Privacy Policy

With this privacy policy we inform you about the scope of the processing of your personal data (hereinafter "data"). The German version of this privacy policy is authoritative. The English version is for information purposes only. Refer to German version oft the privacy policy.

1. Data processing responsibility

Responsible for data processing in accordance with the provisions of the General Data Protection Regulation (GDPR) is:

Ondal Medical Systems GmbH
Wellastrasse 6
36088 Hünfeld
Phone: +49 6652-81-0
E-mail: info@ondal.de

2. Data protection officer contact details

Sarah Tavcer
RMPrivacy GmbH
Große Langgasse 1A
55116 Mainz
Tel.: 06131 28770 85             
E-Mail: datenschutz@ondal.com            

3. Joint processing

We process personal data jointly within the Ondal group of companies for effective internal management of personal data and group systems. For this purpose, we transfer your data to companies affiliated with us pursuant to Section 18 of the German Stock Corporation Act (AktG) et seq. by analogy, or process the data in systems operated jointly with the companies affiliated with us.

You can view the parties involved in our group of companies :

  • Ondal Holding GmbH
  • Ondal Medical Systems GmbH
  • Ondal Medical Systems of America, Inc.
  • Ondal Medical Systems (Suzhou) Co. Ltd.

No personal data is exchanged with Ondal Real Estate GmbH or Ondal Medtech TopCo GmbH, which are also affiliated companies.

The legal basis for joint data processing is our legitimate interest in effective administration and IT infrastructure pursuant to Article 6 (1) f) GDPR.

For the processes subject to joint data processing, we are jointly responsible with our affiliated companies pursuant to Article 26 GDPR. Accordingly, we have defined the internal responsibilities and accountabilities in a contract.

The information obligations of the GDPR will be fulfilled by the respective company with which you are first in contact.

We have assigned the fulfillment of data subject rights internally to Ondal Medical Systems GmbH. You can contact us at any time with inquiries or to assert your data subject rights using the contact details in Section 1.

The specific processes that fall under joint processing are marked as follows.

4. General information on data processing

In the course of our business and website operations, we process data.

This includes disclosure by transmission to third parties and, where applicable, to countries outside the European Union ("EU") and the European Economic Area ("EEA"). Insofar as we transfer data outside the EU or the EEA, we have detailed this accordingly below.

5. Data processing

The data gathered for processing purposes, legal bases, recipients and, where applicable, transfers to third countries are listed below:

a) Log file during website visit

We log your website visit. In doing so, we process:

  • name(s) of our accessed website(s);
  • date and time of access;
  • amount of data transferred;
  • browser type and version;
  • operating system used by you;
  • referrer URL (the previously visited website);
  • your IP address;
  • requesting provider.

The legal basis for data processing is our legitimate interest in the ongoing provision and security of our website in accordance with  6 (1) f) GDPR.

The log file is deleted after seven days, unless it is needed to prove or clarify specific legal violations that have become known within the retention period.

b) Hosting

Our online provider is René Münnich, ALL-INKL.COM - Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, which processes all data in connection with the operation of this website (log file when visiting the website) on our behalf.

The legal basis for the data processing is our legitimate interest in the provision of our website in accordance with Article 6 para. 1 f) GDPR.

c) Contacting us

When you contact us, we collect the following data for the purpose of processing and handling your request: Name, contact details if provided by you and your message.

The legal basis for the data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations pursuant to Article 6 (1) b) GDPR and/or our interest in processing your request pursuant to Article 6 (1) f) GDPR.

d) Contacting us for applications

When you contact us to submit your application as an employee, by e-mail or via a contact form, the data you provide (e.g. name, e-mail address, desired location), your message and the application documents submitted will be processed exclusively for the purpose of processing and handling your application request.

The legal basis for data processing is primarily Section 26 of the German Data Protection Act (BDSG). Accordingly, the processing of data that is required in connection with the decision on the establishment of an employment relationship is permissible.

