Sartorius eShop Privacy Notice

The Sartorius AG, Otto-Brenner-Straße 20, 37079 Göttingen, Germany, e-mail: info@sartorius.com ("Sartorius", "we", "our" or "us") is the controller of the processing of your personal data in connection with your use of the Sartorius eShop.

The Sartorius Data Protection Officer and the Sartorius Group Data Protection Organization are available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at dataprotection@sartorius.com.

2.1 Accessing the eShop

If you visit the Sartorius eShop without registering or logging in, we process the following log data concerning you:

• IP address,
• The operating system and web browser you use and your screen resolution setting, language  and country
• The date and time of your visit.

We process this data on the basis of Art. 6 (1) (f) GDPR due to our legitimate interest in being able to properly display the website to you, as well as in the context of updates, security and troubleshooting measures, and to improve and further develop our online offerings. The log data is stored for a period of 90 days and deleted thereafter. 

2.2 Registration

If you register with the Sartorius eShop, we collect the personal data required for the establishment and performance of the contract, e.g.:

• Identification data (e.g. name, salutation and title, telephone numbers, e-mail, address, IP address),
• Company Data (e.g. address, Sales Tax ID)           .

You must provide the personal data required in order to establish and implement a business relationship and for the fulfilment of the associated contractual obligations, or which we are legally obliged to process. Please note that unless you provide such personal data we will not be able to enter into or implement a contract with you.

This data is processed for the performance of the contract, Art. 6 (1) (b) GDPR or on the basis of legal obligations, Art. 6 (1) (c) GDPR.

2.3 Activation of Sartorius ID

The Sartorius ID provides our customers with the option to log in at various online services provided by the Sartorius Group or third parties. The Sartorius ID acts as a central user account where customers can manage their personal data. The data processing necessary for this is carried out as part of the performance of a contract (Art. 6 (1) (b) GDPR).

To be able to place orders in the Sartorius eShop, the Sartorius ID must be connected to the Sartorius eShop ("activation"). Therefore, it is necessary to create a Sartorius ID or to log in with an existing Sartorius ID. The activation is based on our legitimate interest in the contractual provision of the service (Art. 6 (1) (f) GDPR).

Further information on the processing of your data in relation to the Sartorius ID is available in the Sartorius ID Privacy Notice.

2.4 Use of the eShop

If you visit the Sartorius eShop and log in, we process the following categories of data for the purpose of ordering the relevant service or products:

• Order data (e.g. name, telephone, e-mail, address, IP address),
• Contract master data (contractual relationship, interest in a product or contract),
• Customer history,
• Contract billing, payment and disbursement information, including data related to repayments,
• Communication data.

This data is processed for the performance of the contract, Art. 6 (1) (b) GDPR.

2.5 Payments

The Sartorius eShop uses external payment service providers. We collect your personal data for payment and, if applicable, disbursement processing to fulfil a contract.

Your personal data will also be processed for the purposes of investigating and preventing fraud, abuse, security incidents and other harmful activities, e.g. anti-money laundering measures and law enforcement. The basis for this is compliance with applicable laws (e.g. prevention of money laundering) as well as our legitimate interest in limiting the risk of payment defaults. Likewise, security investigations and risk assessments may take place because of our legitimate interest in preventing fraud and other harmful activities. We may also process your personal data to calculate the fees we owe to your card-issuing bank based on our legitimate interest in maintaining our business operations. Depending on which payment method you choose as part of the ordering process, we will pass on the data collected for the processing of payments (e.g. bank details or credit card data) to the credit institution commissioned to make the payment or to payment service providers commissioned by us. In some cases, payment service providers also collect and process this data as data controllers. In this respect, the data protection information of the respective payment service provider shall apply.

If you pay with credit card and provide the bank, card and/or authorization details we will use external service providers, known as "third parties", to process your credit card-based payment. Gateway payment providers act as processors and ensure the technical processing of card-based payments via a technical infrastructure.

Payment service providers act as independent data controllers for the acceptance and settlement of payment transactions, including the secure routing and settlement of credit card transactions with international credit card companies. Payment service providers process your personal data and also transmit this data to other data controllers in order to implement the payment or to comply with legal requirements. If you wish to use your credit card for payment, the card payment must first be authorized. This authorization takes place automatically using your data. In particular, the following considerations may play a role: Payment amount, place of payment, previous payment history, merchant, purpose of payment. Card payment is not possible without authorization. This does not affect other payment methods (e.g. other cards).

This data is processed for the performance of the contract, Art. 6 (1) (b) GDPR. 

2.6 Contact

The Sartorius eShop offers you a variety of contact options (e.g. contact form, e-mail communication). When we receive inquiries regarding products and services from Sartorius, we process your personal data to answer inquiries, if necessary, to solve problems and to maintain and secure your satisfaction as a customer and that of your customers. The personal data provided to us in this way will be used solely for the purpose specified when you contacted us. Should you contact us outside of a specific contractual relationship or registration, the legal basis for data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. The legal basis in the case of a contractual relationship or registration is Art. 6 (1) (b) GDPR.

2.7 Product or customer surveys by e-mail and/or telephone

The Sartorius eShop offers you the opportunity to participate in product or customer surveys aimed at optimizing and developing our products and services. If you wish to take the opportunity to participate in an online (e.g. e-mail) or telephone product or customer survey, we will only use your personal data to contact you with your express consent. The legal basis for processing this data is Art. 6 (1) (a) GDPR.

2.8 Competitions

If you take part in one of our competitions, your personal data will be stored and used by us for the purpose of running the competition and the associated follow-up in accordance with the relevant competition conditions. The legal basis for processing this data is Art. 6 (1) (b) GDPR.

