Information on data protection
Data protection information for customers and business partners, their authorised representatives and agents, as well as other persons associated with our customers or business partners and interested parties.
This information is intended to inform you about how we process your personal data and your rights under data protection regulations. The following explanations provide details on which data is processed and how it is used.
As changes in legislation or changes to our internal company processes may require this privacy policy to be amended, we ask you to review this privacy policy regularly. The privacy policy can be accessed, saved and printed at any time at Privacy Policy.
1. Who is responsible for data processing and who can I contact?
The responsible body is:
Medical Strategy GmbH
Bahnhofstraße 7
82166 Gräfelfing
Tel.: +49 (0)89-27 27 24-16
Fax: +49 (0)89-27 27 24-24
Email: office@medicalstrategy.de
Website: www.medicalstrategy.de
External data protection officer:
Mr. Karsten Kinast, LL.M., attorney at law
KINAST Rechtsanwaltsgesellschaft mbH
Nordstraße 17a, 50733 Cologne
Tel.: +49 221 222183-0
Email: apo-dsb@kinast.eu
Website: www.kinast.eu
2. What sources and personal data do we use?
We process personal data that we receive from our customers and business partners, their authorised representatives, agents and other persons associated with the customer or business partner, as well as from interested parties, within the scope of our business relationship or in the course of establishing business relations. In addition, we process personal data that we obtain from publicly accessible sources (e.g. commercial and association registers, press, Internet) in a permissible manner or that is transmitted to us by other third parties in a legitimate manner, insofar as this is necessary for the provision of our services.
Relevant personal data includes personal details (name, address and other contact details, department, position, date and place of birth and nationality), identification data (e.g. ID card details) and authentication data (e.g. signature sample).
Every time you visit our website, our system automatically collects data and information from the computer system of the requesting computer. The following data is collected:
3. Why do we process your data (processing purpose) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
a. To fulfil contractual obligations (Art. 6 para. 1 b GDPR)
The processing of personal data (Art. 4 No. 2 GDPR) is carried out for the purpose of providing our services as a securities institution or for the implementation of pre-contractual measures.
b. Within the scope of balancing interests (Art. 6 para. 1 f GDPR)
Where necessary, we process your data to protect our legitimate interests or those of third parties. Examples:
c. Based on your consent (Art. 6 para. 1 a GDPR)
If you have given us your consent to process personal data for specific purposes (e.g. advertising by email or telephone), the lawfulness of this processing is based on your consent. Consent that has been given can be revoked at any time without giving reasons. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e. before 25 May 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.
d. Based on legal requirements (Art. 6 para. 1 c GDPR)
As a financial services institution, we are also subject to various legal obligations, i.e. legal requirements (e.g. Money Laundering Act, Capital Investment Act, tax laws) and regulatory requirements (e.g. the Federal Financial Supervisory Authority). The purposes of processing include identity verification and fraud and money laundering prevention.
4. Who receives my data?
Within Medical Strategy GmbH, those departments that need your data to fulfil our contractual and legal obligations will have access to it. Processors employed by us (Article 28 GDPR) may also receive data for these purposes. These are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting and sales and marketing.
We may only disclose information about you to recipients outside Medical Strategy GmbH who are not service providers or vicarious agents if this is required by law or if you have given your consent. Under these conditions, recipients of personal data may include, for example:
Other data recipients may be those entities to whom you have given your consent for data transfer.
5. How long will my data be stored?
As soon as data is no longer required to display the website, it will be deleted. The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no possibility for the user to object. Further storage may take place in individual cases if this is required by law.
Where necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract. It should be noted that our business relationship is a continuing obligation that is intended to last for years.
In addition, we are subject to various storage and documentation obligations, which arise, among other things, from the German Commercial Code (HGB), the German Fiscal Code (AO), the Securities Trading Act (WpIG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG). The retention and documentation periods specified therein range from two to ten years. Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.