Should the data be necessary for legal prosecution after completion of the application process, if applicable, data processing may be carried out to safeguard our legitimate interests pursuant to Article 6 (1) f) GDPR, namely to assert and/or defend claims.

e) Applicant pool

If you give us your consent to store your application documents after the application process has been completed, we will store them in our applicant pool for the purpose of contacting you for future vacancies that fit your profile. The legal basis for processing within the scope of our applicant pool is your prior consent pursuant to Article 6 (1) a) GDPR.

f) Contract processing

We collect your personal customer and contract data for the purpose of processing the contractual relationship between you and us.

The legal basis for the data processing is the fulfillment of our contractual obligations pursuant to Article 6 (1) b) GDPR and, in individual cases, the fulfillment of our legal obligations pursuant to Article 6 (1) c) GDPR.

We transmit your address data to the company commissioned with the delivery. If necessary, we additionally transmit your e-mail address or your telephone number to the company commissioned with the delivery in order to coordinate a delivery date (notification).

Your transaction data (name, date of order, payment method, date of dispatch and/or receipt, amount and payee, bank details or credit card data, if applicable) are transmitted to the payment service provider responsible for processing the payment.

g) Customer account: MyOndal

In connection with the opening and use of a customer account, we process your inventory data (name, address, e-mail address) and your usage data (user name, password). This allows you to manage your orders and we can identify you as a customer. The legal basis for this data processing is your consent in accordance with Article 6 (1) a) GDPR.

h) Microsoft Teams

We use the video conferencing function of Microsoft Teams from the Office 365 product line of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park Leopardstown, Dublin 18, D18 P521, Ireland for communication. Through this, we can offer you participation via video and audio in our meetings and online events.

We do not record Microsoft Teams online events and meetings unless we have obtained consent in advance.

The people who can see your audio and video input are dependent on the Teams mode we use:

Live Events, Webinars: For live events, we do not allow audio or video input from participants to maintain anonymity.

Team meetings: In team meetings, all participants can set their own audio and video inputs. We cannot definitively exclude or prevent unauthorized processing by other participants, for example by recording the meeting.

Data processing with Office 365 is carried out on our behalf on servers in data centers in the European Union in Ireland and the Netherlands.

For the purpose of remote maintenance, Microsoft may request remote access. This access will be reviewed and approved by us on a case-by-case basis if it is necessary for Microsoft to perform support services (e.g. for troubleshooting). In this case, such access may also be provided by Microsoft affiliates from outside the European Union. This may include countries for which there is no EU Commission adequacy decision. We have entered into standard contractual clauses with Microsoft exclusively for this case of access from outside the European Union in individual cases approved by us. We will provide a copy of the contractual clauses upon request. To do so, please contact info@ondal.de.

When using MS Teams, data may also be transferred to Microsoft in the USA. Microsoft is certified under the EU-US Data Privacy Framework and to this extent falls under the EU adequacy decision for the US.

Microsoft reserves the right under its Privacy Policy to process Customer Data for its own legitimate business purposes. We have no control over these data processing activities by Microsoft. To the extent that Microsoft Teams processes personal data in connection with its legitimate business purposes, Microsoft is the independent data controller for those data processing activities and, as such, is responsible for compliance with all applicable data protection laws. If you require information about Microsoft's processing, please refer to the relevant Microsoft statement: privacy.microsoft.com/de-de/privacystatement.

We carry out data processing activities on the basis of a legitimate interest pursuant to Article 6 (1) f) GDPR. The purpose and legitimate interest of this data processing are: provision of communication options with our customers, business partners and interested parties via the Internet as well as for internal coordination and, if applicable, implementation of webinars and similar live events.

Your personal data will be deleted after 180 days at the latest.

i) Newsletter

In order to provide you with regular information about our company and offers, we distribute an e-mail newsletter. With your newsletter registration, we process the data you entered during registration (e-mail address and other voluntary information). In order to prevent misuse, we will send you an e-mail after your registration in which we ask you to confirm your registration (double opt-in procedure). In order to be able to prove the registration process in a legally compliant manner, your registration is logged. This includes the time of registration and confirmation as well as your IP address.

The legal basis for sending the newsletter is your consent in accordance with Article 6 (1) a) GDPR. The data processing in connection with the sending of the confirmation email for your registration and the associated data logging is carried out in accordance with Article 6 (1) f) GDPR due to our legitimate interest in proving your proper registration.

If you give us consent, we survey whether you have opened the newsletter as well as scrolling and clicking behavior within the newsletter. This is done for the purpose of optimally tailoring our newsletter to your interests and improving the content of our newsletter. The legal basis for the analysis of the newsletter is your consent in accordance with Article 6 (1) a) GDPR.

For the distribution of the newsletter, we use a service provider located within the EU, to whom we transmit the named data.

j) Direct e-mail advertising for existing customers

Unless you have objected, we will send you direct advertising in connection with the goods and services you have purchased in order to offer you similar goods and services. For this purpose, we use the e-mail address you used when completing the contract.

You can object to this use at any time without incurring any costs other than the transmission costs according to the basic rates.

The legal basis for sending this direct advertising is Section 7 (3) of the German Law Against Unfair Competition (UWG) in conjunction with. Article 95 GDPR. For the distribution of the newsletter, we use service providers to whom we transmit the aforementioned data.

k) Use of cookies

We use cookies on our website. Cookies are small text files that are stored on your respective end device (PC, smartphone, tablet, etc.) and saved by your browser.

We use functional cookies that technically facilitate the use of our website or serve to optimize it (e.g. as part of the login to My Ondal). The legal basis is our legitimate interest in the technically optimized provision of our website pursuant to Article 6 (1) f) GDPR.

Insofar as we have integrated cookies for advertising purposes, the use takes place on the legal basis of your consent pursuant to Article 6 (1) a) GDPR. You can find information about the specific cookies we use, their providers and purposes in our Consent banner. There you can give your consent to the respective services, can revoke it, or adjust your settings subsequently.

l) Our consent banner

In order to document your choices regarding certain data processing procedures and to fulfill our obligations under data protection law, we use a consent banner. When you access our website, your cookie preferences are requested via a banner. We then set a cookie in which data on consent given or revoked is stored. The data processing is carried out to fulfill our legal obligations according to Article 6 (1) c) GDPR.

m) Web analysis with Matomo

We use the web analysis software Matomo on our website. When you visit our site, this saves information about your use of the website (including IP address). We use the information to evaluate your use of our website, to compile reports on website activity for us and to provide other services related to website activity and internet usage.

The legal basis for data processing is your consent in accordance with Article 6 (1) a) GDPR.

Please note that this website uses Matomo with the extension "anonymizeIp()". This shortens IP addresses before transmission. A direct personal reference in connection with the stored data is thus fundamentally excluded. We may transfer the stored information to third parties if required by law.

n) Facebook

1. Joint Responsibility for Data Processing

We operate our Facebook fan page on the online platform of the social network of Meta Platforms Limited (hereinafter "Meta"). In accordance with the GDPR, we are jointly responsible with Meta for data processing in connection with this fan page. This includes in particular the data processing of page insights, see 2) 2b) Use of Insights and Cookies. When you visit this Fanpage, personal data is processed by Meta and us as the responsible parties.

Meta assumes primary responsibility under the GDPR for the processing of Insights Data. Meta therefore also assumes all obligations under the GDPR with respect to the processing of Insights Data (including but not limited to Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). Meta remains solely responsible for the processing of such personal data in connection with Page Insights that are not covered by the existing Page Insights Supplement.

Due to the existing agreements with Meta, also regarding the joint responsibility of the data agreement, it is expedient to assert requests for information as well as the assertion of further data subject rights directly with Meta. As the operator of the social network and its ability to integrate Facebook fan pages there, Meta alone is able to access the necessary information through its direct access options and to take any necessary measures and provide information directly. However, you can also send requests to us.

The underlying terms of use of Meta (including the other terms and policies set forth therein) are available at: https://www.facebook.com/legal/terms.

