Data protection guidelines for clients and other parties concerned
With the following information, we wish to give you an overview of the processing of your personal data and your rights under data protection law.
Who is in charge of data processing and whom can I contact?
opseo Holding B.V.
legally represented by managing directors Holger Eden and Simon Faiss
Tel.: +49 6142 94 290-0
Fax: +49 6142 94 290-28
What sources and data do we use?
We process personal data that we receive from our clients and business partners in the framework of our business relationships. We also process personal data (as far as is necessary to provide our service) that we permissibly collect from publicly accessible sources (e.g., lists of debtors, land registers, commercial register, list of associations, the press, the Internet) or that are legally forwarded to us by other companies and/or third parties (e.g., a credit agency).
Relevant personal data include data on the person (name, address and other contact details, date/place of birth and nationality), legitimation data (e.g., ID data, tax ID number, pension insurance number, etc.) and order data (e.g., payment order). This data can also stem from our discharging our contractual duties, information on your financial status (e.g., on creditworthiness, scoring or rating data), credit-relevant data (e.g., income and expenditure), documentation data (e.g., minutes of advisory sessions) and other comparable data from the above categories. Moreover, data is gathered from health and care insurers, doctors providing treatment, and hospitals.
Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in line with the stipulations of the EU General Data Protection Regulation (GDPR) and the Federal German Data Protection Act (BDSG):
- to fulfill contractual duties (Article 6[b] GDPR).
Data is processed in order to fulfill and/or provide the contractual duties between the care service (...) GmbH and our business partners and clients. This also extends to logistics companies, mail-order companies, information agencies, lawyers and other business partners required to fulfill and assert such contracts. This includes forwarding personal information such as name, address, date of birth, invoices, and other invoicing and financial data such as tax ID no., commercial registry entry no., etc. In the context of our services, we also exchange/obtain data from/with health and care insurers, and health data from/with doctors and hospitals.
- In the framework of a balance of interests (Article 6[f] GDPR).
To the extent necessary, we process your data over and above fulfilling the contract proper to preserve the justified interests of ourselves or third parties. Examples include consulting or exchanging data with information agencies, bringing legal claims and defending in litigation, preventing or clarifying criminal acts, corporate management measures, and advancing products and services.
- On the basis of your consent (Article 6[a] GDPR).
Should you have given us your consent to process personal data for certain purposes (e.g., to send you information, submit offers to you, etc.), this processing is lawful on the basis of your consent. A consent granted can be revoked at any point. This also applies to revoking declarations of consent that were granted to us before GDPR applied, i.e., before May 25, 2018. Revocation of the consent will only apply for the future and does not affect the legality of the data processed prior to revocation.
Who gets my data?
Inside the opseo Holding B.V. care service, access to your data is given to those sections and/or persons that need it to fulfill their contractual duties, issue invoices and bring claims arising from the business relationship.
Moreover, personal data for the purposes of fulfilling the contract and providing our service may be obtained from other business partners necessary for the service provision, for example health and care insurers, doctors and hospitals, pharmacies, suppliers, logistics companies, information agencies, debt registers, and the like. Other data recipients are those agencies for which you gave us consent to transfer data and/or to which we are authorized to send personal data on the basis of a balance of interests.
Are data sent to a third-party country or an international organization?
In principle, no personal data is transferred to countries outside the European Union (so-called third-party countries) unless this is prescribed by law (e.g., fiscal registration duties) or you have consented to this.
For how long will my data be stored?
We process and store your personal data as long as this is necessary to fulfill our contractual and statutory duties. If data are no longer required to fulfill these duties, they are regularly deleted, unless their further processing, limited in time, is necessary for the following purposes:
- Fulfillment of retention obligations under trade or fiscal laws that can arise from: German Commercial Code (HGB), Tax Code (AO). The retention and/or documentation periods stated there are as a rule 2-10 years.
- Retention of evidence as part of regulations on the statute of limitations. According to sections 195 ff. of the German Civil Code (BGB), the period of limitation can be up to 30 years, whereby the regular limitation period is three years.
- Fulfillment of retention duties under social welfare laws, as a rule 10 years.
What data privacy rights do I have?
Every person concerned has the right to information as per Article 15 GDPR, the right to rectification as per Article 16 GDPR, the right to deletion as per Article 17 GDPR, the right to restricted processing as per Article 18 GDPR, the right to objection as per Article 21 GDPR, and the right to data transferability as per Article 20 GDPR. In the case of rights of information and deletion, the limitations as per sections 34 and 35 of BDSG apply. Furthermore, there is a right to file complaints with a competent data protection supervision authority (Article 77 GDPR together with section 19 BDSG).
You can at any time revoke consent granted to us to process personal data. This also applies to revoking declarations of consent issued to us prior to GDPR coming into force, meaning before May 25, 2018. Please note that the revocation only applies to the future and does not affect the legality of the data processed prior to revocation.
Am I obliged to provide data?
As part of our business relationships, you must provide those personal data that are necessary to initiate, carry out and terminate a business relationship and to fulfill the associated contractual duties, or which we are obliged by law to gather. In the absence of these data, we will as a rule not conclude a contract with you, execute it or terminate it.
To what extent is automated decision-making involved?
To lay the foundations for and execute business relationships, we in principle do not use fully automated decision-making tools as per Article 22 GDPR. We will inform you should we make use of such methods in individual cases, and we will inform you separately of your rights in this regard to the extent this is stipulated by law.