6. Is data transferred to a third country or to an international organisation?
Data is transferred to entities in countries outside the European Union and outside the European Economic Area (so-called third countries) if
If service providers in third countries are used, they are obliged to comply with the EU standard contractual clauses in addition to written instructions in order to maintain the level of data protection in Europe.
7. What data protection rights do I have?
Every data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to data portability under Article 20 GDPR and the right to object under Article 21 GDPR. The restrictions under Sections 34 and 35 of the German Federal Data Protection Act (BDSG) apply to the right to information and the right to erasure. In addition, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
8. Am I obliged to provide data?
Within the scope of our business relationship with our customers and business partners, they must provide us with the personal data that is necessary for the establishment, implementation and termination of a business relationship or that we are legally obliged to collect.
In particular, we are obliged under money laundering regulations to identify you before establishing a business relationship, for example by means of your identity card, and to collect your name, place of birth, date of birth, nationality and residential address. In order for us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes that occur during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be able to establish or continue the business relationship you have requested.
9. To what extent is there automated decision-making?
We do not use fully automated decision-making in accordance with Article 22 of the GDPR.
10. To what extent is my data used for ‘profiling’?
We do not create personal user profiles.
11. Use of cookies
We use cookies on our website. These are small files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your device and do not contain viruses, Trojans or other malware.
Information is stored in the cookie that is related to the specific device used. However, this does not mean that we are immediately aware of your identity.
The use of cookies serves to make our website more user-friendly for you. We use so-called session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our website.
In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your device for a specific period of time. If you visit our site again to use our services, the system will automatically recognise that you have already been there and what entries and settings you have made so that you do not have to enter them again.
We also use cookies to statistically analyse the use of our website and to evaluate it for the purpose of optimising our offer for you. These cookies enable us to automatically recognise that you have already visited our site when you return. These cookies are automatically deleted after a defined period of time.
The data processed by cookies is necessary for the purposes mentioned above to protect our legitimate interests and those of third parties in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before new cookies are created. However, completely deactivating cookies may mean that you cannot use all the functions of our website.
12. Use of Matomo
If you have given your consent, Matomo, an open-source software tool for web analysis, is used on this website. The responsible service provider is InnoCraft Ltd., 150 Willis St, 6011 Wellington. For data transfers to New Zealand, there is an adequacy decision by the EU Commission pursuant to Art. 45 para. 3 GDPR.
The software is operated on our server, and the log files that are sensitive in terms of data protection are stored exclusively on this server.
The purpose of the Matomo component is to analyse visitor traffic on our website. We use the data and information obtained to evaluate the use of this website and to compile online reports showing the activities on our website.
Matomo places a cookie on your information technology system. What cookies are has already been explained above. The setting of the cookie enables us to analyse the use of our website. Each time one of the individual pages of this website is accessed, the Matomo component automatically prompts the Internet browser on your information technology system to transmit data to our server for the purpose of online analysis. As part of this technical process, we obtain personal data such as your IP address, which we use, among other things, to track the origin of visitors and clicks.
The cookie stores personal information such as the time of access, the location from which access originated and the frequency of visits to our website. Each time you visit our website, this personal data, including the IP address of the Internet connection you are using, is transmitted to our server. This personal data is stored by us. We do not pass this personal data on to third parties.
You can prevent our website from setting cookies at any time, as described above, by adjusting the settings of your internet browser and thus permanently objecting to the setting of cookies. Such a setting of the internet browser used would also prevent Matomo from setting a cookie on the information technology system of the data subject. In addition, a cookie already set by Matomo can be deleted at any time via an internet browser or other software programmes.
The legal basis for this data processing is your consent, Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by accessing the cookie settings (see footer at the bottom of the website) and changing your selection there.
However, setting the opt-out cookie may mean that our website is no longer fully usable.
Further information and the applicable data protection provisions of Matomo can be found at matomo.org/privacy/.