Supplemented by the page insights supplement regarding the responsible party, available at: https://www.facebook.com/legal/terms/page_controller_addendum

2. What Data do we process and for what Purpose?

2.a. Operation of our Fan Page

The purpose of operating our Facebook fan page is to get in touch with users and visitors of the Meta social network and to engage in an exchange. Sometimes we provide information about our company and related offers, such as events held by us or current events, special promotions and offers, etc.

With the help of our Facebook fan page, we can also obtain statistics on visits and visitors. This is created by Meta. Thus, we can better and more targeted control the marketing of our activity. In the process, we can also gain knowledge of Facebook profiles of individual users who like our fan page and/or use the applications on the page. This enables us to provide the users in question with improved content and functions via our Facebook fan page.

In order to further improve our content, we may also use demographic and geographic analyses based on the information collected during visits. This allows us to target interest-based advertisements without directly knowing your identity as a visitor.

If you use multiple devices when visiting Meta, data may also be collected and analyzed across devices if you visit our fan page as a registered user who is logged in with your Facebook profile.

Generated visitor statistics are forwarded to us in anonymized form only. Access to the underlying data is not possible for us.

2.b. Use of Insights and Cookies

As part of our fan page, we use the "Insights" service from Meta to obtain anonymized statistical data on visitors to our fan page.

When you visit our fan page, Meta stores a corresponding data package, a so-called "cookie", on your end device, each of which contains an assignable user code. If you are registered as a Facebook user, this user code can be linked to your data. The information stored in the process is processed by Facebook. It is also possible that third parties can use this information from Facebook's cookies to provide services to companies advertising on Facebook.

Unless previously deleted, the cookie is active for two years.

For more information on Page Insights, please see the Page Insights Supplement between Meta and us on data processing accountability: https://www.facebook.com/legal/terms/page_controller_addendum

For more information on the use of cookies by Meta, see Facebook's Cookie Policy: https://www.facebook.com/policies/cookies/

3. Legal Basis

The processing of personal data by us is based on our legitimate interests in an effective exchange with the users of our social media presences, the visitors to our profiles and in connection with the communication with users on our social media profiles, including our corporate presentation pursuant to Art. 6 (1) f) GDPR.

4. Data Sharing and Data Transfer to the USA

It is possible that the data collected when visiting our Fanpage will be forwarded to Meta Platforms Inc. based in the USA and processed there. Meta is certified within the framework of the EU-US Data Privacy Framework and to this extent falls under the EU adequacy decision for the USA.

We do not pass on data within the framework of the operation of our fan page.

5. Possibility to object via your Facebook Account

As a Facebook user, you have the option of using the settings for advertising preferences in your Facebook account to set the extent to which their user behavior may be recorded when visiting our fan page. In addition, Facebook provides an objection form:

https://www.facebook.com/help/contact/1994830130782319

o) Xing

1. What Data do we process and for what Purpose?

1.a. Exchange and Communication

We operate a company profile on the online platform of the social network XING, New Work SE
Dammtorstraße 30, 20354 Hamburg, Germany (hereinafter "Xing"), where personal data is processed. The purpose of operating our company profile on Xing is to get in touch with users and visitors of the social network. In doing so, we provide direct information about our company and the associated offers.

As a user of a Xing company profile, we may process the data you provide as a Xing member on Xing. This includes all information you have stored in your profile, messages they send us, as well as interactions with our content. This happens when you share or recommend our content, comment on it, or when you refer to our presence within Xing.

For information on what data is processed by Xing and for what purposes it is used, please see Xing's privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

The processing of personal data by us is based on our legitimate interests in an effective exchange with users of Xing, visitors to our profile, to be able to receive applications from users directly via Xing, and in connection with communication with users on our social media profiles, including our corporate presentation pursuant to Art. 6 (1) f) GDPR.

1.b. Applications

If you submit your application to us via Xing or if you indicate interest in a job offer that we make to you, the data you provide (e.g. name, e-mail address, desired job location, data of your Xing profile, etc.), your message, and the application documents submitted will be processed exclusively for the purpose of processing and handling your application request.

