Data Protection Statement
 
I. Name and address of the Controller

The Controller, as defined in the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions, is

Heidelberg-Apotheke Johannes Ertelt e. K.
Heidelbergstrasse 22
72406 Bisingen (Germany)

E-mail: hb@ertelt.de
Internet: www.heidelberg-apotheke.de
Phone ++49 7476 8411
Fax ++49 7476 2009

Please use the following numbers to reach your contact person directly
Mistletoe Pharmacy Customer Service:
Phone ++49 7476 9500 303
Fax ++49 7476 9500 304
E-mail: mail@mistletoe-pharmacy.com
Internet: www.mistletoe-pharmacy.com

II. Name and address of the Data Protection Officer
The Controller’s Data Protection Officer is:
DeltaMed Sued GmbH & Co.KG
Untere Gasse 9
71642 Ludwigsburg (Germany)
Phone: ++49 7141 974 57 0
Fax: ++49 7141 974 5714
E-mail: dsb@deltamedsued.de
Internet: www.deltamedsued.de

III. General information on data processing

1. Scope of the processing of personal data
As a general rule, we collect and use personal data of our users only insofar as this is necessary for the provision of a functioning website as well as of our content and services. Personal data of our users are routinely collected and used solely with the consent of the user. An exception applies in cases in which the prior obtaining of consent is not possible for objective reasons, and processing of the data is permitted by statutory regulations.

2. Legal basis for the processing of personal data
If we obtain consent from the data subject for personal-data processing procedures, Art. 6 (1) lit. a EU General Data Protection Regulation (GDPR) shall serve as the legal basis.
When processing personal data, required for fulfilment of a contract to which the data subject is a contract party, Art. 6 (1) lit. b GDPR shall serve as the legal basis. This also applies to processing procedures required for the implementation of pre-contractual measures.
If the processing of personal data is necessary for fulfilment of a legal obligation incumbent on our company, Art. 6 (1) lit. c GDPR shall serve as the legal basis.
If vital interests of the data subject, or of another natural person, necessitate the processing of personal data, Art. 6 (1) lit. d GDPR shall serve as the legal basis.
If the processing is necessary for the purpose of safeguarding a justified interest of our company or of a third party, and if the interests, basic rights and basic freedoms of the data subject do not prevail over the first interest stated, Art. 6 (1) lit. f. GDPR shall serve as the legal basis for the processing.
The legal basis for the processing of your health data is Article 9 (2) lit. h) GDPR in conjunction with Section 22 (1) N0. 1 lit. b) German Federal Data Protection Act. Additional fundamental legal bases for the processing of your data are the German Pharmacy Act, the German Pharmacy Operational Regulations as well as the German Code of Social Law V, in particular Section 300 SGB V.

3. Erasure of data and storage duration

The personal data of the data subject will be erased or blocked as soon as the purpose of the storage no longer applies. Storage for a longer period is permitted if this has been provided for by the European or national lawmaker in EU Regulations, laws or other regulations to which the Controller is subject. The data will also be blocked or erased when a storage period, prescribed by the said standards, expires, unless there is a need for further storage of the data for conclusion of a contract or fulfilment of a contract.

IV. Provision of the website and creation of logfiles

1. Description and scope of the data processing
Every time our Internet site is called up, our system automatically collects data and information from the computer system of the computer making the call-up.
The following data are collected:
(1) Information on the browser type and the version used
(2) The user’s operating system
(3) The user’s Internet service provider
(4) The user’s IP address
(5) Date and time of the access
(6) Websites from which the user’s system reaches our Internet site
(7) Websites called up by the user’s system via our website
The data are also stored in our system’s log files. This does not apply to the user's IP addresses or to other data that enable the assignment of the data to a user. These data are not stored together with other personal data of the user.

2. Legal basis for the data processing
The legal basis for the temporary storage of the data is Art. 6 (1) lit. f GDPR.

3. Purpose of the data processing
The temporary storage of the IP address by the system is necessary in order to enable delivery of the website to the user's computer. This necessitates storage of the user’s IP address for the duration of the session.
The storage in log files ensures the functionality of the website. In addition, the data enable us to optimize the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes takes place in this context.
These purposes also constitute our justified interest in data processing pursuant to Art. 6 (1) lit. f GDPR.

4. Duration of the storage
The data are erased as soon as they are no longer required to achieve the purpose of their collection. If the data are collected for the provision of the website, this will be the case when the respective session has ended.
If the data are stored in log files, this will be the case at the latest after seven days. Longer storage is possible. In this case, the users’ IP addresses will be erased or changed, such that assignment of the client making the call-up is no longer possible.

5. Possibility of objection and removal
The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for operation of the Internet site. As a result, the user has no possibility of objection.

V. Use of cookies

a) Description and scope of the data processing
Our website uses cookies. Cookies are text files that are stored on the user’s computer system in or by the Internet browser. When a user calls up a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string that enables clear identification of the browser during renewed call-ups of the website.
We use cookies in order to make our website more user friendly. Some elements of our Internet site necessitate it being possible to identify the browser making the call up even after a change of page.
In this respect, the following data are stored and forwarded in the cookies:
(1) Language settings
(2) Articles in a shopping basket
(3) Log-on information
In addition, we also use cookies on our website that enable an analysis of the users’ surfing patterns.
The following data can be forwarded as a result:
(1) Search terms entered
(2) Frequency of call-up of sites
(3) Use of website functions
The user data collected in this way are pseudonymized via technical precautions. As a result, assignment of the data to the user making the call-up is no longer possible. The data are not stored together with other personal data of the users.
When users call up our website, an information banner will inform them of the use of cookies for analysis purposes, and they will be referred to this data protection statement. In this context, reference will also be made to how the storage of cookies can be prevented in the browser settings.

b) Legal basis for the data processing
The legal basis for the processing of personal data using cookies is Art. 6 (1) lit. f GDPR.

c) Purpose of the data processing
The purpose of the use of technically necessary cookies is to simplify the use of websites for users. Some functions of our Internet site cannot be offered without the use of cookies. These require the browser to be recognized even after a change of page.
We require the cookies for the following applications:
(1) Shopping basket
(2) Take-over of language settings
(3) Noting of search terms
The user data collected through technically necessary cookies will not be used to create user profiles.
The analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is used, and thus enable us to continuously improve our offer.
These purposes also constitute our justified interest in the processing of personal data pursuant to Art. 6 (1) lit. f GDPR.

d) Duration of the storage, opportunity to object and of removal
Cookies are stored on the user’s computer which then forwards them to our site. This means that you, as user, also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your Internet browser. Cookies already stored can be erased at any time. This can also be done automatically. If cookies are deactivated for our website, this may possibly mean that some functions of the website can no longer be used in full.

VI. Registration

1. Description and scope of the data processing
On our Internet site we offer users the possibility of registering stating personal data. The data are entered in an input screen, forwarded to us and stored. The data are not forwarded to third parties. The following data are collected within the scope of the registration process:
(1) Title, first name and last name of the user
(2) Street and house number
(3) ZIP code and town
(4) Country
(5) Telephone
(6) E-mail address
(7) User name and password
The following data are also stored at the time of registration:
(8) The user’s IP address
(9) Date and time of registration
The consent of the user to the processing of these data is obtained within the framework of the registration process.

2. Legal basis for the data processing
Given the availability of consent by the user, the legal basis for the processing of the data is Art. 6 (1) lit. a GDPR.

3. Purpose of the data processing
The provision of specific content and services on our website requires registration by the user.

4. Duration of the storage
The data are erased as soon as they are no longer required to achieve the purpose of their collection.
This is the case with the data collected during the registration process if the registration is cancelled or altered on our website.

5. Possibility of objection and removal
As a user, you have the right to cancel the registration at any time. You can have the data stored on you altered at any time.

VII. Contact form and e-mail contact

1. Description and scope of the data processing
Our Internet site contains a contact form that can be used for electronic contact. If a user makes use of this facility, the data entered in the input screen will be forwarded to us and stored. These data are:
(1) Subject
(2) Title, first name and last name of the user
(3) E-mail address
(4) Content of the message
The following data are also stored when the message is sent:
(5) The user’s IP address
(6) Date and time of registration
Your consent to the processing of the data is obtained within the scope of the sending process, and reference made to this data protection statement.
Alternatively, contact can be made via the e-mail address provided. In this case, the user’s personal data, forwarded in the e-mail, will be stored.
The data will not be forwarded to third parties in this context. The data will be used exclusively for the processing of the conversation.

2. Legal basis for the data processing
Given the availability of consent by the user, the legal basis for the processing of the data is Art. 6 (1) lit. a GDPR.
The legal basis for the processing of the data, forwarded in the context of sending of an e-mail, is Art. 6 (1) lit. f GDPR. If the e-mail contact is aimed at conclusion of a contract, an additional legal basis for the processing is Art. 6 (1) lit. b GDPR.

3. Purpose of the data processing
We process the personal data from the input screen solely for the purpose of processing the contact. In the event of contact by e-mail, this also constitutes the required justified interest in the processing of the data.
The other personal data processed during the sending procedure are used to prevent misuse of the contact form, and to ensure the security of our information technology systems.

4. Duration of the storage
The data are erased as soon as they are no longer required to achieve the purpose of their collection. With the personal data from the contact-form input screen and the data sent by e-mail, this will be the case when the respective conversation with the user has ended. The conversation will be ended when it becomes clear from the circumstances that the matter concerned has been clarified finally.
The additional personal data collected during the sending procedure will be erased at the latest after a period of seven days.

5. Possibility of objection and removal
The user can revoke his/her consent to the processing of the personal data at any time. If the user contacts us by e-mail, he/she can object to the storage of his/her personal data at any time. In this case, the conversation cannot be continued.
In this case, all personal data stored in the context of the contact, will be erased.

VIII. Web analysis by Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc. ("Google"). Use is based on Art. 6 (1) Sentence 1 lit. f. GDPR. Google Analytics uses so-called "cookies", text files that are stored on your computer and that enable an analysis of your use of the website. Information, generated by the cookie on your use of the website, such as
(1) browser type/version,
(2) operating system used,
(3) referrer-URL (the previous site visited),
(4) host name of the computer making access (IP address),
(5) time of the server inquiry,
is normally transmitted to a Google server in the USA and stored there. The IP address, transmitted by your browser within the scope of Google Analytics, will not be brought together with other Google data. On this website we have also extended Google Analytics by the code “anonymizeIP”. This guarantees the masking of your IP address, so that all data are collected in anonymous form. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.
Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activities, and to provide the website operator with additional services associated with use of the website and of the Internet. You can prevent storage of the cookies via a corresponding setting of your browser software; nevertheless, we draw attention to the fact that, in this case, you may not be able to use all functions of this website in full.
You can also prevent the forwarding of the data, generated by the cookie and concerning your use of the website (incl. your IP address), to Google and the processing of this data by Google, by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to the browser add-on, in particular with browsers on mobile end devices, you can also prevent collection by Google Analytics by clicking this link. An opt-out cookie will be set that prevents the collection of your data during future visits to this website: The opt-out cookie applies only in this browser and only for our website, and will be deposited on your device. If you erase the cookies in this browser, you must again set the opt-out cookie.
We also use Google Analytics to evaluate data from double-click cookies and also AdWords for statistical purposes. If you wish to prevent this, you can deactivate it via the display preferences manager (https://www.google.com/settings/ads/onweb/?hl=de).
Further information on data protection in connection with Google Analytics can be found for example in the Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=de).
To prevent the collection of your data during future visits to this website, click the following link to activate an opt-out cookie: Deactivate Google Analytics.

IX. Rights of the data subject

The following list includes all rights of the data subjects under the GDPR. Rights that are of no relevance for the own website need not be stated. The list can be shortened accordingly.
If your personal data are processed, you are a data subject as defined in the GDPR and you have the following rights with respect to the Controller:

1. Right of access to personal data
You can request confirmation from the Controller as to whether personal data concerning you are processed by us.
If such processing exists, you can ask the Controller for information on the following:
(1) the purposes for which the personal data are processed,
(2) the categories of personal data processed,
(3) the recipients, or the categories of recipients, to whom your personal data have been or will be disclosed,
(4) the planned duration of the storage of your personal data or, if no specific information can be provided on this, the criteria for determining the duration of storage,
(5) the existence of a right of rectification or erasure of your personal data, of a right to restrict the processing by the Controller, or of a right to object to this processing,
(6) the existence of a right to complain to a supervisory authority,
(7) all available information on the origin of the data, if the personal data are not collected from the data subject,
(8) the existence of automated decision-making, including Profiling, pursuant to Art. 22 (1) and (4) GDPR and - at least in these cases – meaningful information on the logic involved as well as the consequences and striven-for effects of such processing for the data subject.
You have a right to demand information on whether your personal data will be transferred to a third country or to an international organization. In this context, you can demand to be informed of the suitable guarantees pursuant to Art. 46 GDPR in connection with the transfer.

2. Right of rectification
You have a right of rectification and/or completion with respect to the Controller insofar as your processed personal data are incorrect or incomplete. The Controller must arrange the rectification immediately.

3. Right of restriction of the processing
You can demand the restriction of the processing of your personal data under the following circumstances:
(1) if you dispute the correctness of your personal data for a period that enables the Controller to check the correctness of the personal data,
(2) if the processing is unlawful and you reject the erasure of the personal data, and instead demand a restriction on the use of the personal data,
(3) if the Controller no longer requires the personal data for the purposes of the processing, but you nevertheless require these for the assertion, exercise or defense of legal entitlements, or
(4) if you have filed an objection against the processing pursuant to Art. 21 (1) GDPR, and it is not yet clear whether the justified reasons of the Controller prevail over your reasons.
If the processing of your personal data has been restricted, these data – with the exception of their storage – can only be processed with your consent, or for the assertion, exercise or defense of legal entitlements, or to protect the rights of another natural or legal person, or for reasons of an important public interest on the part of the EU or a member state.
If the restriction on processing has been implemented in accordance with the above prerequisites, you will be informed by the Controller before the restriction is lifted.

