Privacy Policy

Thank you for your interest in our company. We attach great importance to data privacy. You can, in principle, use our website without having to enter any personal data. However, where a data subject wishes to avail themselves of specific services provided by our company via our website, it may be necessary for personal data to be processed. Where the processing of personal data is necessary and that processing has no legal basis, we will as a rule first obtain the data subject’s consent.

The processing of personal data, for instance the data subject’s name, address, email address and telephone number, is based on the European Union’s General Data Protection Regulation (GDPR) and in line with the country-specific data protection regulations applicable to BANO Healthcare GmbH. This Privacy Policy serves to inform the public about the nature, extent and purpose of personal data collected, used and processed by our company. Further, it serves to inform data subjects about their rights. BANO Healthcare GmbH, in its capacity as controller, has implemented numerous technical and organisational measures to guarantee the most comprehensive protection possible to any personal data which are processed via this website. Despite these efforts, internet-based data transmission may, in certain instances, have security gaps. It is, therefore, not possible to guarantee absolute privacy. For that reason, data subjects are free to transmit personal data to us in another way, for example by telephone.

1. Definitions

BANO Healthcare GmbH’s Privacy Policy uses the same terminology as is used in the EU’s GDPR. We aim to make our Privacy Policy easy to read and understand for the public as well as for our customers and business partners. To ensure this, the terminology used in our Privacy Policy is defined below.

a) Personal data

“Personal data” means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data subject

“Data subject” means any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing

“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

e) Profiling

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymisation

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

g) Controller

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Processor

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

“Recipient” means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.

j) Third party

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k) Consent

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

2. Controller’s name and address

The controller within the meaning of the GDPR, of other data protection legislation applicable in the EU Member States and other data protection regulations is

BANO Healthcare GmbH
Im Gries 22
6580 St. Anton / Arlberg, Austria
Tel.: +43 (0)2252/82 369-0
Email: bano@bano.at
Website: www.bano.at

3. Cookies

BANO Healthcare GmbH’s website uses cookies. Cookies are text files which are set and stored on a computer system by an internet browser. Numerous websites and servers use cookies. Many cookies contain a “cookie ID”. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which websites and servers can be assigned to the specific internet browser on which the cookie was stored. This enables websites visited and servers to distinguish the data subject’s individual browser from other browsers which contain other cookies. A specific browser can be recognised and identified via the unique cookie ID.

By using cookies, BANO Healthcare GmbH can provide the users of its website with more user-friendly services than would be possible if no cookies were set. Using cookies means that the information and offers on our website can be optimised for users’ benefit. As already mentioned above, cookies enable us to recognise visitors to our website. The purpose of this is to make it easier for visitors to use our website. For example, visitors to websites which use cookies do not have to re-enter their access data each time they visit a particular website because this is done for them by the website and the cookie stored on the user’s computer system. Cookies set for shopping baskets in our online shop are another example. The online shop remembers the items which a customer has placed in the virtual shopping basket by setting a cookie.

Data subjects can prevent our website using cookies at any time by making the appropriate setting in their browser and thus permanently objecting to the setting of cookies. Further, cookies which have already been set can be deleted at any time in their browser or using a software program. This can be done in all standard browsers. Where a data subject deactivates the setting of cookies in their browser they will, however, not be able to make full use of all the functions available on our website.

4. Recording general data and information

Each time a data subject visits BANO Healthcare GmbH’s website, some general data and information relating to the data subject or automated system are recorded. These general data and information are stored in the server’s log files. The following may be recorded: (1) the type of browser used and the browser version; (2) the operating system used by the system accessing the website; (3) the website from which a system accessing our website was directed to our website (referrer); (4) sub-websites which are used by an accessing system on our website; (5) the date and time of access to our website; (6) an Internet Protocol address (IP address); (7) the accessing system’s internet service provider; and (8) other similar data and information which serve to avert threats in the case of an attack on our information technology (IT) systems.

