General Data Protection Notice of Olympus Soft Imaging Solutions GmbH (OSIS) („Olympus“)
In accordance with the EU General Data Protection Regulation (GDPR), we are obliged to comprehensively inform you about the processing of your personal data by Olympus Soft Imaging Solutions GmbH. Hereunder we inform you about the processing of your personal data by us and about your rights.
1. General information
As the world's leading manufacturer of optical and digital precision technology, Olympus develops and markets innovative medical technology, digital cameras and solutions for science and industry.
Protecting your privacy and personal data is important to Olympus. We would like to inform you which personal data we collect from you, how we use it and what your rights are. This General Privacy Notice provides an overview of the general processing of your data by Olympus. Specific information on data protection, in particular for our web-based offers, can be found at www.olympus-europa.com/privacy.
2. Who is responsible for the processing of your data?
OLYMPUS Soft Imaging Solutions GmbH
48149 Münster, Germany
Tel/Fax: +49 251 79800 0
For written requests to the Olympus Data Protection Officer, the above address with the addition "c/o Data Protection EMEA" and the e-mail address firstname.lastname@example.org apply.
3. Why and on what legal basis does Olympus process your data?
Olympus processes your personal data in a lawful and transparent manner, in good faith and in accordance with the General Data Protection Regulation (GDPR), only for as long as
- it is necessary for the fulfilment of a contract with you or for the execution of pre-contractual measures which take place at your request (Art. 6 para. 1 lit. b. GDPR), e.g. business related communication or transferring money to your bank account or; or
- you have given your consent to the processing (Art. 6 para. 1 lit. a GDPR), e.g. for e-mail marketing; or
- the processing is necessary for the purposes of
- the legitimate interests pursued by us or a third party (Art. 6 para. 1 lit. f DSGVO), e.g. recognition and elimination of misuse, defence in legal disputes, assertion of claims, prevention and clarification of criminal offences; or
- it is necessary due to other legal requirements, e.g. storage of documents for commercial and tax purposes or notification obligations to authorities (Art. 6 para. 1 lit. c GDPR); or
- the processing is necessary to protect the vital interests of the data subject or another natural person (Art. 6 para. 1 lit. d GDPR) or is in the public interest (Art. 6 para. 1 lit. e GDPR).
If you do not provide Olympus with the necessary information, we may not establish the business relationship you have requested, conclude the contract or execute the order. We can also no longer execute an existing contract and may have to terminate it.
4. What kind of data is processed?
We primarily collect data directly from you, but in rare cases we also generate data from public sources such as registers and websites.
The personal data processed includes
- Master data (e.g. names, addresses and customer numbers),
- Contact data (e.g. e-mail addresses and telephone numbers),
- Contract data (e.g. services used, order history, contract contents, contractual communication, names of contact persons) and
- Payment data (e.g. bank details, payment history).
Olympus only processes special categories of personal data pursuant to Article 9 of the GDPR if these are part of a commissioned or contractual processing.
5. To whom does Olympus transfer data?
Olympus undertakes to use only employees and subcontractors who are familiar with the GDPR and provide appropriate measures and services on data protection. Your data will be passed on to third parties very restrictively, e.g. if this is necessary to fulfil the (pre-)contractual relationship or to pursue our claims or if there is a legal obligation to do so, and in certain cases at the request of a government agency. Within the scope of processing it is possible that your personal data may be passed on to contract processors (service providers, vicarious agents). These have been carefully selected by us and are obliged to us in accordance with the statutory provisions of Art. 28 GDPR to treat your data confidentially and to observe our own data protection standards. In particular, our contract processors are not permitted to use the data themselves for commercial purposes. Your data may be passed on to the following recipients:
- Agencies & cooperation partners
- Credit agencies & debt collection service providers (for risk checks, credit insurances)