4. Right of erasure
a) Obligation to erase
You can ask the Controller to erase your personal data immediately, and the Controller is obliged to erase these data immediately, provided one of the following reasons applies:
(1) Your personal data are no longer required for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent on which the processing pursuant to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR was based, and there is no other legal basis for the processing.
(3) You file an objection against the processing pursuant to Art. 21 (1) GDPR, and there are no priority justified reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR.
(4) Your personal data have been processed unlawfully.
(5) Erasure of your personal data is required for fulfilment of a legal obligation under EU law or the law of the member states to which the Controller is subject.
(6) Your personal data have been collected in connection with services offered by the information society pursuant to Art. 8 (1) GDPR.
b) Information to third parties
If the Controller has made your personal data public and is obliged to erase them under Art. 17 (1) GDPR, he/she shall, with consideration for the available technology and implementation costs, take appropriate measures, including of a technical nature, to inform Controllers, responsible for the data processing and processing the personal data, that you, as data subject, have demanded that they erase all links to these personal data, or have demanded copies or replications of these personal data. Exceptions
The right of erasure shall not apply if the processing is necessary
(1) for exercising the right of freedom of expression and information,
(2) for fulfilment of a legal obligation requiring processing under the law of the EU or of the member states to which the Controller is subject, or for performance of a duty that is in the public interest, or is performed in the exercise of public powers transferred to the Controller,
(3) for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i, as well as Art. 9 (3) GDPR,
(4) for archiving purposes, scientific or historical research purposes in the public interest, or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right stated under a) foreseeably renders achievement of the aims of this processing impossible or seriously impairs this, or
(5) for the assertion, exercise or defense of legal entitlements.

5. Right of information
If you have asserted the right of rectification, erasure or restriction of processing with respect to the Controller, the latter is obliged to inform all recipients, to whom your personal data have been disclosed, of this rectification or erasure of the data or of the restriction of processing, unless this proves to be impossible or involves disproportionate expense.
You have a right with respect to the Controller to be informed of these recipients.

6. Right of data portability
You have a right to receive your personal data, provided to the Controller by you, in a structured, commonly-used and machine-readable format. You also have a right to transfer these data to another controller without hindrance by the Controller to whom the personal data have been provided, if
(1) the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, or on a contract pursuant to Art. 6 (1) lit. b GDPR, and
(2) the processing is carried out with the help of automated procedures.
When exercising this right, you also have a right to insist that your personal data be transferred directly from one controller to another controller, insofar as this is technically possible. Liberties and rights of other persons must not be impaired as a result.
The right of data portability does not apply to the processing of personal data required for the performance of a duty that is in the public interest, or is performed in exercise of public powers transferred to the Controller.

7. Right of objection
You have the right to file an objection at any time against processing of your personal data, carried out on the basis of Art. 6 (1) lit. e or f GDPR, for reasons resulting from your particular situation. This also applies to any Profiling based on these provisions. The Controller will then no longer process your personal data, unless he/she can demonstrate compelling reasons for the processing warranting protection, and these prevail over your interests, rights and liberties, or if the processing is for the purpose of assertion, exercising or defense of legal entitlements.
If your personal data are processed in order to carry out direct advertising, you have a right to file an objection at any time against the processing of your personal data for the purpose of such advertising. This also applies to Profiling insofar as it is connected with such direct advertising.
If you object to processing for the purpose of direct advertising, your personal data will no longer be processed for these purposes.
In connection with the use of services of the information society and notwithstanding Directive 2002/58/EC, you have the possibility of exercising your right of objection via automated procedures that use technical specifications.

8. Right of revocation of the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. Revocation of the consent shall not affect the legality of the processing, carried out on the basis of the consent, up until the revocation.

9. Automated decision on a case-by-case basis, including profiling
You have the right not to be subjected to a decision, based exclusively on automated processing – including Profiling - that is legally effective against you or that significantly impairs you in a similar manner. This shall not apply if the decision
(1) is necessary for the conclusion or fulfilment of a contract between you and the Controller,
(2) is admissible on the basis of legal regulations of the EU or of the member states to which the Controller is subject, and these legal regulations include appropriate measures for safeguarding your rights and liberties as well as your justified interests, or
(3) is taken with your express consent.
Nevertheless, these decisions must not be based on particular categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR is applicable, and appropriate measures have been taken to protect the rights and liberties as well as your justified interests.
With regard to the cases stated in (1) and (3), the Controller shall take appropriate measures to safeguard the rights and freedoms as well as your justified interests. This includes at least the right to insist on the intervention of a person by the Controller, the right to set out one’s own position and to contest the decision.

10. Right to complain to a supervisory authority
Notwithstanding any other administrative-law or judicial remedy, you have a right to complain to a supervisory authority, in particular in the member state of your residence, your place of work or the place of the suspected violation, if you are of the opinion that the processing of your personal data violates the GDPR.
The supervisory body with which the complaint has been filed, will inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.


A big thank you to all our customers!