Sartorius Service Connect App Privacy Notice

Status: March 2021

Preamble

Protecting the security and privacy of your personal data is important to Sartorius Lab Instruments GmbH & Co. KG, Otto-Brenner-Strasse 20, 37079 Goettingen, Germany ("Sartorius"). Therefore, Sartorius operates the Service Connect App ("App") in compliance with applicable laws on data protection and data security.

In the following, we inform you about the processing of personal data when using our App. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

The data controller in the meaning of the General Data Protection Regulation (GDPR) for the processing activities described in this Privacy Notice is:

Sartorius Lab Instruments GmbH & Co. KG, Otto-Brenner-Strasse 20, 37079 Goettingen, Germany, e-mail: info@sartorius.com

Before you can install this App, you may need to enter into a usage agreement with an App Store operator (e.g. Google, Apple) to access its portal (e.g. Google Play, Apple App Store - "App Stores"). The App Store operator collects and processes data in connection with the use of the App Store, such as user name, email address and individual device identification number as the responsible party. We process the data only to the extent necessary to download the App to your device. We are not party to the usage agreement with the App Store operator and have no influence on its data processing. In this respect, the privacy policy of the respective App store operator applies.

When visiting and using the App, Sartorius processes the following personal data:

  1. 3.1 Information that is ­collected automatically

As part of your use of the App, we ­automatically collect certain data that is ­required for the ­use of the App. ­This includes: internal device ID, version of your ­operating system, time of access.

This data is ­automatically transmitted to us but is not ­stored in order to

  • ­Provide you with the Service and ­related features;
  • ­Improve the functions and performance features of ­the App and
  • ­Prevent and ­eliminate misuse and malfunctions.

This data processing ­is justified on the grounds that (1) the ­processing is ­necessary ­for the performance of the contract between you as the data subject ­and us pursuant to Art. 6 (­1) ­(b) GDPR for the use of the App, ­or (2) we ­have ­a ­legitimate interest in ensuring the ­functionality ­and error-free ­operation of the App and in being ­able to offer ­a ­service that is in line with the ­market and ­interests­, which here ­outweighs ­your rights and ­interests in the protection of your ­personal ­data within the meaning of Art. 6 (­1­) (f) GDPR.

  1. 3.2 Use of the App

Within the scope of the App, you can ­enter, manage, and edit various ­information, tasks (e.g. Service Request), ­and activities (e.g. Instrument Manager). This ­information includes­, in particular, Contact Data (First Name, Last Name, E-mail Address, Phone Number) as well as Company Data (Company Name, Customer Number, Business Address) and Instrument Data (Instrument Name, Model No., Serial No. etc.)

The data you enter is initially only stored locally on your device. Only when you send us a request will this also be transmitted to us and used to

  • Enforce the ­terms of use of the App and all ­rights and obligations associated­ therewith­; and
  • Contact you to ­send you technical or ­legal notices, updates, ­security messages­, ­or other messages ­regarding, ­for example, the administration of the user account.

This data processing ­is justified on the grounds that (1) the ­processing is ­necessary ­for the performance of the contract between you as a data subject ­and us pursuant to Art. 6 (­1) ­(b) GDPR for the use of the App, ­or (2) we ­have ­a ­legitimate interest in ensuring the ­functionality ­and error-free ­operation of the App, ­which here ­outweighs­ your rights and ­interests in the protection of your ­personal ­data within the meaning of Art. 6 (­1­) (f) GDPR.

Certain functions of this App can only be used if the corresponding permissions are granted. Permissions are interfaces to the operating system of your end device, through which the App can access data stored on your end device.

The App works with the following permissions:

  • ­Internet access: to store your entries on our servers;
  • Access to device's file manager and image gallery: to upload images use some functions of the App;
  • Location: To record the geographical position of your device as part of your request;
  • Access to device's camera: To capture images for problem messages

You can manage and disable permissions within the settings of your operating system. Please note that after deactivating a permission, you may no longer be able to use all of the App's features.

­In ­addition to the ­cases ­explicitly ­mentioned in ­this ­Data Protection Notice, your ­personal data will ­only be transferred or disclosed ­without your express ­prior consent ­if this is permitted or ­required by ­law. ­This may be the case, for example, if the ­processing ­is necessary to ­protect the ­vital ­interests of the user or another ­natural person.

Where the below list states that we rely on our legitimate interest for a given purpose, we are of the opinion that our legitimate interest is not overridden by your interests and rights or freedoms, given (i) the regular reviews and related documentation of the processing activities described herein, (ii) the protection of your personal data by our data privacy processes, (iii) the transparency we provide on the processing activity, and (iv) the rights you have in relation to the processing activity.

    1. Internal ­administrative purposes including customer service

The data ­provided by you during ­registration will be ­shared ­within our affiliated Sartorius companies for internal ­administrative purposes, ­including ­joint customer support, ­to the extent necessary.

Any disclosure of ­personal ­data is justified on the grounds that we ­have ­a ­legitimate interest in ­disclosing­ the data for ­administrative purposes within our ­group of companies ­and that your rights and ­interests in the protection of your ­personal ­data ­within the ­meaning of Art. 6 (1) (f) GDPR are not overridden.

