Privacy Policy
Protection of personal data is an important concern for IMD GmbH (hereinafter referred to as “us”, “our” or “we”). Your personal data as a user of the website (hereinafter referred to as “you”, “your”) is processed in compliance with applicable data protection regulations, in particular the EU General Data Protection Regulation (DSGVO).
According to Art. 4 No. 1 DSGVO, personal data includes all information relating to an identified or identifiable natural person (hereinafter referred to as “data”) that you provide to us.
Below, we inform you which data we collect from you when you visit our website, for what purposes we use it, and what rights you have in connection with your data.
Controller and Data Protection Officer
Controller for data processing:
MVZ IMD GmbH
Coagulation Center Mannheim
Belchenstrasse 1–5
68163 Mannheim
Germany
We have appointed a data protection officer:
c/o TÜV SÜD Akademie GmbH
Westendstraße 160
80339 Munich
You can contact our data protection officer at:
– our business address listed above with the note “Data Protection” or
– by email at: datenschutz@immungenetik-kl.de.
External Hosting
This website is hosted by an external service provider, ALL-INKL.COM – Neue Medien Münnich (hereinafter referred to as “ALL-INKL” or “host”). The data collected on this website is stored on the servers of the host. This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access, and other data generated via a website. Furthermore, the host stores cookies or other recognition technologies that are necessary for the presentation of the website, for the provision of certain website functions, and to ensure its security (necessary cookies).
The use of the host is carried out for the purpose of fulfilling contracts with our potential and existing website visitors (Art. 6 para. 1 lit. b DSGVO) and in the interest of a secure, fast, and efficient provision of our website by a professional provider (Art. 6 para. 1 lit. f DSGVO). Where consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 of the Telecommunications-Telemedia Data Protection Act (TDDDG), insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) as defined by the TDDDG. This consent can be withdrawn at any time.
Our host only processes your data to the extent necessary to fulfill its performance obligations and follows our instructions regarding this data processing.
To ensure data protection-compliant processing, we have concluded a data processing agreement with our host.
For further details, please refer to the host’s privacy policy:
https://all-inkl.com/datenschutzinformationen/
Collection and Storage of Your Data and Type and Purpose of Its Use
Visiting the Website
Each time you access our website, your browser automatically transmits data that is stored in the server’s log files. This data (“log file data”) includes:
- Browser type and version
- Name and URL of the accessed file
- Date and time of the server request
- Report on successful access (HTTPS response code)
- Operating system used
- Referrer URL
- Websites accessed via our system
- User’s internet service provider
- IP address (anonymized) and requesting provider
We analyze log file data to continuously improve the website, to tailor it to the interests of our users, and to identify and resolve errors quickly. This constitutes our legitimate interest in processing the data according to Art. 6 para. 1 lit. f DSGVO.
Log file data is stored for 7 days to identify faults and ensure system security, including the detection and tracking of unauthorized access attempts and fraud or misuse. After that, it is deleted. Log file data that must be retained for evidentiary purposes is excluded from deletion until the respective incident is fully clarified and may be forwarded to investigative authorities in individual cases.
Inquiries via Email, Telephone, or Fax
If you contact us by email, phone, or fax, your inquiry, including all resulting personal data, will be stored and processed for the purpose of handling your request. We do not pass this data on without your consent.
The processing of this data is based on Art. 6 para. 1 lit. b DSGVO, provided that your inquiry is related to the fulfillment of a contract or is necessary for carrying out pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries directed to us (Art. 6 para. 1 lit. f DSGVO) or on your consent (Art. 6 para. 1 lit. a DSGVO), if requested. You can revoke your consent at any time.
The data you send to us via contact requests remains with us until you request its deletion, revoke your consent, or the purpose for data storage no longer applies (e.g., once your request has been processed). Mandatory legal provisions—especially retention periods—remain unaffected.
Data Processing from Our Business Partners
Where Do Your Data Come From and What Data Is Processed?
We only process your data in accordance with data protection principles to the extent necessary, legally permitted, or required.
Unless otherwise stated below, the terms “processing” and “process” particularly include the collection, use, storage, disclosure, and transmission of data (Art. 4 No. 2 DSGVO).