When using these general data and information, BANO Healthcare GmbH draws no conclusions in relation to the data subject. Instead, this information is needed (1) to correctly deliver our website content; (2) to optimise our website content and advertising; (3) to ensure the proper functioning of our IT systems and our website technology in the long term; and (4) to provide the prosecuting authorities with the information needed for a criminal prosecution in the event of a cyberattack. That is why BANO Healthcare GmbH conducts statistical analyses of these data and this information for the purpose of increasing the level of data protection and data security in our company to, ultimately, provide an optimal level of protection to the personal data we process. The server log file data are stored separately from all the personal data which data subjects have entered and for a period of three months, after which they are anonymised.

5. Registering on our website

Data subjects may register on the controller’s website, which involves entering their personal data. Which personal data will be transmitted to the controller is dependent on which input mask the data subject uses to register. Personal data entered by data subjects are only ever collected and stored for internal use by the controller and for its own purposes. The controller may arrange for personal data to be passed on to one or more processors, for example a parcel delivery service, which will likewise only ever use the personal data for internal purposes attributable to the controller. Further, when registering on the controller’s website the IP address issued by the data subject’s internet service provider, the date and time of registration are also stored. These data are stored in order to be able to prevent the misuse of our services. Also, they enable the full investigation of any offences committed. Storage of these data is thus necessary to protect the controller. These data are never passed on to third parties, unless there is a statutory obligation to pass them on or passing them on serves the prosecution of criminal offences.

When data subjects register and voluntarily enter their personal data, this enables the controller to offer data subjects content or services which can, by their very nature, only be offered to registered users.

Registered data subjects are free to change the personal data used to register on the website or to have them deleted entirely from the controller’s database. The controller provides each data subject, at any time upon their request, with information about which of the data subject’s personal data have been stored. Further, the controller rectifies or erases personal data upon the data subject’s request or notice, unless this is precluded by a statutory obligation to retain the data. Data subjects may contact any of the controller’s employees in this regard.

6. Subscribing to our newsletter

BANO Healthcare GmbH’s website allows users to subscribe to our company’s newsletter. Which personal data will be transmitted to the controller after subscribing to the newsletter is dependent on the input mask used for this purpose. BANO Healthcare GmbH uses its newsletter to regularly inform its customers and business partners about its offers and promotions. In principle, data subjects can only receive our company’s newsletter if (1) they have a valid email address and (2) they have subscribed to the newsletter. For legal reasons, a confirmation email is sent to the email address first entered by a data subject using the double opt-in procedure. This confirmation email serves to verify whether the owner of the email address, that is the data subject, has authorised receipt of the newsletter.

When data subjects subscribe to our newsletter, we also store the IP address of the computer system used by them when they registered on our website, as assigned by the internet service provider, and the date and time of registration. It is necessary to collect these data in order to be able to trace back (possible) abusive uses of an email address by a data subject at a later date, and it therefore serves the controller’s legal protection.

The personal data collected when subscribing to our newsletter are only ever used for the purpose of sending out our newsletter. Further, newsletter subscribers may be informed by email if this is necessary to provide the newsletter service or for the subscription to it. This may be the case when, for instance, changes are made to the newsletter or in the case of any necessary technical changes. Personal data collected in order to deliver the newsletter are never passed on to third parties.

Data subjects may cancel their subscription to our newsletter at any time. Consent to the storage of personal data which data subjects provide in order to receive our newsletter may be revoked at any time. A link is provided in each newsletter for the purpose of revoking this consent. Further, data subjects may unsubscribe from the newsletter at any time on the controller’s website, or they may notify the controller of that wish in another manner.

7. Newsletter tracking

BANO Healthcare GmbH’s newsletters contain tracking pixels. A tracking pixel is a mini-graphic which is embedded in an email sent in HTML format so as to enable log files to be recorded and a log file analysis to be conducted. This enables statistical analyses to be done to assess the success or failure of online marketing campaigns. By using these tracking pixels BANO Healthcare GmbH can recognise whether and when a data subject opened an email and which of the links in the email they clicked on. The personal data collected via the tracking pixels in newsletters are stored and analysed by the controller for the purpose of optimising newsletter mailshots and to even better adapt future newsletter content to data subjects’ interests. These personal data are not passed on to third parties. Data subjects are entitled to withdraw the consent they gave separately in this regard using the double opt-in procedure. Following revocation of consent, the controller will erase these personal data. When a data subject unsubscribes from our newsletter, BANO Healthcare GmbH automatically interprets this as revocation of consent.

8. Contact via website

Owing to statutory regulations, BANO Healthcare GmbH’s website includes information which enables users to quickly contact the company by electronic means and to communicate directly with us. This also encompasses the use of an email address. Where a data subject contacts the controller by email or using the contact form, the personal data transmitted by the data subject are automatically stored. Such personal data which data subjects transmit voluntarily to the controller are stored for processing purposes or to contact the data subject. These personal data are not passed on to third parties.

9. Routine erasure and blocking of personal data

The controller processes and stores data subjects’ personal data only for the period necessary to achieve the purpose of the storage or where this is provided for in legislation or regulations issued by EU regulators or other legislatures to which the controller is subject. Where the purpose of the storage ceases to apply or if a storage period prescribed by EU regulators or another competent legislature expires, personal data will be routinely blocked or erased in accordance with statutory provisions.

10. Rights of the data subject

a) Right to obtain confirmation

Data subjects have the right, as provided for by EU regulators, to obtain confirmation from the controller as to whether or not personal data concerning them are being processed. Where a data subject wishes to assert this right, they may contact any of the controller’s employees at any time in this regard.

b) Right to information

Anyone whose personal data are processed has the right, as provided for by EU regulators, to obtain information at any time from the controller, free of charge, relating to which of their personal data are being stored and to receive a copy of this information. Further, EU regulators have accorded data subjects the right to the following information:

  • the purposes of the processing;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or in international organisations;
  • where possible, the planned period for which the personal data are to be stored or, if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing by the controller, or the right to object to such processing;
  • the right to lodge a complaint with the supervisory authority;
  • where the personal data have not been obtained from the data subject: all the available information about the origin of the data or the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance of and the envisaged consequences of such processing for the data subject.

Further, data subjects have the right to information regarding whether personal data have been transferred to a third country or an international organisation. Where this is the case, data subjects also have the right to obtain information regarding appropriate or suitable safeguards which are in place in relation to such transmission.

Where a data subject wishes to avail themselves of this right to information, they may contact any of the controller’s employees at any time in this regard. 

c) Right to rectification

Anyone whose personal data are processed has the right, as provided for by EU regulators, to obtain without undue delay the rectification of inaccurate personal data concerning them. Further, data subjects have the right, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement.

Where a data subject wishes to avail themselves of this right to rectification, they may contact any of the controller’s employees at any time in this regard.

d) Right to erasure (right to be forgotten)

Anyone whose personal data are processed has the right, as provided for by EU regulators, to obtain from the controller the erasure of personal data concerning themselves without undue delay where one of the following grounds applies and the processing is not necessary:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws the consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Where one of the above-mentioned grounds applies and the data subject wishes to obtain erasure of personal data which BANO Healthcare GmbH has stored, they may contact any of the controller’s employees at any time in this regard. BANO Healthcare GmbH’s employee will then arrange for the personal data to be erased without undue delay. Where BANO Healthcare GmbH has published the personal data and our company, in its capacity as controller, is obliged, under Article 17(1) of the GDPR, to erase the personal data, then taking account of available technology and the costs of implementation, BANO Healthcare GmbH will take reasonable steps, including technical measures, to inform other controllers processing the published personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of, those personal data, unless the processing is necessary. BANO Healthcare GmbH’s employee will ensure that the necessary steps are taken.

e) Right to restriction of processing

Anyone whose personal data are processed has the right, as provided for by EU regulators, to obtain from the controller restriction of processing where one of the following conditions applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.

