Sartorius eShop Privacy Notice
This Privacy Notice provides information on the processing of your personal data in connection with your use of the Sartorius eShop websites ("Sartorius eShop").
This Privacy Notice is intended for use across multiple jurisdictions. For information specific to your jurisdiction, please see the relevant annexure to this Privacy Notice.
Personal data includes any information related to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the Sartorius company that determines the purposes and means for the processing of your personal data and is responsible for the processing of your personal data under applicable data privacy laws and regulations.
GDPR means the General Data Protection Regulation.
Sartorius AG, Otto-Brenner-Straße 20, 37079 Göttingen, Germany, e-mail: info@sartorius.com and/or other members of the Sartorius group of companies ("Sartorius", "we", "our" or "us") is the controller of the processing of your personal data in connection with your use of the Sartorius eShop.
The Sartorius Data Protection Officer and the Sartorius Group Data Protection Organization are available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at dataprotection@sartorius.com.
2.1 Accessing the eShop
If you visit the Sartorius eShop without registering or logging in, we process the following log data concerning you:
- IP address,
- The operating system and web browser you use and your screen resolution setting, language and country,
- The date and time of your visit.
We process this data on the basis of Art. 6 (1) (f) GDPR due to our legitimate interest in being able to properly display the website to you, as well as in the context of updates, security and troubleshooting measures, and to improve and further develop our online offerings. The log data is stored for a period of 90 days and deleted thereafter.
2.2 Registration
If you register with the Sartorius eShop, we collect the personal data required for the establishment and performance of the contract, e.g.:
- Identification data (e.g. name, salutation and title, telephone numbers, e-mail, address, IP address),
- Company Data (e.g. address, Sales Tax ID).
You must provide the personal data required in order to establish and implement a business relationship and for the fulfilment of the associated contractual obligations, or which we are legally obliged to process. Please note that unless you provide such personal data we will not be able to enter into or implement a contract with you.
This data is processed for the performance of the contract, Art. 6 (1) (b) GDPR or on the basis of legal obligations, Art. 6 (1) (c) GDPR.
2.3 Activation of Sartorius ID
The Sartorius ID provides our customers with the option to log in at various online services provided by the Sartorius Group or third parties. The Sartorius ID acts as a central user account where customers can manage their personal data. The data processing necessary for this is carried out as part of the performance of a contract (Art. 6 (1) (b) GDPR).
To be able to place orders in the Sartorius eShop, the Sartorius ID must be connected to the Sartorius eShop ("activation"). Therefore, it is necessary to create a Sartorius ID or to log in with an existing Sartorius ID. The activation is based on our legitimate interest in the contractual provision of the service (Art. 6 (1) (f) GDPR).
Further information on the processing of your data in relation to the Sartorius ID is available in the Sartorius ID Privacy Notice under https://my.sartorius.com/data-privacy.
2.4 Use of the eShop
If you visit the Sartorius eShop and log in, we process the following categories of data for the purpose of ordering the relevant service or products:
- Order data (e.g. name, telephone, e-mail, address, IP address),
- Contract master data (contractual relationship, interest in a product or contract),
- Customer history,
- Contract billing, payment and disbursement information, including data related to repayments,
- Communication data.
This data is processed for the performance of the contract, Art. 6 (1) (b) GDPR.
2.5 Payments
The Sartorius eShop uses external payment service providers. We collect your personal data for payment and, if applicable, disbursement processing to fulfil a contract.
Your personal data will also be processed for the purposes of investigating and preventing fraud, abuse, security incidents and other harmful activities, e.g. anti-money laundering measures and law enforcement. The basis for this is compliance with applicable laws (e.g. prevention of money laundering) as well as our legitimate interest in limiting the risk of payment defaults. Likewise, security investigations and risk assessments may take place because of our legitimate interest in preventing fraud and other harmful activities. We may also process your personal data to calculate the fees we owe to your card-issuing bank based on our legitimate interest in maintaining our business operations. Depending on which payment method you choose as part of the ordering process, we will pass on the data collected for the processing of payments (e.g. bank details or credit card data) to the credit institution commissioned to make the payment or to payment service providers commissioned by us. In some cases, payment service providers also collect and process this data as data controllers. In this respect, the data protection information of the respective payment service provider shall apply.
