Privacy policy - Ello by Voss healthcare

Information notice on the Processing of Your Personal Data

Controller Responsible for Data Processing: The controller responsible for data processing on this website, its associated social media presences, and other specified processing activities is:

VOSS healthcare GmbH
Jülicher Str. 306
52070 Aachen

Phone: +49 241 510 056 22
E-Mail: info@voss-healthcare.net

We are not legally obliged to appoint a data protection officer.

On What Legal Basis Is Your Data Processed?

In principle, the processing of personal data is prohibited by law unless permitted under one of the following legal bases:

Art. 6(1)(a) GDPR ("Consent"): When the data subject has voluntarily, informedly, and unambiguously indicated their consent to the processing of their personal data for one or more specific purposes.
Art. 6(1)(b) GDPR: When processing is necessary to perform a contract to which the data subject is a party, or for the implementation of pre-contractual measures at the request of the data subject.
Art. 6(1)(c) GDPR: When processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., statutory retention obligations).
Art. 6(1)(d) GDPR: When processing is necessary to protect the vital interests of the data subject or another natural person.
Art. 6(1)(e) GDPR: When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Art. 6(1)(f) GDPR ("Legitimate Interests"): When processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject (especially if the data subject is a minor).

The storage of information on or access to information already stored on the user's device is

permissible only if justified by one of the following legal grounds:

§ 25(1) TTDSG: When the end user has consented on the basis of clear and comprehensive information. Consent must be obtained in accordance with Art. 6(1)(a) GDPR.
§ 25(2)(1) TTDSG: When the sole purpose is to transmit a message over a public telecommunications network.
§ 25(2)(2) TTDSG: When storage or access is strictly necessary to provide a telemedia service explicitly requested by the user.

For the processing activities we undertake, we specify the applicable legal basis in each case. Processing may also rely on multiple legal bases.

To Whom Is Your Data Disclosed?

Your personal data is disclosed to third parties only if: 1 It is necessary to perform a contract with you, 2 The disclosure is permitted based on a legitimate interest under Art. 6(1)(f) GDPR, or 3 We are legally required to do so. If you express interest in our products and consent to the disclosure of your data, we may share your contact information with a local specialist retailer.

What Are Your Rights as a Data Subject?

You may assert the following rights regarding your personal data at any time by contacting us using the details provided under "Controller Responsible for Data Processing":

1 Right to Access (Art. 15 GDPR): Request access to your personal data and information about its processing purposes, data categories, recipients, storage duration, and more.
2 Right to Rectification (Art. 16 GDPR): Request the correction of inaccurate or incomplete personal data stored by us.
3 Right to Erasure (Art. 17 GDPR): Request the deletion of your data, provided that its processing is not required to exercise the right to freedom of expression, comply with legal obligations, serve the public interest, or establish, exercise, or defend legal claims.

4 Right to Restriction of Processing (Art. 18 GDPR): Request the restriction of data processing, for instance, if you dispute its accuracy or the processing is unlawful.
5 Right to Data Portability (Art. 20 GDPR): Request your data in a structured, commonly used, and machine-readable format, or its transfer to another controller.
6 Right to Object (Art. 21 GDPR): Object to the processing of your data based on Art. 6(1)(e) or (f) GDPR, particularly if not required for contract fulfillment. For objections unrelated to direct marketing, please explain your reasons for objecting.
7 Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw previously given consent at any time, which will prevent further data processing based on that consent.
8 Right to Lodge a Complaint (Art. 77 GDPR): File a complaint with a data protection authority about our processing of your personal data.

Data Deletion and Storage Duration

We specify the storage duration for each processing activity. If no explicit duration is stated, your data will be deleted or the data processing is restricted once the purpose or legal basis for processing ceases to apply.

Storage beyond this period may occur if: Legal retention periods apply (e.g., § 257 HGB, § 147 AO), or Storage is necessary for the establishment, exercise or defence of legal claims.

When such legal retention periods expire, your data will be deleted or or the data processing is restricted unless further storage is necessary and legally justified.

Purpose of Data Processing

Contact and Customer Data Processing When you contact us via email, phone, or contact form,your personal data (e.g., name, inquiry) is stored and processed to handle your request. This data will not be shared without your consent.

Processing is based on: Art. 6(1)(b) GDPR: For inquiries related toiInitiation, establishment, substantive arrangement, or modification of a legal relationship.

Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR: For consent-based promotional contact (e.g., postal, phone, or electronic communications) involving special categories of personal data.

Art. 6(1)(f) GDPR: For our legitimate interest in efficiently handling your inquiries.

Your data remains with us until you request its deletion, withdraw consent, or the purpose for storage ceases. Legal retention obligations remain unaffected.

Application Process

We provide you with the opportunity to apply to us (e.g., via email or by post). Below, we inform you about the scope, purpose, and use of the personal data collected during the application process. We assure you that the collection, processing, and use of your data comply with applicable data protection laws and all other legal provisions, and that your data will be treated with strict confidentiality.