- Financial institutions
- Print service provider
- External legal representatives, auditors, corporate and tax consultants
- Internal positions & Group companies
- IT service provider
- Market and opinion research companies
- Newsletter & Mail service provider
- Postal & logistics service providers
- Telecommunications Providers
- Travel agency & tourism service provider
- Repair & service provider
- Administrative authorities & other government agencies
6. Does Olympus conduct credit checks?
We transmit your data (name, address, e-mail address, information on the company and, if applicable, contract and claim data) in the event of a credit risk for the purpose of credit assessment and debt collection processing, as well as to check the deliverability of the address provided to
- Atradius Kreditversicherung, Niederlassung der Atradius Crédito y Caución S.A. de Seguros y Reaseguros, Opladener Straße 14, 50679 Köln, Germany
and, if applicable, to other cooperating credit agencies. The legal basis for this transfer is Art. 6 para. 1 lit. b and Art. 6 para. 1 lit. f GDPR. Transmissions to safeguard legitimate interests may only take place to the extent that this is necessary for Olympus and does not outweigh the interests or fundamental rights and freedoms of the person concerned which require the protection of personal data.
If we receive data from credit agencies or debt collection agencies, we also use scoring as a mathematically and statistically recognised and proven method in accordance with Art. 6 para. 1 lit. f and Art. 22 GDPR to calculate the probability with which a customer will meet his payment obligations in accordance with the contract.
7. Duration of storage or criteria for storage duration
Personal data will only be used as long as it is necessary for the respective purpose, unless you have given your consent to Olympus or Olympus has a legitimate interest in further processing. In these cases, Olympus will process this data until you revoke your consent or until you object to the legitimate interests of Olympus due to your particular situation. We will delete your personal data as soon as the purpose of the processing has been fulfilled or storage is otherwise no longer legally permissible. Due to the amount of data, this check for deletion takes place with regard to specific data types or purposes of processing. However, it is possible that your personal data will be stored until legal claims against Olympus can no longer be asserted (legal limitation period between 3 and 30 years). In addition, we store your personal data to the extent that we are legally obliged to do so. Corresponding documentation and storage obligations are regulated in the respective national laws. (e.g. in the German Commercial Code HGB the retention periods are up to ten years.
8. Will data be transferred to countries outside the EU/EEA?
Your personal data is generally processed within the EU or the European Economic Area. If it is necessary for Olympus to pass on data to other Olympus companies or third parties for the fulfilment of data processing purposes, Olympus will ensure that the personal data of the data subject remains within the European Union or the European Economic Area.
If this is not possible and a transfer of personal data to a third country becomes necessary, e.g. to other Olympus companies or cooperation partners in third countries such as Japan or the USA, Olympus will ensure that there is a legal basis for this. These are usually
- consent pursuant to Art. 6 para. 1 lit. a) GDPR
- the existence of an adequacy decision of the European Commission (Art. 45 GDPR). A published and constantly updated list of these countries can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries
- Use of guarantees in the form of standard contractual clauses under data protection law (Art. 46 para. 2 lit. b GDPR) of the European Commission for data transfer to third countries. A published and constantly updated list of clauses can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries
9. What rights do you have?
You have the right to obtain from Olympus
- Information on the personal data stored about you (data categories, processing purposes, possibly recipient of the data, planned storage period), Art. 15 GDPR;
- Correction or addition of incorrect or incomplete data, Art. 16 GDPR;
- Deletion of personal data (in certain cases), Art. 17 GDPR;
- Restriction of processing (under certain conditions), Art. 18 GDPR;
- Data portability (under certain conditions), Art. 20 GDPR,
- Objection to the processing of your personal data on the basis of a weighing of interests, Art. 21 GDPR, and
- Revocation of your consent to the processing of your personal data with effect for the future, Art. 7 para. 3 GDPR,
with the exception of any contrary, other legal requirements as prescribed in the GDPR.
If you exercise your right to deletion, objection or revocation, we will no longer process your personal data unless we can prove mandatory reasons, which outweigh your interests, rights and freedoms, or the processing serves the purpose, exercise or defence of legal claims.
In the event of a request for information or correction which is not made in writing, we ask for your understanding that Olympus will then require proof of your identity. This serves in particular to protect your data from unauthorized access by third parties.
To exercise these rights, you can contact us at any time - e.g. via one of the contact channels indicated at the beginning of this data protection notice. According to Article 77 GDPR, you are also entitled to lodge a complaint with a competent supervisory authority for data protection, which you can find in this list: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm