Privacy Policy

With this Privacy Notice our organisation wishes to inform you how we process personal data (hereinafter “data”) in connection with this website, particularly the type of data processed, the scope and purpose of processing. The definitions of art. 4 General Data Protection Regulation (GDPR), e.g. „personal data“, „processing“ apply.

1. Controller:

Widdersdorfer Straße 236 -240
50825 Cologne, Germany
Geschäftsführer: Dr. med. Aloys Oberthür, Dr. med. Christoph Weigand
Link to legal notice:

How to contact our Data Protection Officer:

You can reach our Data Protection Officer at the above address and the following email address:

2. Types of processed data

  • - inventory data (e.g. names, addresses).
  • - contact data (e.g. email, phone numbers).
  • - content data (e.g. text entered, photos, videos).
  • - usage data (e.g, websites visited, content interested in, duration of visit).
  • - Meta and communication data (e.g. device information, IP addresses).

3. Categories of data subjects

Customers / potential customers / suppliers as well as visitors and users of our web services in general, job applicants. Hereafter we refer to all affected persons as „Users“.

4. Purpose of processing

  • - Maintaining our web services, its contents and functionalities.
  • - Responding to inquiries, communication with users.
  • - Security measures.
  • - Marketing, advertisement and market research.

5. Definitions

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

6. Legal basis of processing

As required by art. 13 GDPR we inform you about the legal basis for our data processing. Unless a more specific legal basis is named in this Privacy Notice in connection with a processing, the following applies:

  • - If we ask for your consent, the legal basis for the processing is art. 6 (1) 1 lit. a. and art. 7 GDPR.
  • - If we process data to perform a contract or to respond to an inquiry the legal basis is art. 6 (1) lit. b. GDPR.
  • - If we process data to comply with legal requirements the legal basis is art. 6 (1) lit. c. GDPR.
  • - If we process data to pursue our legitimate interest or the legitimate interest of a third party the legal basis is art. 6 (1) lit. f. GDPR.
  • - If we process for a purpose other than that for which the data have been collected, the legal basis is art. 6 (4) GDPR.
  • - If we process special categories of data as defined in art. 9 (1) GDPR the legal basis is art. 9 (2) GDPR.

7. Security measures

We take technical and organisational measures in accordance with art. 32 GDPR taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for rights and freedoms of natural persons to ensure a level of security appropriate to the risk.

Among those measures are in particular the ensuring of ongoing confidentiality, integrity, availability of processing systems though controlling physical access to Data as well as access, entering, transfer, ensuring availability as well as segregation. In addition, we have established processes ensuring that data subjects can invoke their rights, Data is deleted and reactions to threats to Data are appropriate. We take into account the protection of data during development and selection of hardware, software and processes in accordance with the principles of privacy by design and privacy by default (art. 25 GDPR).

8. Cooperation with data processors and third parties

We only disclose, transfer or grant access to the Data other persons and enterprises (data processors or third parties) in connection with our processing where a legal basis exists (for example where the transfer to third parties is necessary for the performance of a contract pursuant to art. 6 (1) lit b. GDPR), if you have given us consent, if we are required by law or if we have a legitimate interest to do so (e.g. webhosting by third party providers).

Where we engage data processors to process data on our behalf we conclude data processing agreement pursuant to art. 28 GDPR.

9. Data transfer to third countries

If we process data in a third country (i.e. outside of the European Union or the European Economic Area or Switzerland) ourselves or by engaging a service provider or through disclosure or transfer to third parties we will only do so to perform a contract, based on consent, if required by law or to pursue a legitimate interest. Unless otherwise permitted by law or by contract we process data or have data processed on our behalf only if the requirements of art. 44 et seqq. GDPR are met. This means that special safeguards like an official assessment that the level of data protection in a specific country is equivalent to that in the EU (e.g. for the USA the „Privacy Shield“) are in place or the processor or third party has agreed to observe officially sanctioned special contractual obligations („standard contractual clauses“).

10. Rights of the data subject

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data in accordance with the law.

You have the right to obtain from the controller without undue delay the rectification of inaccurate and the completion of incomplete personal data concerning you in accordance with the law.

Subject to the requirements of art. 17 GDPR you have the right to obtain from the controller the erasure of personal data concerning you without undue delay, alternatively to obtain restriction of processing subject to the requirements of the law.

You have the right to receive the personal data concerning you, which you have provided to us and to transmit those data to another controller subject to the requirements of the law

You also have the right to lodge a complaint with a competent supervisory authority.

11. Right to withdraw consent

You have the right to withdraw consent for the future.

12. Right to object

If we process Data based on a legitimate interest you have the right object to future processing, particularly to processing for the purpose of direct marketing, in accordance with legal requirements.

13. Cookies and right to object in the case of direct marketing

Cookies are small files which are stored on the device of the User. Different types of information can be stored in cookies. Primarily, cookies are used to store information on the User (or the device on which the cookie is stored) during or after the site visit of the User. Temporary or “transient” or “session cookies” are cookies which are deleted once a User leaves our website and closes the browser. This type of cookie can be used, e.g. to store the contents of a shopping cart in an online store a login status. Cookies. “Permanent” or “persistent” cookies are cookies which remain stored on a device even after the browser has been closed. Such cookies can e.g. store the login status of a User for several days. In such cookies a User’s interests can be stored which can then be used for internet audience measurement or marketing purposes. If somebody other than the controller, who is operating this website, provides a cookie, it is referred to as a “third-party cookie”.

We use temporary and permanent cookies and inform about their use in this privacy notice.

