Dear Sir or Madam,
Data protection is important to us and we take it very seriously. We attach great importance to working with you on the basis of mutual trust and pay particular attention to responsible treatment of your personal data.
In accordance with the requirements of the General Data Protection Regulation (GDPR), this data protection notice is to inform you about how your personal data is processed by the Sartorius Group and your rights.
Sartorius AG, Parent Company of
Essen Bioscience and IntelliCyt
Responsible entity ("Controller"):
Otto Brenner Strasse 20
Phone: +49 551 308 0
Email: [email protected]
You can reach our Data Protection Officer at:
We process personal data which we receive from you in the course of our business relationship with you. We receive the data directly from you, e.g. in the context of enquiries, orders, periodical or newsletter subscriptions, or through personal contact with our employees. To the extent necessary to provide our service, we also process your personal data which we permissibly obtain from publicly accessible sources (e.g. commercial registers, association directories, press, internet) or which are transferred to us legitimately by other companies in the Sartorius Group (see Annex 1).
Specifically, we process the following data (among other data):
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz – BDSG). The following section explains the legal basis for processing your data.
3.1 To perform a contract (Art. 6(1)b GDPR)
We process data to perform a contract with you or to take steps at your request prior to entering into a contract. In detail, the purposes of data processing depend on the specific business relationship with you or the specific commission.
3.2 In connection with our legitimate interests, after consideration of your interests (Art. 6(1)f GDPR)
If necessary we process your data beyond actual performance of the contract to protect legitimate interests of ourselves or a third party. This is done for the following purposes, among others:
Our interest in processing arises out of the specific purposes and is otherwise commercial in nature (efficient performance of tasks, sales, avoiding legal risks). Where the specific purpose permits, we process your data in pseudonymised or anonymised form.
3.3 Based on your consent (Art. 6(1)a GDPR)
If you have given your consent to the processing of personal data for specific purposes, this consent is the legal basis for the processing as described.
This applies specifically to
You can withdraw consent at any time. This also applies to withdrawal of consent given before entry into force of the GDPR, i.e. before 25 May 2018. Withdrawal of consent is only effective for future processing.
3.4 Based on legal requirements (Art. 6(1)c GDPR)
We are subject to various legal obligations, e.g. the Medical Devices Act, Industrial Code, Commercial Code. Purposes for processing include
Your data is transferred within the Sartorius Group if necessary to perform our contractual and statutory obligations or if the internal organisation makes this necessary (e.g. central financing accounting, sales and marketing, logistics). Within the Sartorius Group, appropriate measures in accordance with statutory requirements have been taken to protect your personal data.
We do not forward your personal data to third parties (entities the Sartorius Group) without your prior consent or a legal basis for doing so. A legal obligation is particularly relevant for the following recipients:
We further use various service providers (processors within the meaning of Art. 28 GDPR), which we bind contractually in accordance with the requirements of the GDPR and whose compliance we monitor. These include companies in the fields of IT services, printing services, telecommunications, debt collection, consulting and sales and marketing. Processors may only use personal data in accordance with our instructions and for the specific purpose.
An exception to this is onward transfer to service providers such as a package delivery service or forwarding agent, if the transfer is necessary for processing orders or delivering goods. Logistics service providers receive the data necessary for delivery for their own processing. We restrict ourselves to transferring only the data necessary for delivery.
We only transfer your data to states outside the European Economic Area (third countries) to the extent
If we transfer your data to a third country or an international organisation, this is done in accordance with the requirements of the GDPR. In addition, in accordance with the principle of data minimisation we only transfer data which is restricted to the necessary minimum.
In some cases we use service providers whose registered office, parent company or sub-provider are domiciled in a third country. Your data is only transferred then if the European Commission has decided that there is an adequate level of protection in a third country (Art. 45 GDPR), suitable guarantees have been given (e.g. by standard clauses published by the European Commission) and you as a data subject have enforceable rights and effective legal support. We have contractually settled compliance with the EU General Data Protection Regulation and its requirements with the service provider.
So far as necessary, we only process your personal data for the duration of the business relationship, including initiating and completing this together with compliance with statutory retention periods.
If the data are no longer required to perform contractual or statutory obligations, they are erased, unless there are legal obligations of the responsible entity which count against erasure. This can be the case for the following purposes, among others:
Within the framework of our business relationship you must provide the personal data required for initiation and completion of the business relationship and compliance with the associated contractual obligations, or which we are legally obliged to collect. Without these data we will generally not be able to enter into a business relationship with you and comply with the resulting obligations.
There is no automated individual decision-making, including profiling.
You are welcome to request information from us on our processing of your personal data, in accordance with Art. 15 GDPR. If your information is not (is no longer) accurate, you can require rectification (Art. 16 GDPR), and if your data are incomplete you can require completion. If we have transferred your information to third parties, we inform these third parties of your rectification – if required by law.
In accordance with Art. 17 GDPR you can require erasure of your personal data if
Please note that legal obligations on the controller may mean that your data cannot be erased until expiration of a required period or at all.
You also have the right to restrict processing under Art. 18 GDPR, the right to object under Art. 21 GDPR and the right to data portability under Art. 20 GDPR. The right to information and the right to erasure are subject to restrictions under Arts 34, 35 GDPR. In addition there is a right to complain to a responsible data protection supervisory authority (Art. 77 GDPR in combination with section 19 BDSG).
Individual right of objection
On grounds relating to your particular situation, you have the right to object to processing of personal data relating to you which is done on the basis of Art. 6(1)f GDPR (processing for reasons of overriding interest) at any time; this also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR. If you object, we will no longer process your personal data, unless we can show legitimate grounds for processing which override your interests, rights and freedoms or the processing is for the purpose of asserting, exercising or defending legal claims.
Right to object to processing of data for purposes of direct marketing
We can also use your data for direct marketing within the framework of legal provisions. You have the right to object at any time to the processing of your personal data for purposes of direct marketing; this also applies to profiling, if this is in connection with such direct marketing. If you object to processing for purposes of direct marketing we will no longer process your personal data for these purposes. No special form is required for the objection. You can find our contact data under (1) above.