1. Data controller
The Data Controller as defined in the GDPR is:
Leica Eyecare GmbH, Auf dem langen Furt 27, 35452 Heuchelheim, Germany
Telephone: +49 (0)6441 565 40 41-00
Email: firstname.lastname@example.org
Managing Director: Jörg Bauer
You can reach our data protection officer at the above postal address and at the following email address: email@example.com
2. Automated data processing
When you access our website, your personal device automatically provides the data necessary for technical reasons to establish a connection and retrieve the embedded content requested (e.g. text, images, videos, product information and files available for download). This data includes:
• The IP address or device ID assigned to the personal device,
• The type of personal device,
• The browser type/version,
• The operating system used,
• The page accessed,
• The page previously visited (referrer URL),
• The date and time of the server query,
• The HTTP status code.
The purpose of collecting and processing information is to provide you with our website content and to provide you with the features and services associated with our website.
We store this data for the following purposes:
• To safeguard the security of our IT systems, for example to defend against specific attacks on our systems and to identify attack patterns;
• To guarantee the proper operation of our IT systems, for example, when errors occur that we can only correct by recording the IP address;
• Where there is concrete evidence of criminal activity, for law enforcement, risk prevention or legal action.
Data processing is performed on the basis of our aforementioned legitimate interests, Art. 6 (1) lit. (f) GDPR.
We retain this data for a period of 14 days. After that, we delete or anonymise the data, including the IP addresses.
The data will only be stored for longer if there is a reasonable suspicion of unlawful use based on concrete evidence, and further examination and processing of the data is necessary for this reason.
For the hosting and operation of our website we use the services of Hetzner Online GmbH, Industriestrasse 25, 91710 Gunzenhausen, with registered office in Germany (“Hetzner”). Hetzner processes your personal data for us on our behalf, i.e. exclusively in accordance with our instructions (cf. Art. 4 (8), 28 GDPR).
4. Scope, purpose and legal basis for further data processing
You can contact us using our contact form on our website. We will process your details as provided in the contact form (name, email address and free text) for the purpose of processing and responding to your contact requests. The legal basis for data processing is Art. 6 Para. 1 Sentence 1 (b) GDPR.
We also offer a B2B section on our website, which opticians can access after registering. We process your data (name, address, email address and telephone number) for the purpose of providing the B2B section and granting access. To register, you will be given a customer number and have to choose a password. The legal basis for data processing is Art. 6 Para. 1 Sentence 1 (b) GDPR.
We process your data as submitted on the order form or, in the case of a telephone order, your data as submitted over the telephone, (name and address of the customer, other contact information such as an email address, order details, payment details) for the purpose of establishing, fulfilling and completing orders. Names and addresses are provided to the transport services provider for delivery purposes. The legal basis for data processing is Art. 6 Para. 1 Sentence 1 (b) GDPR. By retaining your order details, we also fulfil our legal obligations as a medical device manufacturer to ensure the traceability of lenses for any product information and recalls, Art. 6 (1) (c) GDPR in conjunction with Art. 25 EU Medical Devices Directive.
In certain cases, we carry out credit checks to protect against non-payment and misuse. For this purpose, we send the names and addresses of customers to Euler Hermes Deutschland, a branch of Euler Hermes SA, Gasstrasse 29, 22761 Hamburg, and receive from the credit agency information about their credit ratings based on statistical methods. We store this report from the credit bureau and use the credit ratings for the automated process that makes a decision about the requested order and payment options. Automated decision-making therefore takes place per Art. 22 (2) (a) GDPR, as required for entering into or fulfilling the contract with you. You have the right to have this automated decision checked manually (such as a decision to refuse your requested payment method), to explain your own point of view and to contest the decision. To exercise your rights, please contact Leica Eyecare GmbH at the address given above or by email at firstname.lastname@example.org. The legal basis for data processing is Art. 6 Para. (1) (f) GDPR. Our legitimate interest lies in reclaiming what we are owed if we supply products in advance of payment. You have the right to object to data processing. You will find further details on your right to object below in the section on data subject rights. If you object to a credit check, it may mean we can only offer you limited payment options or decline to conclude an agreement.
Payments may be processed through group purchasing organisations, depending on the payment method selected and the arrangements made with you. In such cases, we provide certain order data (customer names and addresses, invoice amounts, bank details) to the relevant Group purchasing organisation for the purpose of processing the payment. The legal basis for the data transfer is Art. 6 (1) (b) GDPR.
Subject to your consent, we will process your name and contact details for the purpose of sending you promotional information. Details can be found in the declaration of consent. The legal basis for the data processing is Art. 6 (1) (a) GDPR. Your order will be processed by LensWare International GmbH, Robert-Bosch-Str. 32, 63225 Langen, Germany. Your customer data is managed by ISC it & software consultants GmbH, Wörnitzstrasse 115a, 90449 Nuremberg, Germany in the SugarCRM customer relationship management system. You may withdraw your consent at any time with future effect without giving reasons, for example by sending an email to email@example.com. We may contact you with promotional content even after you have withdrawn your consent during an implementation period of up to four weeks.
You are not obliged to provide us with your personal data. But if you wish to receive goods, you must provide us with the data marked as mandatory on the order form so that we can process your order and, if necessary, conclude and fulfil an agreement.
6. Data recipient
In addition to the recipients specifically mentioned in the previous sections, we may also send data to other parties who work for us under a third-party data processing agreement or to whom you have expressly consented. These are mainly companies in the categories of IT services, logistics, printing services, telecommunications, consultancy and advisory services, and sales and marketing.
Recipients of personal data may also be public authorities and other public bodies and institutions in the event of a legal or official obligation.
If the data is transferred to a third country (outside the European Union or European Economic Area), we undertake to ensure that the data is properly processed by taking precautions in accordance with Art. 44 et seq. GDPR. Either we contractually require the data recipient to comply with the level of data protection applicable within the European Union and/or the EU Commission has issued an adequacy decision confirming that the country in which the data recipient is based has a level of data protection equivalent to that in the European Union.
8. Duration of data storage
If and where necessary, we process and store your personal data for the duration of our business relationship, which includes initiating and fulfilling an agreement. In addition, we are subject to various retention and documentation requirements, including those set out in the German Commercial Code (HGB) and German Fiscal Code (AO). The storage and documentation periods under these laws are between six and ten years. Art. 25 of the EU Medical Devices Directive imposes a duty to retain data for a period of ten years so that medical devices remain traceable. Storage periods are also dictated by statutory limitation periods. Sections 195 et seqq. of the German Civil Code (BGB), for instance, generally stipulate three years.
If data has to be retained for legal reasons, its processing will be restricted. The data is then no longer available for other use.
If you have consented to receive promotional material, we will retain your information for this purpose until you withdraw your consent.
9. Cookies and similar technologies
Cookies are text files that contain information. They are stored on your personal device (computer or mobile device) when you visit or use our website. There are two basic types of cookies (called “session” and “persistent” cookies):
Session cookies are small items of information that store a randomly generated identification number called a session ID. By using session cookies, we can provide login details or shopping basket contents, etc. as a personalised default setting on your next visit, allowing you to maintain a login session, for example. A session cookie also stores information about its origin and its retention period. These cookies cannot store any other data. The cookies used are deleted when you log out of a customer account.
Persistent cookies store information that can contain personal data obtained from your browser. These data can include the following, for example: Your IP address, device type, domain, browser type and language, operating system, country and time zone, previously visited web pages, or information about how you interact with our site, such as your clickstream patterns.
According to the laws of the EU member states implementing the EU Directive 2002/58/EC on privacy and electronic communications, as amended by EU Directive 2009/136/EC, no consent is required to set or read essential cookies (see e.g. Sec. 25 (2) (1) German Teleservices Data Protection Act (TTDSG)). The legal basis for processing your personal data, which is also governed by this law, is our legitimate interest (Art. 6 (1) (f) GDPR). We have an interest in ensuring that our website remains technically accessible, secure and easy to use.
You can also visit our website without cookies. Most Internet browsers accept cookies automatically. You can prevent cookies from being stored on your computer by selecting “Do not accept cookies” in your browser settings. To find out exactly how this works, please consult your browser’s Help section. On your personal device, you can delete cookies that have already been set at any time. However, if you choose not to accept cookies, it may result in some limits in the features of our content.
10. Your rights
You are entitled to the rights set out below in relation to the processing of your personal data. In addition to the aforementioned options you can exercise your rights by sending a request by post or email to the address indicated in subparagraph 1 above.
Right of access
You have the right to request from us at any time information about your personal data that we process within the scope of Art. 15 GDPR and Sec. 34 Federal Data Protection Act (BDSG).
Right to rectification
According to Art. 16 GDPR, you have the right to ask us to rectify personal data that relates to you if it is inaccurate. In addition, you are entitled to ask us to complete any incomplete personal data.
Right to erasure
Subject to the conditions described in Art. 17 GDPR and Sec. 35 Federal Data Protection Act (BDSG), you have the right to ask us to delete your personal data.
Right to the restriction of processing
You have the right to demand that we restrict processing in accordance with Art. 18 GDPR.
Right to data portability
In accordance with Art. 20 GDPR, you have the right to obtain from us the personal data you have provided us with in a structured, standard and machine-readable format.
Right to object
In accordance with Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data on the basis of Art. 6 (1) (f) GDPR. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that the processing is necessary for the establishment, exercise or defence of legal claims.
If we process your personal data for direct marketing purposes, you have the right at any time to object to your personal data being processed for these purposes, including profiling. We will no longer process your personal data in response to your objection.
Right to withdraw consent
You have the right to withdraw your consent at any time in accordance with Art. 7 (3) (1) GDPR. Withdrawal of your consent shall not affect the lawfulness of any processing carried out on the basis of your consent prior to its withdrawal.
Right to lodge a complaint
You have the right to appeal to a supervisory authority of your choice if you believe that the processing of your personal data is in breach of applicable data protection legislation.
Data processing when exercising your rights
Finally, we would like to point out that we process the personal data you provide in order to exercise your rights under Art. 7 (3) (1) GDPR and Art. 15 to 22 GDPR for the purpose of implementing these rights and to be able to provide proof thereof as well as for the defence of legal positions, if necessary.
In this relation, we retain your data for three years after your rights as a data subject have been fully exercised. We will only retain this data for a longer period if we need to retain it for legal defence purposes. In such a case, it will be deleted after the proceedings have been concluded, subject to the statutory limitation periods.
This processing for the purpose of implementation and proof of legally compliant implementation relies on the legal basis formed by Art. 6 (1) (c) GDPR in conjunction with Art. 7 (3) (1) GDPR and Art. 15 to 22 GDPR as well as Section 34 (2) Federal Data Protection Act (BDSG). If we process personal data for legal defence purposes, our legitimate interest lies therein as well, Art. 6 (1) GDPR.
You are under no contractual or legal obligation to provide us with your personal data, but we may refuse to comply with your request in order to respect your rights as a data subject under Art. 12 (2) (2) GDPR if you do not provide us with the data necessary to unambiguously identify you upon request.
Links to other websites and online services
Last revised: 04/05/2023