In this privacy notice, we wish to inform you about the nature, scope and purpose of the personal data we process.
The controller within the meaning of Art. 4(7) GDPR is Melisana AG, Grüngasse 19, 8004 Zurich (hereinafter: "we" or "us").
I. PURPOSES AND LEGAL BASES OF THE PROCESSING
1. Processing of your contact data
We process your contact data (e.g. last name, first name, address, email address, date of birth). We collect some of this data from you ourselves, or through a third party.
We process your data in order to fulfil and perform our contractual obligations. We may also use service providers for this purpose. In this case, personal information such as name, address, date of birth, etc. may be forwarded to them.
The legal basis for this is Art. 6(1)(1)(b) GDPR
If required, we process your data beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. This is necessary, for example, in order to establish and defend legal claims in legal disputes, to prevent or investigate criminal offences, for consultation and data exchange with credit agencies, or for business management activities and further development of our products and services.
The legal basis for this is Art. 6(1)(1)(f) GDPR
If you have given us your consent to process personal data for specific purposes, the lawfulness of this – purpose-related – processing is based on your consent. Consent that has been given can be withdrawn at any time. The withdrawal of consent is with effect for the future; it does not affect the lawfulness of the data processed before the withdrawal.
The legal basis for this is Art. 6(1)(1)(a) GDPR.
In addition, we process your contact data to comply with relevant legal obligations (see I.4. below).
The legal basis for this is Art. 6(1)(1)(c) GDPR.
2. Processing in the context of our loyalty scheme
We process the personal data you provide (e.g. name, address data, email address) as part of our loyalty scheme (loyalty cards). The purpose of the processing is to reward your loyalty.
The legal basis for this is Art. 6(1)(1)(b) GDPR.
You are not obliged to provide us with your personal data as part of the loyalty scheme. However, you cannot join the scheme without providing your information.
If you have given us your consent to do so, we also process your personal data in order to contact you by email and to send you information, newsletters and offers from Melisana that are tailored to your specific interests.
The subject matter of the information and offers includes, in particular, information and news about the company, product information, reports on new study results, and invitations to take part in short surveys/market research surveys.
Your data will be stored until you cancel your newsletter subscription.
Users who do not want their data to be processed in this way should unsubscribe from the newsletter. You will find an unsubscribe link in every newsletter email. You can also contact us at the address given below.
The legal basis for this is Art. 6(1)(1)(a) GDPR.
II. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF YOUR DATA
At our company, only those employees who need your personal data to fulfil our contractual and legal obligations will have access to it. Your data will only be passed on to external parties if this is permitted or required by law or if you have given your consent.
The categories of external recipients of your data are listed below:
III. TRANSFER TO THIRD COUNTRIES
Data are only transferred to countries outside the EU or the European Economic Area EEA ("third countries") if this is necessary in order to manage our contractual relationships, or is permitted or required by law (e.g. reporting obligations under tax law), or if you have given us your consent, or as part of order processing. When we use service providers in third countries, they are required to comply with the level of data protection in Europe by agreeing to the EU Standard Contractual Clauses. Alternatively, we transfer the data based on an adequacy decision by the European Commission. Further information can be obtained from our data protection officer.
IV. HOW LONG WE STORE YOUR PERSONAL DATA
We only process your personal data for as long necessary to fulfil the purposes listed in section I. We then delete it unless we are required to store it for a longer period.
Special statutory provisions may require a longer retention period, e.g. the preservation of evidence under statutory limitation periods.
V. NO AUTOMATED INDIVIDUAL DECISION-MAKING (INCLUDING PROFILING)
We do not use any procedures for purely automated decision-making in individual cases (including profiling) as provided for in Art. 22 GDPR. If we do use such a procedure in individual cases in the future, we will inform you of this separately.
VI. YOUR DATA PROTECTION RIGHTS
Under certain conditions, you can exercise your data protection rights with us
- Right of access
You have the right to request confirmation from us at any time as to whether we are processing personal data concerning you. If this is the case, you have the right to access information about this personal data and certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, your rights, the source of the data, the use of automated decision-making and, in the case of transfer to a third country, the appropriate guarantees).
- Right to rectification
You have the right to demand that we rectify the personal data stored about you if it is inaccurate or incorrect.
- Right to erasure
Under certain conditions, you have the right to demand that we erase personal data concerning you without undue delay. In certain cases, the right to erasure does not apply: for example, if the processing of personal data is necessary (i) to exercise the right of freedom of expression and information, (ii) to comply with a legal obligation to which we are subject (e.g. statutory retention obligations) or (iii) to establish, exercise or defend legal claims.
- Right to restriction of processing
You have the right to demand that we restrict the processing of your personal data.
- Right to data portability
Under certain conditions, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.
- Right of withdrawal
You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.
Information about your right to object under Art. 21 GDPR
1. You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6(1)(1)(f) GDPR (data processing based on a balancing of interests). This also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR.
If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
2. We also process your personal data in individual cases for direct marketing purposes. If you do not wish to receive any marketing, you have the right to object to this at any time; this also applies to profiling, where it is related to such direct marketing. We will honour this objection for the future.
We will no longer process your data for direct marketing purposes if you object to processing for these purposes.
You can address enquiries regarding the exercise of your aforementioned data protection rights to us either using the contact details of the controller as provided above, or by email to firstname.lastname@example.org, or by contacting our external data protection officer using the following contact details:
Mr Alexander Bugl, Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Eifelstraße 55, 93057 Regensburg, Germany, Tel. +49 941-630 49 789, email: Datenschutz.email@example.com.
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
Last updated: September 2023