necessary to fulfill a contract or to carry out pre-contractual measures that are carried out at your request, Art. 6 para. 1 sentence 1 lit. b) GDPR constitutes the legal basis.
- If processing is necessary to fulfill a legal obligation to which we are subject (e.g. statutory retention requirements), Art. 6 para. 1 sentence 1 lit. c) GDPR constitutes the legal basis.
- If processing is necessary to protect the vital interests of the data subject or another natural person, Art. 6 para. 1 sentence 1 lit. d) GDPR constitutes the legal basis.
- If processing is necessary to safeguard our legitimate interests or those of a third party and your interests or fundamental rights and freedoms do not outweigh this, Art. 6 para. 1 sentence 1 lit. f) GDPR constitutes the legal basis.
Disclosure of personal data to third parties and processors
Without your consent, we will never pass any data on to third parties. If we pass on data, the transfer takes place on the basis of the aforementioned legal basis, e.g. when data is passed on to online payment providers to fulfill the contract or on the basis of a court order or because of a legal obligation to disclose the data for the purposes of law enforcement, to prevent danger or to enforce intellectual property rights. We also use external service providers / processors (e.g. for web hosting of our websites and databases) to process your data. If data is passed on to an external service provider / processor as part of an order processing agreement, this is always done in accordance with Art. 28 GDPR. We carefully select our external service providers / processors, check them regularly and have been granted the right to issue instructions regarding the data. In addition, the external service providers / processors must have taken appropriate technical and organizational measures and must comply with GDPR regulations.
Data transfer to third countries
The adoption of the European General Data Protection Regulation (GDPR) created a uniform basis for data protection in Europe. Your data is therefore mainly processed by companies for which GDPR applies. If processing by third parties takes place outside the European Union or the European Economic Area, they must meet the special requirements of Art. 44 ff. GDPR. This means that processing takes place on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU or the observance of officially recognized special contractual obligations, the so-called “standard contractual clauses”. For US companies, submission to the so-called “Privacy Shield”, the data protection agreement between the EU and the USA, meets these requirements.
Deletion of data and storage period
Unless expressly stated in this data protection declaration, your personal data will be deleted or blocked as soon as you revoke your consent to the processing or the purpose for storage no longer applies or the data is no longer required for the purpose, unless further storage is required for evidence purposes or deletion conflicts with statutory retention requirements. This includes, for example, commercial law retention requirements for business letters in accordance with Section 257 (1) HGB (6 years) and tax retention requirements in accordance with Section 147 (1) AO for documents (10 years). If the prescribed retention period expires, your data will be blocked or deleted, unless the storage is still necessary for the conclusion of a contract or for the fulfillment of the contract.
Existing automated decision making
We do not use automatic decision making or profiling.
Provision of our website and creation of log files
- If you only use our website for information purposes (i.e. no registration and no other transmission of information), we only collect the personal data that your browser transmits to our server. If you would like to view our website, we collect the following data:
- IP address;
- the user’s Internet service provider;
- date and time of access;
- browser type;
- language and browser version;
- content of the call;
- time zone;
- access status / HTTP status code;
- amount of data;
- websites from which the request comes;
- operating system.
This data is not stored together with other personal data of yours.
- This data is used to deliver a user-friendly, functional and secure website to you with meaningful functions and content. It is also used for optimization and statistical evaluation.
- The legal basis for this is our legitimate interest in data processing according to Art. 6 para. 1 sentence 1 lit. f) GDPR.
- For security reasons, we store this data in server log files for a storage period of days. After this period, these are automatically deleted, unless we need to keep them for evidence purposes in the event of attacks on the server infrastructure or due to other legal violations.
Cookies
- We use so-called cookies when you visit our website. Cookies are small text files that your internet browser stores on your computer. When you visit our website again, these cookies provide information in order to automatically recognize you. Cookies also include the so-called “user IDs”, where user information is saved using pseudonymized profiles. When you visit our website, we will inform you by means of a reference to our data protection declaration about the use of cookies for the aforementioned purposes and how you can object to them or prevent them from being saved (“opt-out”). A distinction is made between the following types of cookies:
- Necessary, essential cookies: Essential cookies are cookies that are absolutely necessary for the operation of the website in order to use certain functions of the website such as logins, shopping cart or user input e.g. to save the language of the website.
- Session cookies: Session cookies are required to recognize multiple uses of an offer by the same user (e.g. if you have logged in to determine your login status). If you call up our page again, these cookies provide information in order to automatically recognize you. The information obtained in this way is used to optimize our offers and to make it easier for you to access our site. If you close the browser or log out, the session cookies are deleted.
- Persistent cookies: These cookies remain stored even after the browser is closed. They are used to save the login, for reach measurement and for marketing purposes. These are automatically deleted after a specified period, which may differ depending on the cookie. You can delete the cookies at any time in the security settings of your browser.
- Cookies from third-party providers (third-party cookies, in particular from advertisers): You can configure your browser settings according to your wishes and e.g. refuse to accept third-party cookies or all cookies. However, we would like to point out that you may not be able to use all functions of this website. Read more about these cookies in the respective data protection declarations of the third-party providers.
- Data categories: user data, cookie, user ID (especially the pages visited, device information, access times and IP addresses).
- Purposes of processing: The information obtained in this way serves the purpose of technically and economically optimizing our web offers and to provide you with easier and more secure access to our website.
- Legal basis: If we process your personal data with the help of cookies based on your consent (“opt-in”), then Art. 6 para. 1 sentence 1 lit. a) GDPR is the legal basis. Otherwise, we have a legitimate interest in the effective functionality, improvement and economic operation of the website, in which case Art. 6 para. 1 sentence 1 lit. f) GDPR is the legal basis. The legal basis is also Art. 6 para. 1 sentence 1 lit. b) GDPR, if cookies are used for contract initiation, e.g. placement of orders.
- Storage period / deletion: The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
- Cookies are otherwise stored on your computer and transmitted from there to our site. As a user, you therefore have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website to their full extent. Below you can find information on deleting cookies by browser:
- Chrome: https://support.google.com/chrome/answer/95647
- Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac
- Firefox: https://support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschen
- Internet Explorer: https://support.microsoft.com/de-at/help/17442/windows-internet-explorer-delete-manage-cookies
- Microsoft Edge: https://support.microsoft.com/de-at/help/4027947/windows-delete-cookies
- Objection and “opt-out”: You can generally prevent the storage of cookies on your hard drive, regardless of your consent or legal permission, by selecting “do not accept cookies” in your browser settings. However, this can result in a functional restriction of our offers. You can object to the use of third-party cookies for advertising purposes by opting out via this American website (https://optout.aboutads.info) or this European website (http://www.youronlinechoices.com/de / preference management /).
Contact via contact form / e-mail / fax / post
- When contacting us via contact form, fax, post or e-mail, your data will be processed for the purpose of processing the contact request.
- The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a) GDPR if you have given your consent. The legal basis for the processing of data transmitted in the course of a contact request or e-mail, letter or fax is Art. 6 para. 1 sentence 1 lit. f) GDPR. The controller has a legitimate interest in the processing and storage of the data in order to be able to answer user inquiries, to preserve evidence for liability reasons and, if necessary, to comply with its statutory retention obligations for business letters. If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.
- We may store your details and contact request in our customer relationship management system (“CRM system”) or a comparable system.
- The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with you has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. We store inquiries from users who have an account or contract with us for a period of two years after termination of the contract. In the case of statutory archiving obligations, the deletion takes place after their expiry: end of commercial law (6 years) and tax law (10 years) retention obligation.
- You have the possibility to revoke your consent to the processing of personal data at any time in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. If you contact us by e-mail, you can object to the storage of your personal data at any time.
Contacting us by telephone
- When contacting us by telephone, your telephone number will be processed in order to handle the contact request and will be temporarily stored or displayed in the RAM / cache of the telephone device / display. The storage takes place for liability and security reasons in order to be able to provide proof of the call and for economic reasons in order to enable a callback. In the event of unauthorized advertising calls, we block the telephone numbers.
- The legal basis for the processing of the telephone number is Art. 6 para. 1 sentence 1 lit. f) GDPR. If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.
- The device cache stores the calls per day and successively overwrites or deletes old data; when the device is disposed of, all data is deleted and the memory may be destroyed. Blocked telephone numbers are checked annually to see whether they need to be blocked.
- You can prevent the telephone number from being displayed by calling with the telephone number suppressed.
Presence in social media
- We maintain profiles or fan pages in social media. When you use and access our profile in the respective network, the respective data protection notices and terms of use of the respective network apply.
- Data categories and description of data processing: usage data, contact data, content data, inventory data. Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are generally stored on the user’s computer, in which the user’s usage behavior and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them). For a detailed description of the respective forms of processing and the opt-out options, please refer to the data protection declarations and information provided by the operators of the respective networks. In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
- Purpose of processing: communication with the users connected and registered on the social networks; information and advertising for our products, offers and services; external presentation and image cultivation; evaluation and analysis of the users and content of our presence in the social media.