Where one of the above-mentioned conditions is met and the data subject wishes to obtain restriction of personal data which BANO Healthcare GmbH has stored, they may contact any of the controller’s employees at any time in this regard. BANO Healthcare GmbH’s employee will ensure that the necessary steps are taken.

f) Right to data portability

Any data subject whose personal data are processed has the right, as provided for by EU regulators, to receive the personal data concerning them which they have provided to a controller, in a structured, commonly used and machine-readable format. The data subject also has the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided, that is if the processing was based on consent pursuant to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Further, in the exercise of their right to data portability in accordance with Article 20(1) of the GDPR, data subjects have the right to have their personal data transmitted directly from one controller to another, where technically feasible and where this does not affect the rights and freedoms of other persons.

Data subjects may contact any of BANO Healthcare GmbH’s employees at any time to assert the right to data portability.

g) Right to object

Data subjects whose personal data are processed have the right, as provided for by EU regulators, to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on these provisions. Where such an objection is raised, BANO Healthcare GmbH will no longer process these personal data, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where BANO Healthcare GmbH processes personal data for direct marketing purposes, data subjects have the right to object at any time to the processing of personal data concerning them for the purpose of such marketing, including profiling, to the extent that it is related to such direct marketing. Where a data subject objects to processing for direct marketing purposes, BANO Healthcare GmbH will no longer process these personal data for such purposes.

In addition, data subjects have the right to object, on grounds relating to their particular situation, at any time to the processing by BANO Healthcare GmbH of personal data concerning them for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Data subjects may directly contact any of BANO Healthcare GmbH’s employees or another employee in order to exercise the right to object. Data subjects are also free, notwithstanding Directive 2002/58/EC, to exercise their right to object by automated means using technical specifications.

h) Automated individual decision-making, including profiling

Data subjects whose personal data are processed have the right, as provided for by EU regulators, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision (1) is necessary to enter into, or for the performance of, a contract between the data subject and a controller; (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (3) is based on the data subject’s explicit consent.

Where the decision (1) is necessary to enter into or for the performance of a contract between the data subject and the controller or (2) is taken with the data subject’s explicit consent, BANO Healthcare GmbH will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

Data subjects wishing to assert rights relating to automated decision-making may contact any of the controller’s employees at any time in this regard.

i) Right to revoke consent

Data subjects whose personal data are processed have the right, as provided for by EU regulators, at any time to revoke their consent to the processing of their personal data. Data subjects wishing to assert rights relating to automated decision-making may contact any of the controller’s employees at any time in this regard.

11. Use of Facebook

The controller has included Facebook integration components on this website. Facebook is a social network. A social network is a social meeting place operated on the internet, an online community which, generally speaking, enables its users to communicate with each other and to interact in cyberspace. A social network can serve as a platform for users to share opinions and experience or to enable the internet community to share personal or business information. Facebook enables the users of its social network to create private profiles, to upload photos and to create networks through friend requests, for example.

Facebook is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. In the case of data subjects based outside the United States of America or Canada, the controller responsible for processing personal data is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Each time a user calls up a webpage on a website operated by the controller into which a Facebook component has been integrated (Facebook plugin), the browser on the data subject’s IT system is automatically prompted by the relevant Facebook component to download a representation of the relevant Facebook component from Facebook. For an overview of all Facebook plugins, go to: https://developers.facebook.com/docs/plugins/?locale=de_EN. During this technical procedure, Facebook will be informed about which concrete subpages on our website each data subject visits. If data subjects are logged into their Facebook account while viewing this website, Facebook recognises each time they call up our website and, throughout the entire time they are calling up our website, which specific subpages they visit. This information is collected by the Facebook integration component and then assigned to the data subject’s Facebook account. When a data subject clicks on one of Facebook’s icons which are integrated into our website – for instance the “Like” icon – or if a data subject adds a comment, Facebook assigns this information to the data subject’s personal Facebook account and stores these personal data. Via its integration components, Facebook is always informed about the fact that a data subject has visited our website and if they are logged into their Facebook account when doing so; this is done irrespective of whether the data subject has clicked on the Facebook component itself or not.