In general, providing your data is voluntary. However, to establish and carry out a business relationship, we must process certain data about you.
We process the data that we receive from you in the context of our business relationship—either due to a contractual relationship with you or your company (e.g., purchase and sale of products, services, work performance, usage rights, etc.), a pre-contractual inquiry, or another request from you (e.g., via the internet, email, phone, at trade fairs, or product events).
Furthermore, we process your data—if necessary to fulfill our contractual or legal obligations—that we obtain from publicly accessible sources (e.g., commercial and association registers, press, internet) or are lawfully provided by third parties (e.g., a credit agency).
Relevant data in particular includes:
- Contact details of the contact person(s) at the business partner and business address
- Communication data such as phone number and email address
- Bank and billing information
- Tax number / VAT ID
- Contract data such as revenue figures or business partner history
- Name and business address of managing directors, shareholders, and company representatives, if publicly accessible via the commercial register
We typically use and store the following categories of business and/or private data:
- Salutation
- First and last name
- Mailing address
- Email address
- Landline, mobile, and fax numbers
- Profession, position, title, and academic degree
Purpose and Legal Basis of Data Processing
To Fulfill Contractual Obligations
We primarily process your data to fulfill contracts with you or your company or to carry out pre-contractual measures at your request (Art. 6 para. 1 lit. b and f DSGVO). Within the scope of our business relationship, you must provide the data necessary for starting, carrying out, and terminating the relationship and to meet legal obligations. Without this data, we are generally unable to enter into, execute, or end a contract with you or take pre-contractual steps at your request. If you do not provide the required information and documentation, we may not be able to enter into or continue the business relationship.
Processing Based on Legal Requirements
We also process your data if required to meet legal obligations (Art. 6 para. 1 lit. c DSGVO).
Processing Based on Legitimate Interest
We process your data if necessary to safeguard our legitimate interests or those of third parties (Art. 6 para. 1 lit. f DSGVO). Examples include:
- Providing information or invitations to events and initiatives to showcase our capabilities and products
- Exercising or defending legal claims
- Measures to optimize our business processes, such as managing a supplier or CRM database
- Ensuring operational safety and business management
- Screening against European and international sanctions lists
- Credit checks
- Debt collection, including via collection agencies
Recipients of Your Data and Location of Processing
Within the scope of our business relationships, those departments and employees who require access to your data to fulfill contractual and legal obligations or to perform internal processes (e.g., sales, purchasing, logistics, accounting, HR) will have access to it. All authorized employees are obligated to maintain confidentiality, protect trade and business secrets, and adhere to data protection regulations.
Where necessary, we may also transfer your data to other sites of IMD GmbH, the Institute for Immunology and Genetics, or SEQ-IT GmbH, which may process the data for their own purposes as independent controllers. Your data will only be accessible to authorized individuals or departments with a legitimate reason and purpose for access and processing.
We use data processors for certain services. Data is disclosed to them only under strict confidentiality obligations and in compliance with DSGVO. These processors are contractually bound and may not use the data for their own purposes. Responsibility for the processing remains with us.
Examples of possible recipients of your data include:
- Public authorities and institutions (e.g., tax offices, law enforcement agencies) when legally required
- Insolvency administrators or creditors in enforcement situations
- Auditors during annual audits
- Service providers engaged under data processing agreements
- Other locations of IMD GmbH, the Institute for Immunology and Genetics, or SEQ-IT GmbH
If any of these recipients are located in countries outside the EU or EEA that are not recognized as having an adequate level of data protection, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses.
How Long Will Your Data Be Stored?
We process and store the data of our business partners as long as it is necessary to fulfill our contractual and legal obligations arising from the existing business relationship.
Once the data is no longer required for this purpose, it is regularly deleted, unless further processing is needed to comply with commercial or tax-related retention periods under the German Commercial Code (HGB) and Fiscal Code (AO). These periods are typically 10 years for accounting documents and 6 years for business correspondence.
Additionally, we may retain your data for the preservation of evidence under applicable statute of limitations laws. These limitation periods may be up to 30 years, although the standard period is generally 3 years.