- Legal basis: The legal basis for the processing of personal data is our legitimate interest in the above purposes in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If you have given us or the controller of the social network consent to the processing of your personal data, the legal basis is Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 7 GDPR.
- Data transfer/recipient category: social network. Insofar as the US providers are certified under the Privacy Shield Agreement (https://www.privacyshield.gov/EU-US-Framework), it is ensured that European data protection law is complied with.
- The data protection notices, information options and opt-out options of the respective networks / service providers can be found here:
- LinkedIn (Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy Policy: https://www.linkedin.com/legal/privacy-policy, Cookie Policy and Opt-Out: https://www.linkedin.com/legal/cookie-policy, Privacy Shield of the US company LinkedIn Inc.
Social media plug-ins
- We use social media plug-ins from social networks on our website. We use the so-called “two-click solution” Shariff from c’t or heise.de: https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html; Service provider: Heise Medien GmbH & Co. KG, Karl-Wiechert-Allee 10, 30625 Hannover, Germany; Privacy Policy: https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html.
- Data category and description of data processing: usage data, content data, inventory data. When our website is accessed, no personal data is transmitted to the third-party providers of the social plug-ins by “Shariff”. Next to the logo or brand of the social network you will find a slider with which you can activate the plug-in by clicking on it. This activation constitutes your consent in the form that the respective provider of the social network receives the information that you have accessed our website and your personal data is transmitted to the provider of the plug-in and stored there. These are so-called third party cookies. Some providers, such as Facebook and XING, state that your IP is anonymized immediately after collection. The plug-in provider stores the data collected about the user as usage profiles. You can revoke your consent at any time by deactivating the slider.
- Purpose of data processing: improvement and optimization of our website; increasing our visibility via social networks; possibility of interaction with you and users among each other via social networks; advertising, analysis and/or demand-oriented design of the website.
- Legal basis: The legal basis for the processing of personal data is our legitimate interest in the above purposes pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR. If you have given us or the controller of the social network consent to the processing of your personal data, the legal basis is Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 7 GDPR. In the case of pre-contractual inquiries or when using your personal data to fulfill a contract, Art. 6 para. 1 sentence 1 lit. b) GDPR is the legal basis.
Data protection for applications and in the application process
- Applications sent electronically or by post to the person responsible will be processed electronically or manually for the purpose of handling the application procedure.
- We expressly point out that application documents with “special categories of personal data” according to Art. 9 GDPR (e.g. a photo that allows conclusions to be drawn about your ethnic origin, religion or marital status), with the exception of a possible severe disability, which you wish to disclose of your own free will, are undesirable. You should submit your application without this data. This will have no effect on your chances as an applicant.
- The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR and § 26 BDSG n.F.
- If an employment relationship is entered into with the applicant after completion of the application procedure, the applicant data will be stored in compliance with the relevant data protection regulations. If you are not offered a position after completion of the application procedure, your submitted letter of application including documents will be deleted 6 months after the rejection has been sent in order to be able to meet any claims and obligations to provide evidence under the AGG.
Rights of the data subject
- Objection or revocation against the processing of your data
If the processing is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a), Art. 7 GDPR, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
Insofar as we base the processing of your personal data on the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR, you can object to the processing. This is the case if, in particular, the processing is not necessary for the performance of a contract with you, which is described by us in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either discontinue or adapt the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue the processing.
You can object to the processing of your personal data for advertising and data analysis purposes at any time. You can exercise your right to object free of charge. You can inform us of your objection to advertising using the following contact details:
Strategy for Health GmbH
Address: Ritter-Hilprand-Str. 9, 82024 Taufkirchen DE
Phone: +49 (0)89 21526886
Email: info@strategy4h.com
- Right to information
You have a right to information about your personal data stored by us in accordance with Art. 15 GDPR. This includes, in particular, information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data if it was not collected directly from you.
- Right to rectification
You have a right to rectification of inaccurate data or to completion of correct data in accordance with Art. 16 GDPR.
- Right to erasure
You have the right to erasure of your data stored by us in accordance with Art. 17 GDPR, unless statutory or contractual retention periods or other statutory obligations or rights to further storage prevent this.
- Right to restriction
You have the right to request the restriction of the processing of your personal data if one of the conditions in Art. 18 para. 1 lit. a) to d) GDPR is met:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
- if you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
- Right to data portability
You have a right to data portability in accordance with Art. 20 GDPR, which means that you can receive the personal data we have stored about you in a structured, commonly used and machine-readable format or request that it be transferred to another controller.
- Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement.