The controller in the sense of the General Data Protection Regulation (GDPR) and other national data protection acts and other data protection legislation is:
Sarstedt AG & Co. KG
Tel: +49 (0) 2293 305 0
Fax: +49 (0) 2293 305 2470
If you would like to request access to information or the rectification, blocking or erasure of personal data or if you have questions regarding the use, collection or processing of your personal data, please contact:
SARSTEDT AG & Co. KG, Sarstedtstraße 1, 51588 Nümbrecht, Germany, e-mail: firstname.lastname@example.org Tel.: +49 2293 305 0, Fax: +49 2293 305 2470
For the sake of legibility, separate male and female personal pronouns are not used.
1. General information on data processing
1.1. Processing of personal data and its purpose
SARSTEDT AG & Co. KG (‘Sarstedt’ or ‘we’) only collects and uses the personal data of our users in so far as necessary to provide a functional website as well as our content and services. When you visit our website, the following data will be processed:
- IP address of the user
- Browser (type, version, language)
- Operating system
- ISP of the user
- Date and time of the visit to our website
- Files accessed on our website
- The website the user was previously visiting
- The website the user visits after our Website
The processing and temporary storage of an IP address is necessary for the purpose of transmitting the website to the computer of the user. The IP address of the user has to be stored for the duration of the session. The log files contain IP addresses and other data that can be attributed to the user. It is stored in log files to guarantee the functionality of the website. Additionally, the data enable us to optimise the website and ensure the security of our IT systems. Any processing of personal data is exclusively for these purposes and to the extent necessary to achieve these purposes. These data will not be used for the purposes of marketing, customer advice or market research.
1.2. Legal grounds for the processing of personal data
As a rule, the personal data of our users are processed with the consent of the user. This does not apply to cases in which prior consent cannot be obtained for practical reasons and the processing of the data is permitted by statutory provisions. Point (f) of Article 6 (1) GDPR serves as the legal grounds for the storage of the data and log files.
1.3. Erasure of data and duration of storage
The personal data of data subjects will be erased or blocked by us as soon as the purpose for which they were stored has been achieved. If the data have been processed in order to make the website available, they will be deleted when the session ends. If the personal data have been stored in log files, they will be deleted within no more than 30 days. Storage for an extended period is possible provided that the IP addresses of the user are deleted or anonymised in order to prevent them from being associated with the visiting client.
- Language settings
- Log-in information.
3.1. Amazon Cloud Front:
3.2. Payment Service Provider (PSP)
On this website, payment is possible via the payment service of EVO Payments International GmbH, Elsa-Brändström-Straße 10-12, 50668 Köln, Germany (EVO).
The following payment methods are processed by EVO: Mastercard, Giropay, American express, Visa
When paying by credit card via Heidelpay, payment is processed by the payment service provider Heidelberger Payment GmbH, Vangerowstraße 18, 69115 Heidelberg (hereinafter "Heidelpay"), to whom we pass on your data provided during the ordering process exclusively for the purpose of payment processing in accordance with Art. 6 Para. 1 lit. b DSGVO. The data will only be passed on if it is actually necessary for payment processing. To the extent necessary, Heidelpay will again transmit your data to HUELLEMANN & STRAUSS ONLINESERVICES S.A., 1, Place du Marché, 6755 Grevenmacher, Luxembourg, in accordance with Art. 6 Para. 1 letter b DSGVO. You can object to this processing of your data at any time by sending a message to the person responsible for data processing or to Heidelpay. However, Heidelpay may still be entitled to process your personal data if this is necessary for contractual payment processing.
Which further data is collected by Heidelpay, results from the respective data protection declaration of Heidelpay. This can be read at: https://www.heidelpay.com/en/privacy-statement
3.3. Avalara (Tax compliance)
Protection of Customer Data, Personal Information, and Confidential Information. Avalara shall implement and maintain commercially reasonable and appropriate technical, administrative, and physical safeguards and security methods designed to prevent any unauthorized release, access to or publication of Customer Data, Confidential Information, or Personal Information. Avalara shall implement processes and maintain procedures designed to comply with Applicable Laws and shall facilitate Customer’s compliance with its data security obligations with respect to Personal Information in Avalara’s possession or control to the extent that Customer is required to comply with the following: (i) the U.K. Data Protection Act 1998; (ii) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and any applicable laws enacted by an EU member state implementing the requirements of the regulation; (iii) the Australian Privacy Act 1988 and National Privacy Principles; (iv) the Canadian Personal Information Protection and Electronic Documents Act; (v) California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. and implementing regulations (“CCPA”); and (vi) any amendments and successors to the aforementioned privacy laws, or any newly enacted Applicable Laws regarding privacy. The Agreement and the Documentation are Customer’s instructions for processing Customer Data, and Avalara shall not process Customer Data for any other purpose. The Avalara Data Processing Addendum is incorporated by this reference and is located at https://www.avalara.com/GDPR-DPA. Avalara may use subcontractors to facilitate its obligations under the Agreement. Avalara shall use commercially reasonable measures to ensure that such subcontractors implement and comply with reasonable security measures in handling any Customer’s Data, Personal Information, or Confidential Information.
4. Contact form and e-mail correspondence
Our website features a contact form that can be used to contact us electronically. If a user makes use of the form, the data entered in the contact form will be transmitted to us and stored:
- General enquiry (voluntary)
- Title (voluntary)
- First name
- Last name
- Phone number
- Sarstedt Account Number (voluntary)
- Order number (voluntary)
- Lot (voluntary)
- Address (street, town/city, post code) (voluntary)
- E-mail address
- Free field for custom text
- IP address of the user
- Date and time of sending.
By completing the contact form, you consent to the processing of the data you provide. Alternatively, you can contact us at the e-mail address provided. In this case, the personal data of the user that are transmitted along with the e-mail will be stored by us. When the user has provided consent, point (a) of Article 6 (1) GDPR serves as the legal grounds for the processing of data. Point (f) of Article 6 (1) GDPR serves as the legal grounds when personal data are transmitted as part of sending an e-mail. Point (b) of Article 6 (1) GDPR serves as the legal grounds when the correspondence is aimed towards concluding a contract. The data will be used exclusively to process the correspondence. In this context, no data are disclosed to third parties. The personal data from the contact form and the data sent by e-mail will be erased when the conversation with the user is finished, i.e. as soon as the circumstances imply that the matter in question has been resolved. The additional personal data collected during the sending process will be erased within no more than seven days.
The user can revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his/her personal data at any time. In this case, the message cannot be processed and the correspondence cannot be continued. In this case, all personal data stored as part of the correspondence will be erased.
5. Google Maps
Users of our website can subscribe to a free newsletter. If a user subscribes to our newsletter, we will process the following personal data:
- Salutation (voluntary)
- First name, surname (voluntary)
- E-mail address
- Area of work (voluntary)
- Interests (voluntary)
- IP address of the computer accessing the website
- Date and time of registration.
Sarstedt has implemented technical and organisational security measures to protect the personal data of users against accidental or intentional manipulation, loss, destruction and hacking. We continuously improve our security measures to keep pace with technological developments.
8. Rights of the data subject
If Sarstedt processes your personal data, you are a data subject in the sense of Article 4 (1) GDPR and have the following rights with regard to Sarstedt:
8.1. Right to Information
Pursuant to Article 15 GDPR, you can demand confirmation from us whether or not personal data concerning you are being processed by us. If personal data concerning you are being processed, you can request the following information from us:
- the purposes of the processing;
- the categories of personal data that are being processed;
- the recipients or categories of recipient to which personal data concerning you have been or are being disclosed;
- (if possible) the period for which the personal data will be stored by us, or if that is not possible, the criteria used to determine that period;
- the existence of a right to rectify or erase the personal data concerning you, a right to restrict processing by us or a right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- all available information on the origins of the data if the personal data were not obtained from you;
- the existence of automated individual decision-making, including profiling (Article 22 (1) and (4) GDPR), and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
You are entitled to demand information on whether or not the controller intends to transfer personal data to a recipient in a third country or international organisation. In this context, you can request information on the appropriate safeguards referred to in Article 46 GDPR in connection with the transfer.
8.2. Right to rectification
Under Article 16 GDPR, you are entitled to obtain from us the rectification and/or completion of the personal data concerning you, provided that they are inaccurate or incomplete.
8.3. Right to erasure
Pursuant to Article 17 GDPR, you can demand that we erase your personal data without undue delay. We are obliged to erase your data without undue delay if one of the following criteria is met:
- Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw consent on which our processing is based according to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR.
- The personal data concerning you have been unlawfully processed.
- The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
- Your personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
Where we have made the personal data concerning you public and are obliged pursuant to Article 17 (1) GDPR to erase the personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure does not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) GDPR as well as Article 9 (3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
8.4. Right to restriction of processing
Under the following circumstances, pursuant to Article 18 GDPR, you can demand the restriction of the processing of the personal data concerning you:
- if you contest the accuracy of the personal data concerning you for a period enabling us to verify the accuracy of the personal data;
- if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- if we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- if you have objected to processing pursuant to Article 21 (1) GDPR pending the verification whether our legitimate grounds override your own.
Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If processing has been restricted in line with the criteria above, you will be informed by us before the restriction of processing is lifted.
8.5. Right to notification
In accordance with Article 19 GDPR, we shall communicate any rectification or erasure of personal data or restriction of processing to which you have exercised your right to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We must inform you about those recipients if you request it.
8.6. Right to data portability
Under Article 20 GDPR, you are entitled to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. Additionally, you have the right to transmit those data to another controller without hindrance from us, where:
- the processing is based on consent (point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR) or on a contract pursuant to point (b) of Article 6 (1) GDPR; and
- the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible. This may not adversely affect the rights and freedoms of others. The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
8.7. Right to object
Under Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. We shall no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
8.8. Right to withdraw consent
You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
8.9. Automated individual decision-making, including profiling
Under Article 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and us;
- is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
8.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority
, or applicable local governing body, in particular in the Member State or applicable local jurisdiction of your habitual residence, place of work or place of the alleged infringement if you consider that our processing of personal data relating to you infringes the General Data Protection Regulation.
9. Responsibility for content and Information
Our website contains links to third-party websites. When the links were placed, we examined the content of each third-party website for infringements of civil or criminal law. However, it cannot be ruled out that this content has since been changed by the provider. If you believe that linked third-party websites are infringing the law or have other inappropriate content, please let us know. We will follow up on your report and, if necessary, remove the link. Sarstedt is not responsible for the content or availability of the linked third-party websites.
As at: September 2019