If you submit an application to us, we process your associated personal data (e.g., contact and communication details, application documents, notes from interviews, etc.) insofar as this is necessary to make a decision regarding the establishment of an employment relationship. The legal basis for this is Section 26 BDSG under German law (initiation of an employment relationship), Article 6(1)(b) GDPR (general contract initiation), and – if you have given your consent – Article 6(1)(a) GDPR. Consent can be withdrawn at any time with future effect. Your personal data will only be shared within our organization with individuals involved in processing your application.

If your application is successful, the data you have submitted will be stored in our data processing systems for the purpose of implementing the employment relationship on the basis of Section 26 BDSG and Article 6(1)(b) GDPR.

If we cannot offer you a position, if you reject a job offer, or if you withdraw your application, we reserve the right to retain the data you have submitted for up to six months from the end of the application process (rejection or withdrawal of the application) based on our legitimate interests (Article 6(1)(f) GDPR). After this period, the data will be deleted, and physical application documents will be destroyed. Retention serves as evidence in the event of a legal dispute.

If it becomes apparent that the data will be required beyond the six-month period (e.g., due to a pending or anticipated legal dispute), deletion will only take place once the purpose for extended retention no longer applies.

Longer retention may also occur if you have given your consent (Article 6(1)(a) GDPR) or if statutory retention obligations prevent deletion.

Images and Recordings

How do we process and publish your images?

The data controller processes the recordings and intends to use them in any form, scope, and frequency for advertising purposes and publications.

The recordings may be published in the intranet, printed media (e.g., press articles, promotional brochures), on the controller's own websites, and on third-party platforms.

Information published on the internet is globally accessible. The recordings may be copied, stored, reproduced, combined, or modified by third parties, indexed by search engines, and linked to other information. They may also be retrieved via archival services, even after we have removed or altered the content.

Which third-party providers do we use for publication?

Recordings may be published on third-party platforms, so-called social media profiles. Planned publication or transfer of recordings includes the following providers, whose privacy policies can be found at the respective links:

Google Ireland Ltd., 4 Barrow Street, Dublin, Irland
https://policies.google.com/privacy?hl=de
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin, Irland
https://help.instagram.com/519522125107875
https://de-de.facebook.com/policy
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin, Irland
https://www.linkedin.com/legal/privacy-policy

What legal basis do we apply?

Legal basis for processing The legal basis for publishing your personal data, as well as image and/or audio recordings, is your consent pursuant to Article 6(1)(a) GDPR.

How long are the data stored?

Personal image and audio recordings are deleted as soon as they are no longer required for the purposes stated above, or if you revoke your consent. However, personal data may be retained for the duration of the statutory limitation period (three years) if legal claims against our company could arise. Documentation obligations may also arise under the German Copyright Act.

Server Log Files

Each request, i.e., each page visit, automatically generates information stored in server log files. These include:

Your IP address
Date and time of the request
Address of the requested page or file
Data volume transferred (in bytes)
Success or error code of the request ("status code")
Identification of your web browser (e.g., browser type, version, and operating system; "User-Agent" header)
Referring page that led you to our site (if applicable)

The information for the last two points is automatically sent by your web browser. You may disable this in your browser settings. These server log file data are not associated with specific individuals. They are not combined with other data sources. Evaluation occurs solely to ensure the proper functioning of our website and to identify potential issues. We reserve the right to review these data retroactively if concrete indications of unlawful use become known. Processing is based on our legitimate interests (Article 6(1)(f) GDPR). Server log files are automatically deleted after an appropriate period.

Consent with Complianz

Our website uses the consent management tool provided by Complianz to obtain and document your consent for the storage of certain cookies or the use of specific technologies. The provider of this technology is Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands.

Complianz is hosted on our servers, so no connection to the provider's servers is established. Complianz stores a cookie in your browser to associate your consents or their withdrawal with you. These data are stored until you request deletion, delete the Complianz cookie yourself, or the purpose for storage no longer applies. Statutory retention obligations remain unaffected.

The use of Complianz serves to obtain legally required consents for the use of cookies. The legal basis is Article 6(1)(c) GDPR.

Google Tag Manager

We use Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or analytics tools and other technologies into our website. Google Tag Manager itself does not create user profiles, store cookies, or perform independent analytics. It serves solely to manage and deploy the tools integrated through it. However, Google Tag Manager does process your IP address, which may also be transmitted to Google’s parent company in the United States.

The use of Google Tag Manager is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and easy integration and management of various tools on the website. If consent has been requested, processing is carried out exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) under TTDSG. Consent can be withdrawn at any time.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards for data processing in the United States. Companies certified under the DPF are obligated to adhere to these data protection standards. Further information can be found at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active. https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

Google Analytics

This website uses features of the web analytics service Google Analytics, provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Anbieter ist die Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Irland.

Google Analytics allows the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, time spent on the site, operating systems used, and user origins. These data are associated with the user’s device. No association with a user ID occurs.

Additionally, Google Analytics can record mouse and scroll movements, as well as clicks. Google Analytics also employs modeling approaches to supplement collected data and uses machine learning technologies for data analysis.