If you pay with credit card and provide the bank, card and/or authorization details we will use external service providers, known as "third parties", to process your credit card-based payment. Gateway payment providers act as processors and ensure the technical processing of card-based payments via a technical infrastructure.
Payment service providers act as independent data controllers for the acceptance and settlement of payment transactions, including the secure routing and settlement of credit card transactions with international credit card companies. Payment service providers process your personal data and also transmit this data to other data controllers in order to implement the payment or to comply with legal requirements. If you wish to use your credit card for payment, the card payment must first be authorized. This authorization takes place automatically using your data. In particular, the following considerations may play a role: Payment amount, place of payment, previous payment history, merchant, purpose of payment. Card payment is not possible without authorization. This does not affect other payment methods (e.g. other cards).
This data is processed for the performance of the contract, Art. 6 (1) (b) GDPR.
2.6 Contact
The Sartorius eShop offers you a variety of contact options (e.g. contact form, e-mail communication). When we receive inquiries regarding products and services from Sartorius, we process your personal data to answer inquiries, if necessary, to solve problems and to maintain and secure your satisfaction as a customer and that of your customers. The personal data provided to us in this way will be used solely for the purpose specified when you contacted us. Should you contact us outside of a specific contractual relationship or registration, the legal basis for data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. The legal basis in the case of a contractual relationship or registration is Art. 6 (1) (b) GDPR.
2.7 Product or customer surveys by e-mail and/or telephone
The Sartorius eShop offers you the opportunity to participate in product or customer surveys aimed at optimizing and developing our products and services. If you wish to take the opportunity to participate in an online (e.g. e-mail) or telephone product or customer survey, we will only use your personal data to contact you with your express consent. The legal basis for processing this data is Art. 6 (1) (a) GDPR.
2.8 Competitions
If you take part in one of our competitions, your personal data will be stored and used by us for the purpose of running the competition and the associated follow-up in accordance with the relevant competition conditions. The legal basis for processing this data is Art. 6 (1) (b) GDPR.
2.9 Newsletters
You can subscribe to the Sartorius Newsletter on our website. We will process your personal data collected in this context on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.
We analyze the behavior of our newsletter readers on the basis of their consent in order to design our newsletter in line with their needs and to optimize our content. When you read the newsletter, we record which links you click on in the newsletter and use this information to deduce your personal interests. We link this data to technical information about your device (e.g. time of access, browser type and operating system).
2.10 Cookies
In the context of Sartorius eShop, cookies and tracking mechanisms (“Cookies”) may be used.
On accessing Sartorius eShop the user is notified of the use of cookies and has the opportunity to select or deselect individual cookies in the banner, except for the session cookies which are required for operation. This setting obtains your consent to process the personal data used in this connection before the processing starts. For reasons based on your particular situation, you have the right to object to the processing of your personal data at any time. Furthermore, you can revoke your given consent at any time with effect for the future by changing your preferences in our Privacy Preference Center.
You can find further information about the use of cookies by Sartorius in our Sartorius Cookie Notice.
2.11 Investigation of faults and preservation and defense of our rights for security reasons
In order to eliminate faults or to preserve evidence in the event of security incidents, we will process your personal data in order to fulfil our legal obligations in the area of data security, Art. 6 (1) (c) GDPR. In addition, we have a legitimate interest in eliminating faults and ensuring the security of the Sartorius eShop, Art. 6 (1) (f) GDPR. When we have a legitimate interest in asserting and defending our rights, we will process the necessary personal data in accordance with Art. 6 (1) (f) GDPR.