If data subjects do not wish such information to be passed on to Facebook, they can prevent the data transmission by first logging out of their Facebook account before calling up our website. For Facebook’s Privacy Policy, go to: https://de-de.facebook.com/about/privacy/. It contains information about which personal data Facebook collects, processes and uses. It also explains which privacy settings are available on Facebook. Besides, it contains various apps which allow data subjects to prevent data being transmitted to Facebook.

12. Use of Google Analytics (incl. anonymisation function)

The controller has included the Google Analytics integration component (incl. anonymisation function) on this website. Google Analytics is a web analytics service. Web analytics encompasses the recording, collection and analysis of data relating to users’ website activities. A web analytics service collects, among other things, data on which websites data subjects were redirected from (referrer), which subpages they access and how often, and how long they stay on a subpage. Web analytics is primarily used to optimise a website and for the purposes of conducting a cost-benefit analysis.

The Google Analytics component is operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. The controller uses Google Analytics’ web analytics via the "_gat._anonymizeIp" addition. This allows Google to abbreviate and anonymise a data subject’s IP address if they are accessing our website from one of the EU Member States or from a Contracting Party to the Agreement on the European Economic Area.

The Google Analytics component analyses visitor streams to our website. Google uses the data and information collected in this way to, among other things, analyse the use of our website so as to provide us with online reports on website activities and to provide other services linked to the use of our website. Google Analytics sets a cookie on the data subject’s IT system. A definition of cookies has already been provided above. By setting cookies, Google is able to analyse website activity on our webpages. Each time a data subject calls up an individual webpage on the website operated by the controller into which a Google Analytics component has been integrated, the browser on the data subject’s IT system automatically prompts the relevant Google Analytics component to transmit data to Google for online analysis purposes. This technical procedure provides Google with personal data, such as the data subject’s IP address, which Google uses to, among other things, find out the visitor’s origin and to enable commission invoicing. The cookie is used to store personal information, for instance time and place of access and how often a data subject visits our website. Each time a data subject visits our website, these personal data, including the IP address of the internet connection used by the data subject, are transmitted to Google in the United States of America. Google stores these personal data in the United States. Google may pass the personal data collected via this technical procedure on to third parties.

Data subjects may at any time prevent the setting of cookies by our website, as described above, by making the relevant setting in their browser and can thus permanently object to the setting of cookies. Making this setting in their browser also prevents Google from setting a cookie on their IT system. In addition, a cookie which has been set by Google Analytics can be deleted at any time via the data subject’s browser or using another software program.

Further, data subjects can also object to the recording of personal data generated by Google Analytics relating to the use of this website and to the processing of these data by Google, and can prevent such recording and processing. To do so, data subjects must download and install a browser add-on via the following link: https://tools.google.com/dlpage/gaoptout. The browser add-on notifies Google Analytics, via JavaScript, that no data and information relating to visits to websites may be transmitted to Google Analytics. Google interprets the installation of the browser add-on as an objection. If the data subject’s IT system is deleted, formatted or re-installed at a later date, the data subject must re-install the browser add-on in order to deactivate Google Analytics. If the data subject or another person who can be assigned to their sphere of influence uninstalls or deactivates the browser add-on, it is possible to re-install or re-activate it.

Further information and Google’s Privacy Policy are available at: https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. More detailed information about Google Analytics is available at: https://www.google.com/intl/de_de/analytics/.

13. Payment methods: Klarna’s Privacy Policy

The controller has included Klarna integration components on this website. Klarna is an online payment services provider which enables goods to be either bought on account or using a flexible instalment plan. Klarna also provides other services, such as buyer protection and identity and creditworthiness checks. Klarna is operated by Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden.