Google Analytics uses technologies that enable the recognition of users for the purpose of analyzing their behavior (e.g., cookies or device fingerprinting). Information collected by Google about the use of this website is generally transmitted to and stored on a Google server in the United States.

The use of this service is based on your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG. Consent can be withdrawn at any time with future effect.

Data transfers to the United States are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. https://privacy.google.com/businesses/controllerterms/mccs/.

More information on the handling of user data by Google Analytics can be found in Google’s Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=en. https://support.google.com/analytics/answer/6004245?hl=de.

Google Analytics E-Commerce Measurement

This website uses the “E-Commerce Measurement” feature of Google Analytics. This feature allows the website operator to analyze the purchasing behavior of website visitors to improve online marketing campaigns. Data such as completed orders, average order values, shipping costs, and the time between viewing and purchasing a product are collected. These data may be aggregated by Google under a transaction ID, which is associated with the respective user or their device.

Newsletter

If you would like to subscribe to the newsletter offered on our website, we require an email address and information that allows us to verify that you are the owner of the specified email address and consent to receiving the newsletter. No additional data will be collected, or only on a voluntary basis. We use this data exclusively for sending the requested information and do not disclose it to third parties.

The processing of the data entered into the newsletter registration form is based solely on your consent (Article 6(1)(a) GDPR). You may revoke your consent to the storage of your data, email address, and its use for sending the newsletter at any time, for example, via the "Unsubscribe" link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and deleted after you cancel your subscription. Data that we have stored for other purposes remain unaffected.

We Maintain Publicly Accessible Profiles on Social Networks

This privacy policy applies to our social media presences on Facebook, LinkedIn, Instagram, and YouTube. Facebook, LinkedIn, Instagram und YouTube.

Social networks can usually analyze your user behavior extensively when you visit their websites or a website with integrated social media content (e.g., Like buttons or ad banners). Visiting our social media profiles triggers numerous data processing operations relevant to data protection.

Specifically: If you are logged into your social media account and visit our profile, the operator of the social media platform can associate this visit with your user account. Your personal data may also be collected in certain circumstances even if you are not logged in or do not have an account with the respective social media platform. This data collection occurs, for example, through cookies stored on your device or by recording your IP address.

The data collected in this manner allows social media platform operators to create user profiles that include your preferences and interests. This enables interest-based advertising to be displayed both within and outside the social media platform. If you have an account with the respective social network, interest-based advertising may be displayed on all devices where you are logged in or have been logged in.

Please note that we cannot track all processing activities on the social media platforms. Depending on the provider, additional processing activities may therefore be carried out by the operators of the social media platforms. For details, please refer to the terms of use and privacy policies of the respective social media platforms.

Our social media appearances aim to ensure the broadest possible presence on the internet. This constitutes a legitimate interest pursuant to Article 6(1)(f) GDPR. The analysis processes initiated by social networks may rely on differing legal bases, which the operators of the social networks must specify (e.g., consent under Article 6(1)(a) GDPR).

When you visit one of our social media profiles, we are jointly responsible with the social media platform operator for the data processing triggered during your visit. You can assert your rights (e.g., access, rectification, deletion, restriction of processing, data portability, and complaints) both against us and the operator of the respective social media platform (e.g., Facebook).

Please note that despite joint responsibility with social media platform operators, we do not have full influence over their data processing activities. Our options are primarily determined by the corporate policies of the respective provider.

Data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to its storage, or the purpose for its storage no longer applies. Cookies stored on your device remain there until you delete them. Mandatory statutory provisions—especially retention periods—remain unaffected.

We have no influence on the storage duration of your data that is stored by social network operators for their purposes. For details, please consult the privacy policies of the respective social networks (see links below).

Instagram: We maintain a profile on Instagram. This service is provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Data transfers to the United States are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/ und https://de-de.facebook.com/help/566994660333381.

Details about their handling of your personal data can be found in Instagram’s privacy policy: https://privacycenter.instagram.com/policy/. https://privacycenter.instagram.com/policy/.

LinkedIn: We maintain a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfers to the United States are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. https://www.linkedin.com/legal/l/dpa und https://www.linkedin.com/legal/l/eu-sccs.

For information on how LinkedIn handles your personal data, please refer to their privacy policy: https://www.linkedin.com/legal/privacy-policy. https://www.linkedin.com/legal/privacy-policy.

Facebook

We maintain a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter "Meta"). According to Meta, the data collected is also transferred to the United States and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement determines which data processing operations we or Meta are responsible for when you visit our Facebook Page.

You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your ad settings independently within your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads. https://www.facebook.com/settings?tab=ads.

Data transfers to the United States are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. https://de-de.facebook.com/help/566994660333381.

Details entnehmen Sie der Datenschutzerklärung von Facebook: For further details, please refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy/..

YouTube

We maintain a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how YouTube handles your personal data, please refer to their privacy policy: https://policies.google.com/privacy?hl=en. https://policies.google.com/privacy?hl=de.