We may also retain your data for other purposes specified in this privacy policy if relevant.
Your Rights (Data Subject Rights)
With regard to the processing of your personal data, you are entitled to the following extensive rights:
Right of Access:
You have the right to request information about the data we hold about you, especially the purposes of processing and how long the data will be stored (Art. 15 DSGVO). This right is limited by § 34 of the German Federal Data Protection Act (BDSG), particularly if the data is stored solely due to legal retention requirements or for data security and privacy monitoring, the effort to provide access would be disproportionate, or if data misuse is prevented through suitable technical and organizational measures.
Right to Rectification:
You have the right to request immediate correction of inaccurate personal data concerning you (Art. 16 DSGVO).
Right to Erasure:
You have the right to request the deletion (Art. 17 DSGVO) of your personal data from us. This right applies in particular if:
a) the respective purpose for processing has been achieved or no longer applies,
b) we have processed your data unlawfully,
c) you have withdrawn your consent and there is no other legal basis for the continued processing of your data,
d) you have successfully objected to the processing of your data, or
e) there is an obligation to delete the data under EU law or the law of an EU Member State to which we are subject.
This right is subject to the limitations set out in Section 35 of the German Federal Data Protection Act (§ 35 BDSG), according to which the right to deletion may, in particular, lapse if, in the case of non-automated data processing, deletion would involve a disproportionate effort and your interest in deletion is considered to be minor.
Right to Restriction of Processing (Art. 18 DSGVO):
You have the right to request the restriction of the processing of your data (Art. 18 DSGVO). This right applies in particular if:
a) the accuracy of the data is disputed,
b) instead of deletion, you request restricted processing under the conditions of a legitimate request for erasure,
c) the data is no longer required for the purposes pursued by us, but you need it for the establishment, exercise, or defense of legal claims, or
d) the outcome of an objection is still pending.
Right to Data Portability:
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format (Art. 20 DSGVO), provided that the data has not already been deleted.
Right to Object:
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you (Art. 21 DSGVO). We will cease processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent:
Pursuant to Art. 7(3) DSGVO, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out based on the consent before its withdrawal. The withdrawal only means that we will no longer be allowed to continue the data processing that was based on this consent in the future.
Right Not to Be Subject to Automated Decision-Making:
You have the right (Art. 22 DSGVO) not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. As a general rule, we do not use automated decision-making or profiling in employment matters. However, if you have been subject to an automated decision and do not agree with the outcome, you can contact us using the contact details provided below and request that the decision be reviewed.
Right to Lodge a Complaint:
If you believe that your data is being processed unlawfully, you may lodge a complaint with our data protection officer or a data protection supervisory authority.
Application Process (Recruiting)
The protection of your personal data is particularly important to us. Therefore, we would like to inform you below about the data protection principles that IMD GmbH adheres to in order to provide you with a trustworthy application process.
Data Collection
The application process requires that you provide us with the data necessary for evaluation and selection. You can submit your application via email or postal mail. Please note that emails are generally not encrypted during transmission over the Internet. While emails are usually encrypted during transit, they may not be encrypted on the servers from which they are sent or received. Therefore, we cannot take responsibility for the security of your application during transmission.
During the application selection process, we collect and process the following categories of data:
- Contact and identification data for your application profile (e.g., name, address, date of birth, country, email, phone number, marital status, nationality)
- Education, performance, and employment data, as well as application documents (e.g., résumé, cover letter, information about career development, qualifications, skills, language skills, work experience, certificates)
- Additional documents (e.g., salary expectations, notice period, willingness to travel, motivation, references, and job-specific info)
- The channel through which we received your application (e.g., email, Indeed, MediJobs, recruitment agency)
- Special categories of personal data (e.g., information on disabilities, health or medical conditions, proof of measles vaccination), processed only within legal limits
We may also receive data about you from other sources, including external business partners (e.g., personnel service providers). If you are hired via such a provider, your data will be stored in your personnel file. If you are not selected, your documents will be deleted once the position is filled. We may also use publicly available professional platforms such as LinkedIn or Indeed to verify application details or contact you for job opportunities.