We process personal applicant data on the basis of Section 26 (1) FDPA. Accordingly, the processing of data that is required in connection with the decision on the establishment of an employment relationship is permissible.

Should the data be necessary for legal prosecution after completion of the application process, data processing may be carried out to safeguard our legitimate interests pursuant to Art. 6 (1) f) GDPR, namely for the assertion and/or defense of claims.

2. Data Sharing and Data Transfer to the USA

It is possible that the data collected when visiting our company profile will be forwarded to the companies based in the USA and processed there. Xing ensures an adequate level of data protection via the EU standard contractual clauses. A copy of the relevant EU standard contractual clauses will be provided upon request. For this purpose, please contact datenschutz@ondal.com.

We do not pass on data within the framework of the operation of our profile.

p) YouTube

1. What Data do we process and for what Purpose?

YouTube is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "YouTube"). Within the scope of our YouTube channel, no personal data is directly processed by us.  

However, if you have entered data on YouTube itself as a registered user, such as your username as well as the content published under your own account, this data will be processed by us when we respond to a request from you, reply to your comments or write a post that refers to your profile.  

For all further data processing within the scope of the use of the YouTube service and its functionalities, Google Ireland Limited is the responsible party within the meaning of Art. 4 No. 7 GDPR. We have no influence on the type and scope of the data processed by YouTube as part of the service, the type of processing, the use of the data or the transfer of this data to third parties.

Information about which data is processed by YouTube and for which purposes can be found in YouTube's privacy policy: policies.google.com/privacy.

2. Legal Basis

The processing of personal data by us is based on our legitimate interests in an effective exchange with YouTube users, visitors to our profile and in connection with communication with users on our social media profiles, including our corporate presentation pursuant to Art. 6 (1) f) GDPR.

3. Data Sharing and Data Transfer to the USA

It is possible that data collected when visiting our YouTube channel will be forwarded to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and processed there. Google is certified within the framework of the EU-US Data Privacy Framework and to this extent falls under the EU adequacy decision for the USA.

Incidentally, we do not pass on data to third parties within the framework of the operation of our company profile.

6. Duration of data storage

We store personal data only as long as it is necessary for the purposes for which it is processed or until any consent you have given us has been revoked by you. Insofar as statutory retention obligations must be observed, the storage period for certain data can be up to 10 years, regardless of the processing purposes.

7. Your data subject rights

a) Information

Upon request, you will receive information about all personal data we have stored about you at any time and free of charge.

b) Correction, deletion, restriction of processing (blocking), objection

If you no longer agree with the storage of your personal data or if this data has become incorrect, we will arrange for the deletion or blocking of your data or make the necessary corrections (to the extent possible according to the applicable law) on the basis of a corresponding instruction. The same applies if we are only to process data in a restrictive manner in the future. You have a right of objection in particular in cases where your data is required due to the performance of a task that is in the public interest or the data processing is based on our legitimate interest, as well as profiling based on this. Likewise, in the case of data processing for the purpose of direct advertising, you have such a right of objection.

c) Right of revocation for consents

You may revoke any consents you have given at any time in order to affect future processing. Your revocation will not affect the lawfulness of the processing until the time of revocation.

d) Data portability

If data processing takes place on the basis of a contract, pre-contractual negotiations, consent or with the help of automated processes, you have the right to data portability. Upon request, we will provide you with your data in a common, structured and machine-readable format so that you can transfer the data to another responsible party upon request.

e) Restriction of processing

Data for which we are not able to identify the data subject (e.g. data which has been anonymized), is not covered by the above rights. Information, deletion, blocking, correction or transfer to another company may be possible in relation to this data if you provide us with additional information that allows us to identify you.

f) Exercise of your data subject rights and right of appeal

If you have any questions regarding the processing of your personal data, wish to obtain information, correct, block, object to or delete data, or wish to have your data transferred to another company, please contact info@ondal.de.

You have the option of filing a complaint with a supervisory authority about your data protection rights.