2.12 Compliance with statutory and regulatory requirements
In the case of direct sales and the provision of digital services, we process your personal data (first name, last name, address, country) for the purposes of preventing fraud and money laundering, of preventing, combating and resolving terrorist financing and property crimes, as well as for comparison with European and international anti-terror lists. Sartorius is required to do so in particular under statutory obligations (such as the Anti-Money Laundering Act or the European embargo and terrorism regulations). Under certain circumstances, Sartorius has a legitimate interest in observing and complying with obligations imposed by public and other competent government authorities - within or outside your country of residence - in order not to expose Sartorius and its representatives to criminal or civil sanctions.
The legal basis for the processing of your personal data for the stated purposes is Art. 6 (1) (c) GDPR in the case of statutory obligations or Art. 6 (1) (f) GDPR in the case of a legitimate interest.
Because of our fiscal and commercial-law retention obligations, we usually store the personal data you provide for seven years after contract fulfilment, but, if legally required, we may store your data for up to a maximum of 30 years after collecting the data in order to comply with our legal obligations.
For the purposes mentioned above Sartorius may transfer or disclose your personal data to:
- Other companies of the Sartorius Group or third parties in the context of your usage of the Sartorius eShop or our business relationship with you;
- Third parties which provide IT services to Sartorius, and which process such data only for the purpose of such services (e.g., hosting or IT maintenance and support services); and/or
- Third parties in connection with complying with legal obligations or establishing, exercising or defending rights or claims (e.g., for court and arbitration proceedings, to law enforcement authorities and regulators, to attorneys and consultants).
If we decide to sell, buy, merge, or otherwise reorganize businesses in some countries, such a transaction may involve disclosing some personal information to prospective or actual business purchasers, or the collection of personal information from those selling such businesses.
In the event that we transfer your personal data outside the European Union (“EU”) or the European Economic Area (“EEA”), we ensure that your data is protected in a manner which is consistent with the GDPR. Therefore, and if required by applicable law, Sartorius transfers personal data to external recipients outside the EU or EEA only if the special requirements of Art. 44 ff. GDPR are fulfilled.
You can view the EU standard contractual clauses used at this link or request a copy from us.
- In general, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
- To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
- Specific information about data retention in connection with the single purposes of data processing can be found in the corresponding Sections above.
You must provide the personal data required in order to establish and implement a business relationship and for the fulfilment of the associated contractual obligations, or which we are legally obliged to process. We mark such personal data in the respective forms or functions accordingly. Please note that unless you provide such personal data we will not be able to enter into or implement a contract with you. In this case, the online offers or other services (see "2. Processing") cannot be used.
The Sartorius eShop can contain links to the websites of third parties − to providers who are not affiliated with us. After you click the link, we no longer have any influence on the collection, processing and utilization of any personal data that is transferred to third parties (for example, the IP address or the URL of the website on which the link is located), as our control of the conduct of third parties is then naturally withdrawn. We accept no responsibility for the processing of such personal data by third parties.
The Sartorius eShop is not intended for children under the age of 16.
Under applicable data protection law, you may have specific rights in relation to your personal data. These rights will differ in each jurisdiction. In particular, and subject to the statutory requirements, you may have the following data protection rights:
- Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
- Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
- Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
- Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
- Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
- Right to object: You might have the right to object to the processing of your personal data by us, in particular, if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
- Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority or other applicable privacy regulator about our processing of your data. This can be for example the data protection authority in your country of residence. A list of all data protection authorities in the European Union can be found here.
- Right to withdrawal: If data processing is based on your consent, you have the right to withdraw your consent at any time and free of charge, with effect for the future via eShop@sartorius.com, via the contact details given in the imprint or other methods as we may inform you from time to time, i.e., your withdrawal does not affect the lawfulness of the processing based on consent before its withdrawal. If the consent is withdrawn, Sartorius may only further process the personal data where there is another legal basis for the processing. The withdrawal of consent may mean that Sartorius cannot provide you with the services you would like.
To exercise your rights, please contact eShop@sartorius.com.
Sartorius reserves the right to update this Privacy Notice, for example, due to changes in the cookies used by Sartorius or for other operational, legal or regulatory reasons, and any changes will take effect upon publication. We encourage you to check from time to time for any changes.