If you do not want cookies to be stored on your device, deactivate cookies in the settings of your browser where you can also delete previously stored cookies. Disabling the use of cookies can limit the functioning of this website.

You can generally object to the use of cookies for marketing and interest-based advertising purposes by many services and tracking in particular by visiting the US website or EU website In addition, you can set your browser to reject cookies. In such case not all of the website’s functionality may be available to you.

14. Data retention and deletion

We delete or restrict data processed in accordance with legal requirements. Unless explicitly stated otherwise in this Privacy Notice we delete personal data when it is no longer necessary for the purpose of the processing and no legal retention periods require storage.

The processing will be restricted if the data are not deleted because they are necessary for other and lawful purposes. This means that data will be restricted and not processed for other purposes. This applies for example to data stored to comply with retention periods under commercial or tax law.

15. Changes to this Privacy Policy

We ask that you check the content of this Privacy Policy regularly. We will modify this Privacy Policy when it becomes necessary due to changes to our data processing. We will inform you should any action on your part become necessary (e.g. consent) or if an individual notification becomes necessary for any reason.

Last updated: 23rd January 2019

16. Contacting us

If you contact us by email, telephone or our contact form, the data you provide will be processed to handle your inquiry pursuant to art. 6 (1) lit. b. GDPR (contractual relations) or art. 6 (1) lit. b. GDPR (other inquiries).

The data you provide may be entered into a Customer-Relationship-Management System ("CRM System") or request management system.

We delete your request and the data provided therein once they are no longer necessary. We evaluate the necessity every two years. Where statutory retention periods apply we delete the data after their expiry (in case of retention periods under tax law usually after six years, in case of retention periods under commercial law usually after 10 years).

17. Hosting

For services such as web hosting, data center, infrastructure, platforms, mail services, and technical maintenance we rely on hosting providers.

To this end we or our services providers process inventory, contact, content, usage and meta and communication data (e.g. device information, IP address) of website users. The legal basis for this processing is art. 6 (1) 1 lit. f. GDPR. Our legitimate interest is to provide our online services efficiently and in a secure manner. We have concluded data processing agreements pursuant to art. 28 GDPR with our service providers.

18. Collection of access data and log files

Our hosting provider collects data (server log files) on the basis of our legitimate interest pursuant to art. 6 (1) lit. f. GDPR each time you connect to the server on which the online service is hosted. The logged data contains website visited, name of the file, date and time of request, data volume transmitted, notification on successful request, web browser including version, operating system of user, referrer URL (the website previously visited), IP address and access provider making the request.

The data is stored in the log files for security purposes (e.g. to investigate misuse and fraud) for a maximum period of four weeks and are then deleted. Not deleted are data whose retention is necessary for evidentiary purposes. Such data will be stored until the issue under investigation has been resolved and are then deleted.

19. Integration of third-party services and content

As part of our website we are using on the basis of our legitimate interest (i.e. our interest in analysing, optimizing and efficient operation of our website) pursuant to art. 6 (1) lit. f. GDPR content and services from third party providers in order to embed their services such as videos or fonts (hereinafter “content”).

The third-party service providers need to process the IP address of the user in order to be able to deliver content to the user’s browser. The IP address is therefore necessary for the display of the content. We strive to only use third party content whose providers process the IP address solely for the purpose of delivering content. Third-party providers can further use pixel-tags („web beacons“) for statistical and marketing purposes. Using pixel-tags the user traffic on the pages of this website can be analysed. This pseudonymous information can further be stored in cookies on the user’s device and can contain technical information on browser, operating system, referrer website, time of visit and further information on the usage of our website and can be combined with similar information from other sources.

20. Google Analytics

We use Google Analytics, a service provided by Google LLC („Google“) on the basis of our legitimate interest in analysing and optimizing the operation of our online services (art. 6 (1) 1 lit. f. GDPR) Google uses Cookies. The information contained in the cookie about the usage of our online services by the user are usually transmitted to and stored on servers located in the USA.

Google is certified under the Privacy Shield and guarantees adherence to EU data protection law (

Google will use this information on our behalf to evaluate usage of our online services, to create reports on the activities within the online services and to render other services related to the usage of our online services. It is possible to create pseudonymized user profiles based on the data processed.

We use Google Analytics only with activated IP Anonymisation. This means the User’s IP address within member states of the European Union or in other contracting states to the Agreement on the European Economic Area is shortened. Only in exceptional cases will the complete IP address be sent to a Google server and shortened within the US.

According to Google the IP address transmitted by your browser is not combined with other data from Google. You can disable the storing of cookies by changing the relevant settings in your browser; In addition, you can prevent Google from collecting the data stored in cookie and relating to your usage of the online services by downloading and installing the browser add-on available under this link:

Further information on how Google uses information from websites and on the available settings and objection options can be found on Google’s website: („How Google uses information from sites or apps that use our services“), („How Google uses cookies in advertising“), („Manage information used by Google to display ads”“).

Personal user data is deleted or anonymized after 14 months.

The tracking cookies set by Google Analytics expire as follows: _ga (2 years), _gat (1 min), _gid (24h).

21. Google Fonts

We use web fonts ("Google Fonts") by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Privacy policy:


22. Google ReCaptcha

We use a functionality for detecting bots, e.g. during data entry in web forms ("ReCaptcha") by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Privacy policy:


23. Google Maps

We use the web service for displaying interactive maps Google Maps (API) by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Among the data processed in this context are in particular your IP address and location data. This data may be processed in the USA.

Detailed information on privacy in connection with the use of Google Maps can be found on Google’s website („Google Privacy Policy“):