Purpose and Type of Processing
We collect your data solely for the following purposes:
- Initiation and establishment of an employment relationship
- To contact you if another suitable position arises
- To contact you based on a speculative application
- To send you personalized information about open positions, subject to your consent
Legal Basis
Your data is necessary for decision-making regarding potential employment (Art. 88 DSGVO in conjunction with Art. 6 para. 1 lit. b DSGVO).
In some cases, we will ask for your explicit consent—for example, to retain your application longer or to consider you for another role (Talent Pool). Consent is voluntary and may be withdrawn at any time (Art. 6 para. 1 lit. a DSGVO).
If we use publicly available profiles from social networks, the legal basis is our legitimate interest (Art. 6 para. 1 lit. f DSGVO in conjunction with Art. 9 para. 2 lit. e DSGVO) in forming a basis for employment decisions.
We also process your data as necessary to assert or defend legal claims or fulfill legal obligations (Art. 6 para. 1 lit. c and f DSGVO). For example, to comply with documentation obligations or for proof in cases under the General Equal Treatment Act (AGG).
If we request special categories of personal data (e.g., health data or ethnicity), we only process them:
- To fulfill obligations under labor, social security, or social protection law (Art. 9 para. 2 lit. b DSGVO)
- To protect vital interests (Art. 9 para. 2 lit. c DSGVO)
- For medical or occupational health purposes (Art. 9 para. 2 lit. h DSGVO)
- Or based on your explicit consent (Art. 9 para. 2 lit. a DSGVO)
Any use for other purposes is only permitted under Art. 6 para. 4 DSGVO and if compatible with the original purposes. We will inform you in such cases.
Recipients of Your Data
Only those involved in the hiring process (e.g., HR, management, relevant departments) will access your data. These individuals are obligated to confidentiality and data protection.
Data may also be processed by service providers under contracts according to Art. 28 DSGVO. Responsibility remains with us.
Data is not transferred to third parties unless you have explicitly consented or we are legally required to do so. Generally, no data is transferred outside the EU or EEA.
In case of unlawful behavior, your data may be shared with law enforcement and affected third parties, but only if specific indications of such behavior exist. We are also legally obligated to share data with certain public authorities when requested (e.g., tax, law enforcement).
Data Retention
If your application is rejected, we retain your data for 6 months for evidence in potential AGG claims. Longer storage is possible if required to assert or defend legal claims.
You may withdraw your application at any time, which will result in your data being deleted—subject to the 6-month AGG retention period.
If your application is successful, your data will be retained throughout your employment in accordance with employee data protection obligations.
Talent Pool
If we reject your application, we may ask to keep your information in our Talent Pool for future job offers. This only happens with your prior consent (Art. 6 para. 1 lit. a DSGVO). For speculative applications, the same applies.
If we store your data in the Talent Pool, we may contact you about relevant jobs. Your data will be stored for a maximum of 12 months or until you withdraw consent. Afterward, it will be deleted automatically without notice.
Data Processing of Our Patients
Information regarding the processing of patient data is available in printed form at our medical practice.
Cookies
Our website uses so-called “cookies.” Cookies are small text files that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted after your visit ends. Persistent cookies remain stored on your device until you delete them or your browser removes them automatically.
In some cases, cookies from third-party companies may be stored on your device when you visit our website (third-party cookies). These allow us or you to use certain services provided by the third party.
Cookies serve various functions. Many cookies are technically necessary because certain website functions would not work without them. Other cookies are used to analyze user behavior or display advertisements.
Cookies that are necessary to carry out electronic communication processes (necessary cookies), provide specific functions you have requested (functional cookies), or optimize the website (e.g., audience measurement cookies) are stored based on Art. 6 para. 1 lit. f DSGVO, unless another legal basis is specified. The website operator has a legitimate interest in storing cookies to ensure the technically flawless and optimized delivery of services. Where consent for cookies has been requested, the storage is based solely on this consent (Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TDDDG); consent can be revoked at any time.
If third-party cookies or cookies for analysis purposes are used, you will be separately informed in this privacy policy, and your consent may be requested.