Supplementary Privacy Notice - New Zealand
1.1 Applicable Law
In New Zealand, the Privacy Act 2020 and the Privacy Regulations 2020 (“NZ Privacy Law”) provide the main guidance for the collection, use, disclosure, storage, and destruction of your Personal Data.
The definition of “Personal Data” used in this Privacy Notice includes the local definition of Personal Information contained in the NZ Privacy Law, which is defined as information about an identifiable natural person. Where possible, we only collect personal information directly from you.
1.2 Data Protection Officer
For the purpose of compliance with the NZ Privacy Law, the Sartorius Data Protection Officer is the “Privacy Officer”, and can be contacted by email at dataprotection@sartorius.com.
1.3 Your rights
If you are a resident of New Zealand, you have the right to:
- Find out if we use your Personal Data and, subject to some exceptions and conditions as permitted in the NZ Privacy Law, access your Personal Data, receive copies of your Personal Data and have your Personal Data corrected or amended if it is inaccurate or incomplete. If there is a legal reason why we can’t let you see it, or if we don’t agree with your requested correction, then we’ll tell you. We may charge you our reasonable costs of providing you with copies of your Personal Data and for any correction;
- Withdraw any express consent that you have provided to the processing of your Personal Data at any time without penalty. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
To make these requests, please contact us via email at dataprotection@sartorius.com.
1.4 International Transfers
We may disclose your Personal Data to third parties located outside New Zealand (including our affiliates, subsidiaries, business partners and third-party service providers), including to assist us in providing our services to you, and you consent to that disclosure and transfer. We take reasonable steps to ensure that any third party provider is required to protect your personal information in a way that provides comparable safeguards to those required under the NZ Privacy Law.
1.5 Complaints
For customers in New Zealand, if you believe that your Personal Data has been processed in a way that does not comply with NZ Privacy Law, please contact the Sartorius Data Protection Officer by email at dataprotection@sartorius.com. Your complaint will be handled in accordance with the requirements of the NZ Privacy Law.
You also have the right to lodge a complaint with the NZ Privacy Commissioner at https://www.privacy.org.nz/your-rights/making-a-complaint/complaint-form/.
2.1 Applicable Law
In Australia, the Australian Privacy Principles (“APP”) as set out in the Privacy Act 1988 (Cth) (“AU Privacy Act”) provide the main guidance for the collection, use, disclosure, storage and destruction of your Personal Data.
The definition of “Personal Data” used in this Privacy Notice is intended to include the local Australian definitions for “personal information” and “sensitive information”, being:
- Personal Information - information or an opinion about an identified individual or a reasonably identifiable individual (i.e. name, address, email address, phone number and date of birth).
- Sensitive Information - information or an opinion about an individual’s racial or ethnic origin, political opinions, political association membership, religious beliefs or affiliations, philosophical beliefs, professional or trade association membership, trade union membership, sexual orientation or practices, criminal record, health information, genetic information and biometric templates.
2.2 Data Protection Officer
The Sartorius Data Protection Officer can be contacted by email at dataprotection@sartorius.com.
2.3 Legal basis of the processing
We collect, hold, use, store and disclose your Personal Data for the purposes set out in this Privacy Notice. Your Personal Data may be collected and used as it is permitted by law, including under APP 3.1, where the collected Personal Data is reasonably necessary for the delivery of our business functions and activities. We will take all reasonable steps to ensure that any Personal Data we collect, use or disclose is accurate, complete and up to date.
2.4 Your rights
If you are a resident of Australia, you have the right to:
- Request access to, correction of and (in some cases) deletion of your Personal Data held by us, as permitted in the AU Privacy Act. We will comply with your request, unless we have a legal reason to refuse. We will not charge you for making a request to access or correct your Personal Data, although we may charge you our reasonable costs of providing you with copies of your Personal Data;
- Withdraw any express consent that you have provided to the processing of your Personal Data at any time without penalty. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent;
- Opt out of our marketing communications where you have provided consent; and
- Communicate with us on an anonymous or pseudonymous basis, unless there is a legal requirement to disclose your true identity (eg, processing payments).