    1. Safeguarding of rights

If it is necessary to investigate illegal or improper use of the app or for legal prosecution, personal data will be disclosed to law enforcement agencies or other authorities and, if necessary, to injured third parties or legal advisors. However, this only happens if there ­are ­indications of ­unlawful ­or abusive behavior. A transfer may also ­take place if this ­serves ­the enforcement of ­terms of use or other legal claims. ­We are also legally obligated to ­provide information to ­certain ­public authorities ­upon request. ­These are law enforcement agencies­, authorities that ­prosecute ­administrative offenses ­subject to fines­, and the tax authorities­.

Any disclosure of the ­personal ­data is justified on the grounds that (1) the ­processing is ­necessary for compliance with a ­legal obligation to ­which we are subject pursuant to Art. 6 (1) (f) GDPR in conjunction with. ­national ­legal requirements to disclose data to law enforcement authorities­, or (2) we ­have ­a legitimate interest in disclosing the data to ­the aforementioned third parties ­if there are indications of ­abusive ­behavior or to enforce ­our ­terms of use, other ­conditions or legal claims ­and your rights and ­interests in the protection of your ­personal ­data within the meaning of Art. 6 (1) (f) GDPR do not override.

    1. Service providers

To provide our service, we also use contractually affiliated ­companies of the Sartorius ­Group as ­well as third-party companies ­and external service providers as service providers, so-called data processors, e.g. for hosting or IT maintenance and support services. These process the data on behalf of and according to the instructions of Sartorius and have been contractually obligated to comply with applicable data protection law.

Any disclosure of ­personal ­data is justified on the grounds that (1) we ­have ­a ­legitimate interest in disclosing­ the data for ­administrative purposes within our ­group of companies ­and your rights and interests in the protection of your ­personal ­data within ­the ­meaning of Art. 6 (­1) (f) GDPR do not override and (2) we have ­carefully ­selected ­our third-party companies ­and external service providers ­as processors within the framework of Art. 28 (­1) ­GDPR­, ­regularly reviewed them and contractually obliged them to ­process ­all ­personal ­data exclusively ­in accordance with our instructions.

    1. Corporate transactions

As our ­business evolves, we may change the structure of our business by ­changing its legal form, establishing, buying or selling ­subsidiaries, ­divisions ­or ­components. In such ­transactions, customer information ­may be transferred along with the ­part of the ­company ­being transferred­. In any transfer of ­personal ­information to third parties to the ­extent ­described above, ­we will ensure that it is ­done in accordance with this ­Privacy Notice and applicable data ­protection law.

Any disclosure of ­personal ­data is justified on the grounds that we ­have ­a ­legitimate interest in ­adapting ­our ­corporate form to the ­economic and ­legal circumstances ­as ­necessary and that your rights and ­interests in the protection of your ­personal ­data within the meaning of Art. 6 (1) (f) GDPR are not overridden.

If you are located within European Economic Area, please be aware that sometimes the recipients to whom Sartorius transfers or discloses your personal data are located in countries in which applicable laws do not offer the same level of data protection as the laws of your home country.

In such cases and if required by applicable law, Sartorius takes measures to implement appropriate and suitable safeguards for the protection of your personal data. Personal data will only be transferred to recipients in such countries if these recipients have:

  1. implemented Binding Corporate Rules ("BCR") for the protection of personal data;
  2. entered into EU Standard Contractual Clauses with Sartorius.

Unless indicated otherwise at the time of the collection of your personal data (e.g. within a form completed by you), we erase your personal data if the retention of that personal data is no longer necessary (i) for the purposes for which they were collected or otherwise processed, or (ii) to comply with legal obligations.

Under European Union or European Economic Area law, you may have the right:

  • Obtain from Sartorius confirmation as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data;
  • Obtain from Sartorius the rectification of inaccurate personal data concerning you;
  • Obtain from Sartorius the erasure of your personal data;
  • Obtain from Sartorius restriction of processing regarding your personal data;
  • Data portability concerning personal data, which you actively provided; and
  • Object, on grounds relating to your particular situation, to processing of personal data concerning you.
  • revoke your consent to the processing of your personal data with effect for the future at any time, i.e. the revocation does not affect the lawfulness of the processing carried out on the basis of the consent before the revocation; and
  • file a complaint with a state supervisory authority (e.g. the State Commissioner for Data Protection of Lower Saxony) about the processing of your data.

You have the right to object at ­any time, on grounds ­relating to your ­particular situation, to the processing of ­personal ­data ­concerning­ you which ­is carried out, inter alia, on the basis of Art. 6 (1) (f) GDPR, in ­accordance with Art. 21 GDPR­. We will ­stop ­processing your ­personal ­data unless we can demonstrate ­compelling legitimate ­grounds for the ­processing which ­override ­your ­interests, rights and freedoms, or if the ­processing ­serves the purpose of ­asserting­, exercising or ­defending legal claims.

If you have any questions or comments about our processing of your personal data, or if you wish to exercise the above rights as a data subject, please contact the Sartorius Data Protection Officer and the Sartorius Data Protection Organization at dataprotection@sartorius.com.

You also have the right to ­contact the competent data protection authority with your request or complaint. ­The competent data protection authority ­is:

State Commissioner for Data Protection of Lower Saxony (LfD), Prinzenstrasse 5, 30159 Hannover, Germany, +49 511 120 4500, poststelle@lfd.niedersachsen.de.

To use this App, you must be at least 16 years old.

This Privacy Notice is reviewed at regular intervals and updated as necessary. The date of the last update is indicated at the top of this Privacy Notice.