Data subjects who select “Purchase on account” or “Instalment purchase” when placing an order in our online shop will automatically have their personal data transmitted to Klarna. By selecting one of these payment options data subjects consent to such data transmission, which is necessary to process the purchase on account or payment in instalments or to conduct an identity or creditworthiness check. Personal data which are generally transmitted to Klarna include the data subject’s given name, family name, address, date of birth, gender, email address, IP address, telephone number, mobile number and other data necessary to process a purchase on account or payment in instalments. Such personal data which are linked to each order are also necessary to process the purchase contract. In particular, there may be a reciprocal exchange of payment information, such as bank account details, card number, validity and CVC code, number of articles, item numbers, data relating to goods and services, prices and taxes, information relating to previous purchases and other information relating to the data subject’s financial status. The purpose of the data transmission is, in particular, to carry out an identity check, administer the payment and prevent fraud.

The controller will in particular transmit personal data to Klarna where there is a legitimate interest in such transmission. The personal data which Klarna and the controller share are transmitted by Klarna to credit agencies. This serves the purpose of identity and creditworthiness checks. Klarna also passes personal data on to affiliated companies (Klarna Group) and service providers or subcontractors where this is necessary to fulfil contractual obligations or the data are to be processed on its behalf. Klarna collects and uses data and information about a data subject’s payment history and probabilities regarding their future behaviour (scoring) to take decisions relating to the establishment, performance or termination of a contractual relationship. These scores are calculated on the basis of scientifically recognised mathematical/statistical procedures. Data subjects can withdraw their consent to Klarna’s use of their personal data at any time. Such withdrawal of consent is without prejudice to personal data which of necessity must be processed, used or transmitted for (contractual) payment processing purposes. Klarna’s Privacy Policy is available at: https://cdn.klarna.com/1.0/shared/content/policy/data/de_de/data_protection.pdf.

14. Payment methods: PayPal’s Privacy Policy

The controller has included PayPal integration components on this website. PayPal is an online payment services provider. Payments are handled via PayPal accounts, that is virtual private or business accounts. Users who have no credit card can also make payments using PayPal. Only an email address is required to open a PayPal account; users have no account number. PayPal enables online payments to be made to third parties or users to receive payments onto their account. PayPal also acts in a fiduciary capacity and offers buyer protection services.

PayPal’s operator in Europe is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. When data subjects select “PayPal” as a payment option when placing an order in our online shop, their data are automatically transmitted to PayPal. By selecting this payment method data subjects consent to the transmission of personal data necessary to process the payment.

Personal data transmitted to PayPal generally include the data subject’s given name, family name, address, email address, IP address, telephone number, mobile number or other data necessary to process the payment. Those personal data which are related to the order are also necessary to conclude the purchase contract. The purpose of the data transmission is to process the payment and prevent fraud. The controller will in particular transmit personal data to PayPal where there is a legitimate interest in such transmission. The personal data which PayPal and the controller share may be passed on by PayPal to credit agencies. The purpose of such transmission is to conduct an identity and creditworthiness check. PayPal may pass the personal data on to affiliated companies and service providers or to subcontractors if this is necessary to fulfil its contractual obligations or if the data are to be processed on its behalf. Data subjects may at any time revoke their consent to the handling of their personal data. Such revocation of consent is without prejudice to personal data which of necessity must be processed, used or transmitted for (contractual) payment processing purposes. PayPal’s Privacy Policy is available at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

15. Payment methods: SOFORT’s Privacy Policy

The controller has included integration components relating to SOFORT Bank Transfer on this website. SOFORT Bank Transfer is a payment service which enables non-cash payments to be made online for products and services. SOFORT Bank Transfer is a technical procedure through which an online trader receives immediate confirmation of payment. This enables the trader to deliver goods, services or downloads immediately after a customer has placed an order.