To make these requests, please contact us via email at eShop@sartorius.com.
2.5 International Transfers
We may collect your Personal Data directly from our business locations outside of Australia, and hold and store it in locations outside of Australia. We may also disclose your Personal Data to third parties located outside Australia (including our affiliates, subsidiaries, business partners and third-party service providers), including to assist us in providing our services to you, and you consent to that disclosure and transfer. We take reasonable steps to ensure that any third party provider is required to protect your personal information in a way that provides comparable safeguards to those required under the AU Privacy Act. Our overseas affiliates are located globally, but Sartorius’ head office is located in Göttingen, Germany and our main service provision related to the operation of our e-shop is located in Germany.
2.6 Complaints
For customers in Australia, if you believe that your Personal Data has been processed in a way that does not comply with local laws, please contact the Sartorius Data Protection Officer by email at dataprotection@sartorius.com. Your complaint will be handled in accordance with the requirements of the AU Privacy Act.
You have the right to lodge a complaint with the regulator, the Office of the Australian Information Commissioner at https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us.
3.1 Applicable Law
In Singapore, the Personal Data Protection Act 2012 (as amended) (the “PDPA”) governs the collection, use, disclosure, storage, transfer, and protection of personal data by organisations.
For the purposes of this Supplementary Data Protection Notice, references to “Personal Data” include “personal data” as defined under the PDPA, being data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
Where there is any inconsistency between this Singapore Supplementary Notice and the main body of this Privacy Notice, this Singapore Supplementary Notice shall apply to individuals in Singapore to the extent of such inconsistency.
3.2 Accountability and Contact Details
For the purposes of compliance with the PDPA, Sartorius has appointed a Data Protection Officer (or equivalent function).
Queries, requests, or complaints relating to the handling of personal data under Singapore law may be directed to:
Email: dataprotection@sartorius.com
3.3 Purposes and Legal Bases for Processing
Under the PDPA, organisations may collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, and where applicable consent requirements or statutory exceptions are met.
In particular, personal data may be collected, used, or disclosed:
- with the individual’s consent;
- where consent may be deemed under the PDPA; or
- where an exception under the PDPA applies (including for contractual necessity, legitimate interests, or compliance with legal obligations).
The purposes for which personal data is processed are described in the main body of this Privacy Notice.
3.4 Consent and Withdrawal of Consent
Where consent is required under the PDPA, individuals may withdraw their consent at any time by contacting Sartorius using the contact details above.
Please note that withdrawing consent may affect Sartorius’ ability to continue providing products or services where the processing of personal data is necessary for such purposes.
3.5 Access and Correction Rights
Under the PDPA, individuals in Singapore have the right to:
- request access to their personal data in the possession or control of Sartorius; and
- request correction of their personal data where it is inaccurate or incomplete,
subject to applicable exceptions under the PDPA.
Requests for access or correction may be submitted using the contact details above. Sartorius may charge a reasonable fee for access requests, where permitted by law.
3.6 Cross-Border Transfers
Sartorius may transfer personal data outside Singapore, including to other members of the Sartorius Group and third-party service providers located outside Singapore.
Where personal data is transferred outside Singapore, Sartorius takes reasonable steps to ensure that the transferred personal data is afforded a standard of protection that is comparable to that required under the PDPA.
3.7 Data Breach Management
In the event of a data breach involving personal data that meets the notification thresholds under the PDPA, Sartorius will take steps to assess the incident and notify affected individuals and/or the Singapore Personal Data Protection Commission (“PDPC”), where required.
3.8 Complaints
If you believe that your personal data has been handled in a manner that is inconsistent with the PDPA, you may contact Sartorius using the contact details above.
You may also lodge a complaint with the Singapore Personal Data Protection Commission at:
https://www.pdpc.gov.sg