You can configure your browser to inform you before cookies are set, to allow cookies only in individual cases, to exclude the acceptance of cookies in specific cases or in general, or to enable automatic deletion of cookies upon closing the browser. If cookies are disabled, the functionality of this website may be limited.
For detailed information on cookie settings, refer to your browser’s help function or the browser provider’s website.
Cookie Consent Management – Borlabs Cookie
Our website uses Borlabs Cookie to store your cookie consent preferences. This service is provided by Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany.
Borlabs does not process any personal data. All information is stored locally on our servers.
The Borlabs cookie stores the following information:
- Cookie duration
- Cookie version
- Domain and path of the WordPress website
- Consents given
- UID (randomly generated ID that is not personally identifiable)
If you wish to revoke your consent, simply delete the cookie in your browser. When you revisit or reload the website, you will be asked to provide your cookie preferences again.
More information on Borlabs data processing can be found here:
https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/
The use of Borlabs serves the purpose of obtaining legally required cookie consent. The legal basis is Art. 6 para. 1 lit. c DSGVO.
We inform you about the use of cookies in advance via a banner.
Data Sharing
In the course of our business activities, we collaborate with various external partners. In some cases, this may require the transfer of data to such partners. We only share your data with third parties if:
- it is necessary for fulfilling a contract (Art. 6 para. 1 lit. b DSGVO),
- we are legally obligated (Art. 6 para. 1 lit. c DSGVO),
- we have a legitimate interest (Art. 6 para. 1 lit. f DSGVO), or
- another legal basis permits the transfer.
When using processors, we only transfer your data based on a valid data processing agreement. In the case of joint responsibility, we conclude a joint controllership agreement.
Data Transfers to the USA
Please note: The USA is generally considered a third country with an adequate level of data protection if the data recipient is certified under the EU-U.S. Data Privacy Framework (DPF) or has appropriate safeguards in place. Transfers to such recipients are therefore permitted.
Details about international transfers, including recipients, can be found in this privacy policy.
Integration of Services and Content from Third Parties
Google Services
We use services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The responsible EU provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google may act as either a processor or joint controller based on the service agreement. If data is transferred to the U.S., it is done using EU Standard Contractual Clauses (SCCs).
Google LLC is certified under the DPF.
Google Analytics (GA4)
We use Google Analytics to analyze visitor behavior on our website. This includes data like:
- Page views
- Session duration
- Operating system
- Traffic source
Google compiles this into a user ID associated with each device. Google also tracks mouse and scroll movements and uses modeling techniques and machine learning for deeper analysis.
Technologies used: Cookies, device fingerprinting.
IP anonymization is enabled by default (within EU/EEA).
Legal basis:
- Art. 6 para. 1 lit. f DSGVO (legitimate interest in website optimization)
- If consent was obtained: Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TDDDG
Data associated with cookies is deleted after 2 months. Retention is renewed with repeat visits.
To prevent tracking: Google Opt-Out Plugin
More info: GA Terms
Google Fonts
To ensure consistent fonts and icons, we use Google Fonts.
These fonts are hosted locally on our web server, not by Google.
No data is transferred to Google when loading fonts.
Legal basis: Art. 6 para. 1 lit. f DSGVO – legitimate interest in consistent and optimized presentation.
Storage Duration
Unless otherwise stated, we only store your data for as long as necessary to fulfill the intended purposes. In some cases, statutory storage obligations apply (e.g., under tax or commercial law). Data retained under these laws will not be used for other purposes and will be deleted once the legal retention period expires.
Data Security
We are committed to protecting your data using the best available technical and organizational measures in accordance with Art. 32 DSGVO. These are regularly updated.
This website uses SSL encryption (Secure Sockets Layer) for security, especially when transmitting sensitive content such as contact forms or orders. Note: Internet data transmission (e.g., via email) can have security gaps. Absolute protection from third-party access is not guaranteed.
We do not guarantee uninterrupted availability of our services. Outages or disruptions may occur.
Final Note on Data Subject Rights (Summary)
As described previously, you have extensive rights under the DSGVO:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent
- Right not to be subject to automated decision-making
- Right to lodge a complaint with a supervisory authority
Effective Date: 06/2024