2.9 Newsletters

You can subscribe to the Sartorius Newsletter on our website. We will process your personal data collected in this context on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.

We analyze the behavior of our newsletter readers on the basis of their consent in order to design our newsletter in line with their needs and to optimize our content. When you read the newsletter, we record which links you click on in the newsletter and use this information to deduce your personal interests. We link this data to technical information about your device (e.g. time of access, browser type and operating system).

2.10 Cookies

In the context of Sartorius eShop, cookies and tracking mechanisms (“Cookies”) may be used.

On accessing Sartorius eShop the user is notified of the use of cookies and has the opportunity to select or deselect individual cookies in the banner, except for the session cookies which are required for operation. This setting obtains your consent to process the personal data used in this connection before the processing starts. For reasons based on your particular situation, you have the right to object to the processing of your personal data at any time. Furthermore, you can revoke your given consent at any time with effect for the future by changing your preferences in our Privacy Preference Center

You can find further information about the use of cookies by Sartorius in our Sartorius Cookie Notice.

2.11 Investigation of faults and preservation and defense of our rights for security reasons

In order to eliminate faults or to preserve evidence in the event of security incidents, we will process your personal data in order to fulfil our legal obligations in the area of data security, Art. 6 (1) (c) GDPR. In addition, we have a legitimate interest in eliminating faults and ensuring the security of the Sartorius eShop, Art. 6 (1) (f) GDPR. When we have a legitimate interest in asserting and defending our rights, we will process the necessary personal data in accordance with Art. 6 (1) (f) GDPR.

2.12 Compliance with statutory and regulatory requirements

In the case of direct sales and the provision of digital services, we process your personal data (first name, last name, address, country) for the purposes of preventing fraud and money laundering, of preventing, combating and resolving terrorist financing and property crimes, as well as for comparison with European and international anti-terror lists. Sartorius is required to do so in particular under statutory obligations (such as the Anti-Money Laundering Act or the European embargo and terrorism regulations). Under certain circumstances, Sartorius has a legitimate interest in observing and complying with obligations imposed by public and other competent government authorities - within or outside your country of residence - in order not to expose Sartorius and its representatives to criminal or civil sanctions.

The legal basis for the processing of your personal data for the stated purposes is Art. 6 (1) (c) GDPR in the case of statutory obligations or Art. 6 (1) (f) GDPR in the case of a legitimate interest.

For reasons of our fiscal and legal commercial retention obligations we store your personal data provided usually for seven years after contract fulfilment, but – if legally required – we may store your data up to a maximum of 30 years after collecting the data in order to comply with our legal obligations.

For the purposes mentioned above Sartorius may transfer or disclose your personal data to:

• Other companies of the Sartorius Group or third parties in the context of your usage of the Sartorius eShop or our business relationship with you;
• Third parties which provide IT services to Sartorius, and which process such data only for the purpose of such services (e.g., hosting or IT maintenance and support services); and/or
• Third parties in connection with complying with legal obligations or establishing, exercising or defending rights or claims (e.g., for court and arbitration proceedings, to law enforcement authorities and regulators, to attorneys and consultants).

If we decide to sell, buy, merge, or otherwise reorganize businesses in some countries, such a transaction may involve disclosing some personal information to prospective or actual business purchasers, or the collection of personal information from those selling such businesses.

In the event that we transfer your personal data outside the European Union (”EU”) or the European Economic Area (“EEA”), we ensure that your data is protected in a manner which is consistent with the GDPR.  Therefore, and if required by applicable law, Sartorius transfers personal data to external recipients outside the EU or EEA only if the special requirements of Art. 44 ff. GDPR are fulfilled.

You can view the EU standard contractual clauses used at this link or request a copy from us.

4.1  In general, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

4.2 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

4.3 Specific information about data retention in connection with the single purposes of data processing can be found in the corresponding Sections above.

You must provide the personal data required in order to establish and implement a business relationship and for the fulfilment of the associated contractual obligations, or which we are legally obliged to process. We mark such personal data in the respective forms or functions accordingly. Please note that unless you provide such personal data we will not be able to enter into or implement a contract with you. In this case, the online offers or other services (see 2. Processing ") cannot be used.

The Sartorius eShop can contain links to the websites of third parties − to providers who are not affiliated with us. After you click the link, we no longer have any influence on the collection, processing and utilization of any personal data that is transferred to third parties (for example, the IP address or the URL of the website on which the link is located), as our control of the conduct of third parties is then naturally withdrawn. We accept no responsibility for the processing of such personal data by third parties.

The Sartorius eShop is not intended for children under the age of 16.

Under applicable data protection law, you may have specific rights in relation to your personal data. In particular, and subject to the statutory requirements, you may have the following data protection rights:

• Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
• Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
• Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
• Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
• Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
• Right to object: You might have the right to object to the processing of your personal data by us, in particular, if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
• Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority or other applicable privacy regulator about our processing of your data. This can be for example the data protection authority in your country of residence. A list of all data protection authorities in the European Union can be found here.
• Right to withdrawal: If data processing is based on your consent, you have the right to withdraw your consent at any time and free of charge, with effect for the future via  eShop@sartorius.com, via the contact details given in the imprint or other methods as we may inform you from time to time, i.e., your withdrawal does not affect the lawfulness of the processing based on consent before its withdrawal. If the consent is withdrawn, Sartorius may only further process the personal data where there is another legal basis for the processing.

To exercise your rights, please contact eShop@sartorius.com.

Sartorius reserves the right to update this Privacy Notice, for example, due to changes in the cookies used by Sartorius or for other operational, legal or regulatory reasons.