The operator of SOFORT Bank Transfer is SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany. When data subjects select “SOFORT Bank Transfer” as a payment option when placing an order in our online shop, their data are automatically transmitted to SOFORT Bank Transfer. By selecting this payment method data subjects consent to the transmission of personal data necessary to process the payment. When completing their purchase using SOFORT Bank Transfer, buyers’ PIN and TAN are transferred to SOFORT GmbH. After conducting a technical check of a buyer’s account balance and calling up other data to check whether the account is covered, SOFORT Bank Transfer then makes the bank transfer to the online trader. The online trader is then automatically notified that the financial transaction has been carried out. Personal data shared with SOFORT Bank Transfer include the data subject’s given name, family name, address, email address, IP address, telephone number, mobile number and other data necessary to process a purchase. The purpose of the data transmission is to process the payment and prevent fraud. The controller will also transfer other personal data where there is a legitimate interest in such transmission. Personal data shared between SOFORT Bank Transfer and the controller may be passed on by SOFORT Bank Transfer to credit agencies. The purpose of such transmission is to conduct an identity and creditworthiness check. SOFORT Bank Transfer may pass the personal data on to affiliated companies and service providers or to subcontractors if this is necessary to fulfil its contractual obligations or the data are to be processed on its behalf.

Data subjects may at any time revoke consent given to SOFORT Bank Transfer regarding the handling of their personal data. Such revocation of consent is without prejudice to personal data which of necessity must be processed, used or transmitted for (contractual) payment processing purposes. SOFORT Bank Transfer’s Privacy Policy is available at: https://www.sofort.com/ger-DE/datenschutzerklaerung-sofort-gmbh/.

16. Legal basis for the processing of personal data

Point (a) of Article 6(1) of the GDPR provides our company with the legal basis for processing operations for which we first obtain consent for a specific processing purpose. Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, such as is the case in regard to processing operations necessary to deliver goods or to provide other services or counter-performance, this processing is based on point (b) of Article 6(1) of the GDPR. The same applies to processing operations necessary for the performance of precontractual measures, for instance in the case of enquiries relating to our products or services. If our company is required to comply with a legal obligation based on which the processing of personal data becomes necessary, such as in the fulfilment of tax obligations, such processing is based on point (c) of Article 6(1) of the GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would, for instance, be the case where a person visiting our business was injured and their name, age, health insurance details or other vital information needed to be passed on to a doctor, hospital or other third parties. In such cases the processing would be based on point (d) of Article 6(1) of the GDPR. Finally, processing operations may be based on point (f) of Article 6(1) of the GDPR, which provides the basis for processing operations which are not covered by any of the aforementioned legal grounds and if the processing is necessary for the purposes of the legitimate interests pursued by the company or a third party, unless the interests and fundamental rights and freedoms of the data subject prevail. We are, therefore, permitted to carry out such processing operations in particular because they were specifically mentioned by the European legislature, which was of the opinion that a legitimate interest could be assumed where the data subject is a customer of the controller (Recital 47, sentence 2 GDPR).

17. Legitimate interests in processing pursued by the controller or a third party

If the processing of personal data is based on point (f) of Article 6(1) of the GDPR, our legitimate interest is the carrying out of our business activities for the benefit of all our employees and shareholders.

18. Personal data storage period

The criterion relevant to the duration for which personal data are to be stored is the relevant statutory storage period. Following expiry of this period, the relevant data are routinely erased, unless they are needed for the performance of a contract or initiation of a contract.

19. Statutory or contractual provisions regarding the provision of personal data; need to conclude a contract; data subject’s obligation to provide personal data; possible consequences of not providing personal data

We hereby inform you that you may, in some cases, be required by law to provide personal data (e.g. under tax law) or that such obligation may result from contractual regulations (e.g. information about contracting party). Sometimes it may be necessary in order to conclude a contract for a data subject to provide their personal data to us and for us to subsequently process these personal data. Data subjects are, for instance, required to provide us with their personal data when our company concludes a contract with them. The consequence of not providing these personal data to us would be that the contract could not be concluded with the data subject.

Before data subjects provide their personal data to us, they must contact one of our employees. BANO Healthcare GmbH’s employee will inform the data subject, on a case-by-case basis, whether the provision of personal data is required by law or contract or whether it is necessary to conclude the contract, whether the data subject is required to provide the personal data and what the consequences would be of not providing the personal data.

20. Automated decision-making

BANO Healthcare GmbH is a responsible company and therefore does not use automated decision-making or profiling.