13. YouTube
We have integrated components from YouTube into our website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programmes, as well as music videos, trailers or videos created by users themselves, can be accessed via the Internet portal.
YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.
Each time you visit one of the individual pages of our website on which a YouTube component (YouTube video) has been integrated, your Internet browser is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information about YouTube can be found at www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google are informed about which specific subpage of our website you have visited.
The legal basis for this data processing is your consent, Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with future effect by accessing the cookie settings (see footer at the bottom of the website) and changing your selection there.
If you are logged in to YouTube at the same time, YouTube recognises which specific subpage of our website you are visiting when you call up a subpage containing a YouTube video. This information is collected by YouTube and Google and assigned to your YouTube account.
YouTube and Google will always receive information via the YouTube component that you have visited our website if you are logged into YouTube at the same time as visiting our website; this occurs regardless of whether you click on a YouTube video or not. If you do not want this information to be transferred to YouTube and Google, you can prevent this by logging out of your YouTube account before visiting our website.
The privacy policy published by YouTube, which can be found at www.google.de/intl/de/policies/privacy/, provides information about the collection, processing and use of personal data by YouTube and Google.
14. Google reCAPTCHA
We use the reCAPTCHA service provided by Google Ireland Limited, registered and operated under Irish law (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’) on our website. The query serves the purpose of distinguishing between input by a human being and automated, machine processing. For this purpose, your input is transmitted to Google and used there. In addition, the IP address and any other data required by Google for the reCAPTCHA service are transmitted to Google. This data is processed by Google within the European Union and, if necessary, also in the USA.
The processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in protecting our website from automated spying, misuse and spam.
Further information on Google reCAPTCHA and the associated privacy policy can be found at:
https://www.google.com/recaptcha/intro/android.html and https://www.google.com/privacy.
15. SalesViewer
On this website, data is collected and stored for marketing, market research and optimisation purposes using SalesViewer® technology from SalesViewer® GmbH on the basis of the legitimate interests of the website operator (Art. 6 para. 1 lit. f GDPR).
For this purpose, a JavaScript-based code is used to collect company-related data and the corresponding usage. The data collected using this technology is encrypted using a non-reversible one-way function (known as hashing). The data is immediately pseudonymised and is not used to personally identify visitors to this website.
The data stored within SalesViewer® is deleted as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it.
You can object to the collection and storage of data at any time with future effect by clicking on this link https://www.salesviewer.com/opt-out to prevent SalesViewer® from collecting data on this website in future. An opt-out cookie will be stored on your device for this website. If you delete your cookies in this browser, you will need to click on this link again.
16. Newsletter
Our website offers you the opportunity to subscribe to the Medical Strategy newsletter. To do so, you must provide a valid email address and your surname so that we can send you a personalised newsletter. Further information is optional. After registering, you will receive a confirmation email to verify that you are the owner of the email address provided.
When you register for the newsletter, we store the IP address assigned by your Internet service provider (ISP) to the computer system you used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace any misuse of a data subject's email address at a later date and therefore serves to provide legal protection for the controller.
The personal data collected when you register for the newsletter will be used exclusively for sending our newsletter and stored on the basis of your consent (Art. 6 para. 1 sentence 1 lit. a GDPR). You can revoke your consent at any time. To do so, simply send us an informal email or click on the unsubscribe link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
17. Hyperlinks to external websites
Our website contains so-called hyperlinks to websites of other providers. When you activate these hyperlinks, you will be redirected from our website directly to the website of the other provider. You can recognise this, among other things, by the change in the URL. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on these companies' compliance with data protection regulations. Please refer to these websites directly for information on how these companies handle your personal data.
18. Information about your right to object under Article 21 GDPR
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made informally and should be addressed to:
Medical Strategy GmbH
‘Objection pursuant to GDPR’
Bahnhofstraße 7
82166 Gräfelfing
Email: relations@medicalstrategy.de
As of: 30 April 2025